EAP-FAST With MFA

NETAD
Level 4

Hi, is it possible to deploy EAP-FAST without the anyconnect NAM module? I'm trying to use the option from the windows drop down list for the authentication methods but getting the attached error message and ISE complaining about not finding the authentication method. 

 

Thanks


7 Replies

Hi

From Cisco docs:

"EAP-FAST Error Messages and Prompts

Error Message    Automatic PAC provisioning is enabled for this profile. However, a valid PAC that matches the server to which the client adapter is connecting could not be found. Do you wish to obtain a new security credential (PAC)?

Recommended Action    Click Yes to provision a new PAC for this server using your existing credentials or click No to cancel the operation. If you click No, the client adapter will fail the authentication."

 

https://www.cisco.com/c/en/us/td/docs/wireless/wlan_adapter/cb21ag/user/vista/1-0/configuration/guide/cb21ag10vistaconfigguide/messages_ap.html

 

 

-If I helped you somehow, please, rate it as useful.-

 

Hi Flavio, thanks. Is the anyconnect client necessary to configure EAP-FAST?

Don't think so. However, it looks like this EAP method is not used anymore. Are you using Windows XP? Windows 7 and 10 seem not to support it anymore.

Looks like EAP-TLS or PEAP is currently available.

 

-If I helped you somehow, please, rate it as useful.-

We're using Windows 7 and Windows 10. You mean EAP-FAST isn't supported on those anymore, with or without the AnyConnect client?

stsargen
Cisco Employee

If you are not currently using NAM and are using the native supplicant for EAP-FAST, you most likely have the EAP plugins that were provided to Microsoft years ago. You can still download them from a few different locations, one of which is in the Surface bundle here.

https://www.microsoft.com/en-us/download/details.aspx?id=46703

 

That said, for multi-factor auth you will probably want the inner method of EAP-FAST to use GTC, and not MSCHAPv2. From the screenshot you provided, the inner method sent to ISE was MSCHAPv2, and ISE tried to send this off to presumably your MFA server, and the server rejected it. I suspect the server is expecting GTC. I don't know your entire setup, but going off what you said this is my best guess.

 

Thanks,

Steve S.

The Windows native supplicant kept doing MSCHAPv2 for the inner tunnel. I ended up using the AnyConnect profile editor to create a profile for EAP-FAST with EAP-GTC and it worked.

 

One last question. Does EAP-FAST require a cert on ISE, or is this just with PEAP?

 

Thanks

EAP-FAST does not require the use of client or server certificates when performing unauthenticated provisioning. The tunnel is established using an anonymous DH (Diffie-Hellman) exchange (less secure, not recommended). If you use authenticated provisioning, the TLS tunnel is established using the ISE server certificate.

 

This doc explains a lot of this in detail.

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/eap-fast/200322-Understanding-EAP-FAST-and-Chaining-imp.html

 

PEAP always requires the server certificate.
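As an added example that is not from any of the posts above: the two settings Steve recommends (inner method GTC rather than MSCHAPv2, and authenticated provisioning anchored on the ISE server certificate) expressed as a wpa_supplicant network block, for readers on a non-Windows supplicant. SSID, identity, CA path and PAC path are placeholders; the option names are wpa_supplicant's own.

```ini
# Added example, not from the thread: EAP-FAST network block for wpa_supplicant.
# Placeholders: SSID, identity, certificate and PAC file paths.
network={
    ssid="CORP-WIFI"                        # placeholder SSID
    key_mgmt=WPA-EAP
    eap=FAST
    identity="user@example.com"             # placeholder inner identity
    anonymous_identity="anonymous"          # outer identity, sent before the tunnel is up

    # Inner method: GTC, as recommended in the thread for MFA.
    # In the OP's setup the MFA server rejected an MSCHAPv2 inner method.
    phase2="auth=GTC"

    # PAC provisioning mode:
    #   1 = anonymous (anonymous DH, called less secure / not recommended above)
    #   2 = authenticated only (tunnel built on the validated server certificate)
    #   3 = allow both
    phase1="fast_provisioning=2"

    # CA that issued the ISE server certificate, so the client only builds the
    # provisioning/authentication tunnel to the legitimate server.
    ca_cert="/etc/wpa_supplicant/corp-ca.pem"   # placeholder path

    # Where the PAC is stored after provisioning; must be writable by wpa_supplicant.
    pac_file="/etc/wpa_supplicant/eap-fast.pac" # placeholder path
}
```

If the PAC file is missing or does not match the server, the client falls back to provisioning, which is the same "no valid PAC" condition described in the Cisco error message quoted earlier in the thread.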
