Solved: Re: Unable to use EAP-FAST with Windows10.

pbesset · ‎03-29-2019

Hi,

I recently set up a Cisco ISE 2.4 install for my company. We are using Cisco Anyconnect 4.7 (with NAM component) on WIndows10.

PEAP(EAP-MSCHAPv2) and EAP-TLS are working well but if I try to use EAP-FAST(EAP-MSCHAPv2) it fails. I tried with User Auth only and with Eap-Chaining but both failed. I keep having the following error message:

"12116 Client sent Result TLV indicating failure"

Did you allready meet this issue ?

Regards.

hslai · ‎03-30-2019

CSCvm03681 most likely. See

Field Notice: FN - 70357 - Identity Services Engine and AnyConnect Secure Mobility Client 4.7 Fail to Authenticate When Using EAP-FAST with TLS 1.2 - Software Upgrade Recommended - Cisco

The other bug is for network devices (e.g. a Cisco IOS switch) to retrieve TrustSec policies from ISE.

View solution in original post

Mike.Cifelli · ‎03-29-2019

Did you properly configure your configuration.xml file that is used with NAM using the NAM profile editor? Are you using PACs? If not, double check that your general EAP-FAST settings in ISE allow pac-less session resume (Administration->Settings->Protocols->EAP-FAST->EAP-FAST Settings. Can you run a few debug commands on your NAD for the host you are testing and share as well?
debug aaa authentication
debug radius authentication

pbesset · ‎03-29-2019

Hi Mike,

I used the NAM profile editor and made this configuration, I use PACs:

The EAP-FAST configuration is the following (I enabled "pac-less resume" but I do not think I need it):

The logs from the NAD are not very handy, here is the switch output:

Mar 29 14:26:20 GMT: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (XXXX.XXXX.XXXX) with reason (Cred Fail) on Interface Gi1/0/2 AuditSessionID 10FEFE0A00000114C9A1077E
Mar 29 14:26:27 GMT: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (XXXX.XXXX.XXXX) with reason (Cred Fail) on Interface Gi1/0/2 AuditSessionID 10FEFE0A00000114C9A1077E
Mar 29 14:26:35 GMT: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (XXXX.XXXX.XXXX) with reason (Cred Fail) on Interface Gi1/0/2 AuditSessionID 10FEFE0A00000114C9A1077E
Mar 29 14:26:35 GMT: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (XXXX.XXXX.XXXX) on Interface GigabitEthernet1/0/2 AuditSessionID 10FEFE0A00000114C9A1077E. Failure reason: Authc fail. Authc failure reason: Cred Fail.

Regards.

Mike.Cifelli · ‎03-29-2019

Since you are using PACs you are correct. You do not need the pac-less session resume. Can you share your ISE authentication policy and allowed protocols profile being used there. If you goal is to enable fast reconnect then enable fast reconnect in your configuration.xml and test again.

pbesset · ‎03-29-2019

Mike,

Here is my authentication policy:

The allowed protocols profile is pretty simple too:

I tried with Fast-Reconnect enabled but the issue remains the same.

My final goal is to use Eap-Chaining but since user authentication is failing using EAP-Fast I debug step by step so I disabled EAP Chaining for the moment.

I am running ISE 2.4 so I will update to 2.4 Patch6 because it seems that the following bugs could be my issue:

Regards.

Mike.Cifelli · ‎03-29-2019

Can you share the radius live log detailed steps? Good luck with the upgrade.

hslai · ‎03-30-2019

CSCvm03681 most likely. See

Field Notice: FN - 70357 - Identity Services Engine and AnyConnect Secure Mobility Client 4.7 Fail to Authenticate When Using EAP-FAST with TLS 1.2 - Software Upgrade Recommended - Cisco

The other bug is for network devices (e.g. a Cisco IOS switch) to retrieve TrustSec policies from ISE.

pbesset · ‎04-01-2019

Hi Mike, Hslai,

After upgrading to 2.4 Patch 6, EAP-Fast and EAP-Chaining are now working well.

Thank you for your help.

Regards.