Author Topic: ISE 2.0 EAP Chaining (Read 38726 times)

tegsy8 · « **on:** February 24, 2017, 02:13:14 AM »

Hi All

I'm currently setting up ISE 2.0 to authenticate the machine and user using EAP-FAST. The Windows PC's are using Anyconnect 4.3 and ISE has been integrated with AD. I also have postures checks setup and on the whole it seems to be working ok.

The issue I'm seeing is when there is a delay between the PC booting up and the user logging in. In this situation the access fails, so I'm assuming there must be some timeout mechanism between the machine auth and user auth? As I am using EAP chaining I didn't think this would be an issue, I would be grateful if someone could clarify this for me?

I have got around this by adding another authorization rule to allow limited access if the machine succeeds authentication but the user fails, however this raises concerns about the machine having access to the network before any posture checks are run?

One final thing......does ISE block or blacklist devices that continuously fail?

Kind Regards

MC · « **Reply #1 on:** February 27, 2017, 09:31:17 PM »

Enabling EAP chaining has nothing to do with Computer auth before login. That still happen regardless (I believe this is Computer Auth only) and you need to have a auth profile to allow computer to access resources that it needs like AD. Once user logs in EAP-chaining happens with both user and computer. There should be no timeout between computer auth and user auth. If there is no user login, the port just sits at successful computer auth state.
ISE does block endpoint with repeated fail auth (for 60 min I think) by default unless you turn it off under Protocol/RADIUS config.

Search

User Info

Author Topic: ISE 2.0 EAP Chaining (Read 38726 times)

tegsy8

ISE 2.0 EAP Chaining

MC

Re: ISE 2.0 EAP Chaining

Related Topics