cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

984
Views
0
Helpful
7
Replies
Tutu
Beginner

Eap chaining

Hello guys,

 

im totally confused i need to understand something. 

so i have done wired user and machine authentication using eap chaining, why is it that when i remove anyconnect from the pc i am not able to authenticate either user or machine ?

7 REPLIES 7
Rob Ingram
VIP Mentor

@Tutu 

Simple, because you have to use AnyConnect NAM when using EAP-Chaining, native microsoft supplicant doesn't support it. The authorisation rules you've probably written in ISE are specific to Eap-chaining, so you'd have to modify them.

Mike.Cifelli
VIP Advocate

Agree with @Rob Ingram.  You should start by utilizing your detailed radius live logs and take a deeper look into your conditions utilized in authz policies.  As for native supplicant eap-chaining support, eap-teap support started with a later version of Windows 10 and ISE 2.7.x.  See here for further detail: https://www.ise-support.com/2020/05/29/using-teap-for-eap-chaining/

HTH!

Okay so this is what i want to achieve, lets say there is a new user with a new pc and there is no anyconnect installed,both user and machine are part of AD so usually it would do a posture check before right so as to install anyconnect and thn go about the whole eap chaning thing? Please correct me if im wrong. But if i connect the pc to the port it brings up the guest/byod policy. How do i go about this? 

Thank you Mike for the documents, i have already done the anyconnect eap chaining. What i want to know is how m i going to get authorization for a user who doesnt have any connect as i have eap chaining rule for aithorization that requires anyconnect.

m i suppsed to install any connect manually on a new pc or is there a way i can do it through ise? Please let me know if im not making sense?

Okay so this is what i want to achieve, lets say there is a new user with a new pc and there is no anyconnect installed,both user and machine are part of AD so usually it would do a posture check before right so as to install anyconnect and thn go about the whole eap chaning thing? Please correct me if im wrong. But if i connect the pc to the port it brings up the guest/byod policy. How do i go about this? 

So there is a lot to consider without trying to dive too deep.  Assuming the new pc client has no domain gpos to configure the native supplicant the host would authenticate to the network via mab as dot1x would eventually terminate based on interface configs.  This means you would need to support both dot1x and mab from a switch config perspective.  In most cases you would want to have separate radius policies to support different dot1x and mab policies.  In order to bring up a guest or byod portal you would configure either portal and reference the portal redirect in your authz profile which would then be referenced as the authz result based on condition matching inside the radius authz policy.  In that situation once a new client authenticates via mab you need to figure out how you want these clients to get redirected to the your portal if that is what you wish.  Keep in mind that NAM can be tricky as once it is installed it overrides windows network management.  In my experience for "new" known domain clients most implement AC deployment later either via SCCM packages or as a step in the imaging process. I strongly suggest taking a peek at the links provided earlier.  Also, for free config tutorials see: http://www.labminutes.com/video/sec

HTH!