10-01-2015 12:29 AM - edited 03-10-2019 11:06 PM
Hi Experts,
I am now implementing ISE 1.4 for machine and user authentication on wired and wireless networks.
For the wired network there is no issue.
For the wireless network, when I connect to the SSID that integrates with ISE, the authorization is denied.
These are the rules in authorization.
First rule: Machine Authen
Radius:Called-Station-ID == Contains == Office
3D-AD:ExternalGroups == domain computer
Second rule: User Authen
Radius:Called-Station-ID == Contains == Office
3D-AD:ExternalGroups == domain user
Network Access:WasMachineAuthenticated ==True
If I delete the condition Network Access:WasMachineAuthenticated ==True from the second rule, authentication passes.
Could you please advise me what the root cause is?
Thank you
10-01-2015 03:28 AM
Hi,
By the sounds of it, you want to set up EAP chaining. I would suggest you read through this document, which has a good example of how to achieve this. The only missing part would be the AD groups, which you can add; however, it also seems you are using the default groups anyway.
http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-82_Deploy_EAP_Chaining.pdf
Regards,
Jason
10-01-2015 03:41 AM
Hi Jason,
I'm not setting up EAP chaining; I'm using the PEAP and EAP-TLS authentication methods. Authentication passes, but it gets stuck in authorization if I apply the condition "Network Access:WasMachineAuthenticated ==True", so it goes to the default authorization (Deny access).
10-01-2015 03:50 AM
Hi,
If you are not using EAP chaining then you can't combine machine and user success criteria as you have it in your authz. What are you attempting to achieve?
Regards,
Jason