Problem

A user tries to do EAP chaining with PEAP, but it does not work. How can we make this work?

Resolution

EAP chaining works with EAP-FAST and does not work with PEAP. The setup is somewhat more complex than with PEAP because it uses EAP-FAST together with EAP-MS-CHAPv2 and EAP-TLS. EAP chaining requires both a supplicant on the client device and a RADIUS server that support the technology.

 

In Cisco ISE Release 1.1.1, the Extensible Authentication Protocol (EAP) chaining solution allows you to authenticate both the machine and the user in the same EAP-FAST authentication, in a configurable order. When an EAP-FAST authentication result is determined, Cisco ISE allows you to apply an authorization policy that depends on the result of both authentications. When EAP chaining is turned off, Cisco ISE performs the usual EAP-FAST authentication.

 

Refer to EAP Chaining deployment for more information on the EAP chaining process and its requirements.

 

Source: https://supportforums.cisco.com/thread/2179660?tstart=0

Comments
mukka
Level 1

Hi Prabhu

 

I have an issue trying EAP chaining for machine and user authentication with certificates (EAP-FAST tunnel with EAP-TLS authentication):

When the machine and user do not have a certificate, AnyConnect is trying EAP PEAP.

11001  Received RADIUS Access-Request
11017  RADIUS created a new session
15049  Evaluating Policy Group
15008  Evaluating Service Selection Policy
15048  Queried PIP - DEVICE.Wired
15048  Queried PIP - Radius.Service-Type
15048  Queried PIP - Radius.NAS-Port-Type
15004  Matched rule - wire_teste
11507  Extracted EAP-Response/Identity
12100  Prepared EAP-Request proposing EAP-FAST with challenge
12625  Valid EAP-Key-Name attribute received
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12301  Extracted EAP-Response/NAK requesting to use PEAP instead
12303  Failed to negotiate EAP because PEAP not allowed in the Allowed Protocols
11504  Prepared EAP-Failure
11003  Returned RADIUS Access-Reject

 

 

Do you have any idea about it?

 

Thanks,
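
The step log in the comment above can be checked mechanically. The following is an added example, not code from the original post or from Cisco: it parses pasted ISE steps and reports the EAP method negotiation, matching only the message texts shown in that log. The function names and result keys are hypothetical.

```python
import re

# Constructed sample: step texts taken from the log above, in both the
# "code message" form and the alternating-line form the comment was pasted in.
SAMPLE_STEPS = """
12100 Prepared EAP-Request proposing EAP-FAST with challenge
12301
Extracted EAP-Response/NAK requesting to use PEAP instead
12303
Failed to negotiate EAP because PEAP not allowed in the Allowed Protocols
11003
Returned RADIUS Access-Reject
"""

PATTERNS = {
    "proposed": re.compile(r"EAP-Request proposing (\S+)"),
    "requested": re.compile(r"EAP-Response/NAK requesting to use (\S+) instead"),
    "disallowed": re.compile(r"Failed to negotiate EAP because (\S+) not allowed"),
}

def parse_steps(text):
    """Return (code, message) pairs from 'code message' lines or alternating lines."""
    steps, pending = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if re.fullmatch(r"\d{5}", line):
            pending = int(line)            # code on its own line; message follows
        elif (m := re.match(r"(\d{5})\s+(.+)", line)):
            steps.append((int(m.group(1)), m.group(2)))
        elif pending is not None:
            steps.append((pending, line))
            pending = None
    return steps

def diagnose(text):
    """Summarise the EAP method negotiation in one session's steps."""
    seen = {"proposed": None, "requested": None, "disallowed": None}
    rejected = False
    for _code, msg in parse_steps(text):
        for key, rx in PATTERNS.items():
            if (m := rx.search(msg)):
                seen[key] = m.group(1)
        rejected = rejected or "Access-Reject" in msg
    # Per the resolution above, chaining needs EAP-FAST; a NAK to another method rules it out.
    seen["nak_blocks_chaining"] = seen["requested"] not in (None, "EAP-FAST")
    seen["rejected_on_negotiation"] = rejected and seen["disallowed"] is not None
    return seen
```

For the sample, the result shows the server proposing EAP-FAST, the supplicant answering with a NAK for PEAP, and the reject coming from method negotiation rather than from a credential check.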

 
