Cisco Support Community

EAP Chaining with PEAP does not work

Problem

A user tries to do EAP chaining with PEAP, but this is not working. How can we make this work?

Resolution

EAP chaining works with EAP-FAST and does not work with PEAP. The setup is a bit more complex than using PEAP, because it uses EAP-FAST, EAP-MS-CHAPv2 and EAP-TLS. EAP chaining requires both a supplicant on the client device and a RADIUS server that support the technology.

In Cisco ISE, Release 1.1.1, the Extensible Authentication Protocol (EAP) chaining solution allows you to authenticate both the machine and the user in the same EAP-FAST authentication, in a configurable order. When an EAP-FAST authentication result is determined, Cisco ISE allows you to apply an authorization policy, depending on the result of both authentications. When EAP chaining is turned off, Cisco ISE performs the usual EAP-FAST authentication.

Refer to EAP Chaining deployment for more information on the EAP chaining process, along with its requirements.

Source: https://supportforums.cisco.com/thread/2179660?tstart=0

Version history
Revision #: 2 of 2
Last update: 08-28-2017 02:11 AM

Comments

Hi Prabhu

I have an issue trying EAP chaining for machine and user authentication with certificates (EAP-FAST tunnel with EAP-TLS authentication):

When the machine and user do not have a certificate, AnyConnect tries EAP PEAP.

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - DEVICE.Wired
15048 Queried PIP - Radius.Service-Type
15048 Queried PIP - Radius.NAS-Port-Type
15004 Matched rule - wire_teste
11507 Extracted EAP-Response/Identity
12100 Prepared EAP-Request proposing EAP-FAST with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12303 Failed to negotiate EAP because PEAP not allowed in the Allowed Protocols
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject

Do you have any idea about it?

Thanks,
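
The step log in the comment above can be read mechanically. The following is an added example, not part of the original post and not Cisco tooling: it pairs step codes with messages and reports which EAP method the server proposed, which method the supplicant NAKed to, and whether that method was refused by Allowed Protocols. The step lines are copied from the comment; the function names `parse_steps` and `summarize` are hypothetical.

```python
import re

# Step lines copied from the comment above, laid out one "code message" per line.
STEPS = """\
11507 Extracted EAP-Response/Identity
12100 Prepared EAP-Request proposing EAP-FAST with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12303 Failed to negotiate EAP because PEAP not allowed in the Allowed Protocols
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
"""
PROPOSED_RE = re.compile(r"EAP-Request proposing (\S+)")
NAK_RE = re.compile(r"EAP-Response/NAK requesting to use (\S+) instead")
BLOCKED_RE = re.compile(r"Failed to negotiate EAP because (\S+) not allowed in the Allowed Protocols")

def parse_steps(text):
    """Return [(code, message)]; accepts 'NNNNN message' or code and message on separate lines."""
    steps, pending = [], None
    for ln in (l.strip() for l in text.splitlines() if l.strip()):
        if re.fullmatch(r"\d{5}", ln):
            pending = ln                      # bare step code, message follows
        elif m := re.match(r"(\d{5})\s+(.+)", ln):
            steps.append(m.groups())
            pending = None
        elif pending:
            steps.append((pending, ln))
            pending = None
    return steps

def summarize(text):
    """Summarize the EAP method negotiation visible in a step log."""
    out = {"proposed": [], "nak_requested": None, "blocked": None, "result": None}
    for _code, msg in parse_steps(text):
        if m := PROPOSED_RE.search(msg):
            out["proposed"].append(m.group(1))
        elif m := NAK_RE.search(msg):
            out["nak_requested"] = m.group(1)
        elif m := BLOCKED_RE.search(msg):
            out["blocked"] = m.group(1)
        elif "Access-Reject" in msg:
            out["result"] = "reject"
    # True when the supplicant refused the proposed method and asked for one the policy forbids.
    out["supplicant_mismatch"] = out["nak_requested"] is not None and out["nak_requested"] == out["blocked"]
    return out

if __name__ == "__main__":
    print(summarize(STEPS))
```

A `supplicant_mismatch` of true means the reject was decided during method negotiation, before any credential was checked: the server proposed one method and the supplicant asked for another that the Allowed Protocols list does not permit.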