Authorization rule for EAP-FAST (inner EAP-TLS)

tinu_karki
Level 1

We have an ISE deployment where we are looking to use EAP-FAST as our authentication method with EAP-TLS as the inner method. We are checking both machine and user certificates. We initially had the following condition in our AuthZ rule: EapChainingResult = User and machine both succeeded. However, we found that initially the machine succeeds and the user doesn't succeed until after Windows login. If we change the condition to EapTunnelType = EAPFAST, then it works fine; the logs show that while initially the user fails and the machine succeeds, after login to the Windows shell the "both user and machine succeeded" log message is visible. My preference would be to get it working with the first condition, as it is a more valid check, but it doesn't work due to the initial failure. Has anyone else got EAP-FAST (EAP-TLS) working?

Regards

Accepted Solution

jan.nielsen
Level 7

I have it running at a customer, and as you discovered, only machine auth succeeds initially. This is because the user store where the user's certificate is kept is not opened until they have logged in; this is working as intended.

What you can do is to have two different authz rules: one for EapChainingResult = Machine succeeded and user failed, and another one for when both succeed. This way you can give granular access by using another ACL for the machine, so the machine doesn't get full access to the network before a user has logged in.

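As an added example (not code from this thread or from ISE), a small Python model of the two authorization designs discussed above: the EapTunnelType-only condition the poster fell back to, versus Jan's two EapChainingResult rules, evaluated over constructed ISE-style log records. It also covers a user-only chaining outcome the thread does not discuss. The profile names, the log format and the exact EapChainingResult strings are assumptions; verify them against the attribute values in your own ISE logs.

```python
# Added example: model two ISE authorization designs over constructed log lines.
# Attribute names EapChainingResult / EapTunnelType come from the thread; the
# result strings, profile names and log format are assumptions for illustration.

# Design 1 (the poster's fallback): any EAP-FAST tunnel gets full access.
RULES_TUNNEL_ONLY = [
    ("EAPFAST-Any", {"EapTunnelType": "EAPFAST"}, "FULL-ACCESS"),
]

# Design 2 (Jan's suggestion): one rule per chaining outcome; anything else is denied.
RULES_CHAINING = [
    ("Chain-Both", {"EapChainingResult": "User and machine both succeeded"}, "FULL-ACCESS"),
    ("Chain-MachineOnly", {"EapChainingResult": "Machine succeeded and user failed"}, "MACHINE-ONLY-ACL"),
]

def parse_log_line(line: str) -> dict:
    """Parse 'Key=Value, Key=Value' pairs from a constructed ISE-style log line."""
    attrs = {}
    for part in line.split(","):
        key, _, value = part.strip().partition("=")
        if key:
            attrs[key] = value.strip()
    return attrs

def evaluate(rules, attrs: dict):
    """Return (rule_name, profile) for the first rule whose conditions all match."""
    for name, conditions, profile in rules:
        if all(attrs.get(k) == v for k, v in conditions.items()):
            return name, profile
    return "Default", "DENY"  # assumed default rule: DenyAccess

# Constructed records for the phases the poster observed, plus a user-only case.
SAMPLE_LOGS = {
    "pre-login": "Endpoint=PC-01, EapTunnelType=EAPFAST, EapChainingResult=Machine succeeded and user failed",
    "post-login": "Endpoint=PC-01, EapTunnelType=EAPFAST, EapChainingResult=User and machine both succeeded",
    "user-only": "Endpoint=PC-01, EapTunnelType=EAPFAST, EapChainingResult=User succeeded and machine failed",
}

def compare_policies() -> dict:
    """Map each phase to the profile granted under both designs."""
    out = {}
    for phase, line in SAMPLE_LOGS.items():
        attrs = parse_log_line(line)
        out[phase] = {
            "tunnel_only": evaluate(RULES_TUNNEL_ONLY, attrs)[1],
            "chaining": evaluate(RULES_CHAINING, attrs)[1],
        }
    return out

if __name__ == "__main__":
    for phase, result in compare_policies().items():
        print(f"{phase:10s} tunnel-only={result['tunnel_only']:16s} chaining={result['chaining']}")
```

The tunnel-only design grants FULL-ACCESS in every phase, including before user login; the chaining design grants the restricted ACL pre-login and denies the unexpected user-only outcome.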

3 Replies


Hi Jan,

Thanks for the info. I will test it down in the lab and get back to you.

Regards

Thanks, that is working fine now as per your suggestion.