Author Topic: ISE 2.0 EAP Chaining  (Read 627 times)

Offline tegsy8

  • Cisco Newbie
  • Posts: 1
  • Reputation: 0
  • Certification: CCNP
ISE 2.0 EAP Chaining
« on: February 24, 2017, 02:13:14 AM »
Hi All

I'm currently setting up ISE 2.0 to authenticate the machine and user using EAP-FAST. The Windows PCs are using AnyConnect 4.3 and ISE has been integrated with AD. I also have posture checks set up and on the whole it seems to be working OK.

The issue I'm seeing is when there is a delay between the PC booting up and the user logging in. In this situation the access fails, so I'm assuming there must be some timeout mechanism between the machine auth and user auth? As I am using EAP chaining I didn't think this would be an issue. I would be grateful if someone could clarify this for me.

I have got around this by adding another authorization rule to allow limited access if the machine succeeds authentication but the user fails; however, this raises concerns about the machine having access to the network before any posture checks are run.

One final thing... does ISE block or blacklist devices that continuously fail?

Kind Regards
« Last Edit: February 24, 2017, 11:16:10 AM by tegsy8 »

Offline MC

  • Global Moderator
  • Cisco Guru
  • Posts: 365
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Re: ISE 2.0 EAP Chaining
« Reply #1 on: February 27, 2017, 09:31:17 PM »
Enabling EAP chaining has nothing to do with Computer auth before login. That still happens regardless (I believe this is Computer Auth only) and you need to have an auth profile to allow the computer to access the resources it needs, like AD. Once the user logs in, EAP chaining happens with both user and computer. There should be no timeout between computer auth and user auth. If there is no user login, the port just sits at the successful computer auth state.
ISE does block endpoints with repeated failed auths (for 60 min, I think) by default unless you turn it off under the Protocol/RADIUS config.
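As an added example (not from either poster and not Cisco's code), the following Python models how an ordered, first-match ISE-style authorization policy would treat the pre-login machine-only case raised in the question, with a check that full access is never granted before posture reports Compliant. The EapChainingResult and PostureStatus attribute values are assumed to mirror ISE's condition names and should be verified against your own release.

```python
# Added illustrative model (not Cisco ISE code): evaluates an ordered,
# first-match authorization policy against the session attributes an
# EAP-chaining session carries. Attribute values below are assumed to
# mirror ISE's EapChainingResult / PostureStatus conditions; verify them
# against your own ISE release before copying the rule logic.
from dataclasses import dataclass
from itertools import product

EAP_RESULTS = (  # assumed EapChainingResult values
    "No chaining",
    "User and machine both succeeded",
    "User succeeded and machine failed",
    "User failed and machine succeeded",
    "User and machine both failed",
)
POSTURE_STATES = ("Compliant", "NonCompliant", "Unknown")

@dataclass(frozen=True)
class Session:
    eap_chaining_result: str
    posture_status: str

# Ordered rules: (name, condition, authorization profile). The pre-login
# machine-only rule must hand out only what the machine needs (AD, DNS,
# DHCP, patching); posture is enforced once the user session exists.
POLICY = [
    ("Machine_Only_PreLogin",
     lambda s: s.eap_chaining_result == "User failed and machine succeeded",
     "MACHINE_LIMITED"),
    ("Chained_Compliant",
     lambda s: s.eap_chaining_result == "User and machine both succeeded"
     and s.posture_status == "Compliant",
     "FULL_ACCESS"),
    ("Chained_Posture_Pending",
     lambda s: s.eap_chaining_result == "User and machine both succeeded",
     "POSTURE_REDIRECT"),   # Unknown / NonCompliant fall through to here
]
DEFAULT_PROFILE = "DENY_ACCESS"  # e.g. user creds on a non-domain device

def authorize(session: Session) -> tuple:
    """Return (matched rule name, profile); first matching rule wins."""
    for name, cond, profile in POLICY:
        if cond(session):
            return name, profile
    return "Default", DEFAULT_PROFILE

def posture_gate_holds() -> bool:
    """Check every attribute combination: FULL_ACCESS only when Compliant."""
    return all(authorize(Session(r, p))[1] != "FULL_ACCESS" or p == "Compliant"
               for r, p in product(EAP_RESULTS, POSTURE_STATES))
```

Running posture_gate_holds() after any rule change is the cheap regression check for the concern in the question: a machine-only session can reach its bootstrap resources, but nothing short of a chained, posture-compliant session gets the full-access profile.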
