Unable to use EAP-FAST with Windows10.

pbesset
Level 1

Hi,

 

I recently set up a Cisco ISE 2.4 install for my company. We are using Cisco AnyConnect 4.7 (with NAM component) on Windows 10.

PEAP (EAP-MSCHAPv2) and EAP-TLS are working well, but if I try to use EAP-FAST (EAP-MSCHAPv2) it fails. I tried with User Auth only and with EAP-Chaining, but both failed. I keep getting the following error message:

 

"12116 Client sent Result TLV indicating failure"

 

 

Capture du 2019-03-29 11-50-51.png

 

Did you already encounter this issue?

 

Regards.

Mike.Cifelli
VIP Alumni
Did you properly configure your configuration.xml file that is used with NAM using the NAM profile editor? Are you using PACs? If not, double check that your general EAP-FAST settings in ISE allow pac-less session resume (Administration->Settings->Protocols->EAP-FAST->EAP-FAST Settings). Can you run a few debug commands on your NAD for the host you are testing and share as well?
debug aaa authentication
debug radius authentication

Hi Mike,

 

I used the NAM profile editor and made this configuration, I use PACs:

 

 

Capture.PNG

 

The EAP-FAST configuration is the following (I enabled "pac-less resume" but I do not think I need it):

 

Capture2.png

 

The logs from the NAD are not very handy, here is the switch output:

 

Mar 29 14:26:20 GMT: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (XXXX.XXXX.XXXX) with reason (Cred Fail) on Interface Gi1/0/2 AuditSessionID 10FEFE0A00000114C9A1077E
Mar 29 14:26:27 GMT: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (XXXX.XXXX.XXXX) with reason (Cred Fail) on Interface Gi1/0/2 AuditSessionID 10FEFE0A00000114C9A1077E
Mar 29 14:26:35 GMT: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (XXXX.XXXX.XXXX) with reason (Cred Fail) on Interface Gi1/0/2 AuditSessionID 10FEFE0A00000114C9A1077E
Mar 29 14:26:35 GMT: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (XXXX.XXXX.XXXX) on Interface GigabitEthernet1/0/2 AuditSessionID 10FEFE0A00000114C9A1077E. Failure reason: Authc fail. Authc failure reason: Cred Fail.

Regards.

Since you are using PACs you are correct. You do not need the pac-less session resume. Can you share your ISE authentication policy and the allowed protocols profile being used there? If your goal is to enable fast reconnect, then enable fast reconnect in your configuration.xml and test again.

Mike,

 
Here is my authentication policy:
ScreenShot025.jpg

 


 
The allowed protocols profile is pretty simple too:
Capture3.png

 


I tried with Fast-Reconnect enabled but the issue remains the same.
My final goal is to use EAP-Chaining, but since user authentication is failing using EAP-FAST, I am debugging step by step, so I disabled EAP-Chaining for the moment.
 
I am running ISE 2.4 so I will update to 2.4 Patch6 because it seems that the following bugs could be my issue:
Capture du 2019-03-29 16-46-21.png

 

Capture du 2019-03-29 16-47-55.png
 
Regards.
 

Can you share the radius live log detailed steps? Good luck with the upgrade.

hslai
Cisco Employee

CSCvm03681 most likely. See 

Field Notice: FN - 70357 - Identity Services Engine and AnyConnect Secure Mobility Client 4.7 Fail to Authenticate When Using EAP-FAST with TLS 1.2 - Software Upgrade Recommended - Cisco

The other bug is for network devices (e.g. a Cisco IOS switch) to retrieve TrustSec policies from ISE.

Hi Mike, Hslai,

 

After upgrading to 2.4 Patch 6, EAP-FAST and EAP-Chaining are now working well.

Thank you for your help.

 

Regards.