ISE support for Machine Certificate plus User authentication

tiryan
Cisco Employee

I found the following that was posted here many years ago.

Is this post still valid? Is EAP Chaining with AnyConnect client the only way to accomplish this?

OR has something changed in ISE to support 2 authentications from one device?

Cut from previous post.

I don't believe that this is possible and it is due to the limitations of the native Windows supplicant, where it can do either one of the following:

1. User authentication

2. Machine authentication

3. Machine or user authentication

Machine+User authentication can only be accomplished with EAP-Chaining which is only supported by AnyConnect.

1 Accepted Solution


Damien Miller
VIP Alumni

ISE 2.7 release also provided the option for EAP-TEAP as an alternative to EAP-Chaining with NAM. As of today, only Windows supports EAP-TEAP, and of that only the Windows 10 2004+ (May 2020 release) 2H builds or newer. 

https://community.cisco.com/t5/security-documents/teap-for-windows-10-using-group-policy-and-ise-teap/ta-p/4134289

There were a couple open bugs in 2.7 for TEAP, but I believe patch 3 was going to address them. 

nspasov
Cisco Employee

In addition to the excellent answer from Damien, you can also do EAP+CWA chaining where machines that successfully authenticate with machine certificates are punted through the Central Web Authentication flow for user-based authentication.

Thank you for rating helpful posts!

Thank you to both of you for the quick responses. Do you know what version of ISE is needed to support the EAP+CWA chaining?

I really don't recall but this has been supported for a while...probably since ISE 2.0 days. 

Thank you for rating helpful posts!