SEC0048 - ISE 1.1 User and Machine Authentication with EAP Chaining (Part 1)


The video demonstrates how Cisco ISE EAP Chaining can solve caveats of user and machine authentication inherent to the Windows native supplicant. In part 1 of this video, we step through the authentication and authorization policy configurations necessary to support EAP Chaining for both wired and wireless. In part 2, we go through the configuration in the NAM Profile Editor to create a .xml file that the NAM module uses to gain network access. The video ends with wired and wireless testing and a look at how EAP Chaining appears in the authentication log on Cisco ISE.

  • AnyConnect Secure Mobility 3.x (NAM Module)
  • NAM Profile Editor
  • User and Machine Authentication with MSCHAPv2 inside EAP-FAST
  • Policy Element Condition
    • Authorization (Compound Condition)
  • Policy Element Result
    • Authentication (Allowed Protocol)
    • Authorization (Downloadable ACL)
    • Authorization (Authorization Profile)
  • Authentication Policy
  • Authorization Policy

  • With automatic provisioning of the PAC, EAP-TLS is used to build a secured tunnel to transport the PAC
  • The PAC is used by both endpoints to construct the EAP-FAST outer tunnel
  • The actual authentication occurs in the inner authentication method, which can be any supported protocol
  • EAP chaining allows multiple rounds of authentication to be carried out back-to-back within the same EAP session

  • Users can switch seamlessly between wired and wireless, as both user and machine authentication take place together at the connection attempt
  • No longer relies on machine authentication at Windows login, hence eliminates the hassle of users occasionally having to log off
  • No longer uses the machine authentication cache on ISE, hence eliminates the cache expiry problem
  • Additional software needs to be installed on user computers

About Author

Metha Cheiwanichakorn, CCIE#23585 (RS, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at, Metha enjoys learning and challenges himself with new Cisco technologies.


After labs with EAP-Chaining, EAP-TLS and PEAP-MSCHAPv2, I came to the following conclusions for my environment.

It is extremely difficult to manage the NAM client without a central administration console; a pre-deploy with GPO / AD is out of the question in an environment of more than 2000 hosts. Why? There are different types of OS (WinXP, Win7, Win8 and 8.1). What is the probability of all of them working 100% on a client update? And what in my opinion totally rules out EAP-Chaining is that the NAM client loads after login: mappings, scripts and policies are affected without a network connection. The SBL profile option with a timeout is meaningless, since it creates a delay at login, and there are machines with different hardware where the timeout can range from 5 to 40 seconds. How to manage this? Insane!

EAP-TLS authentication bumps into the user when there are two cert auths: after the user logs in, a popup appears to select the right certificate.

In my case, to have a low impact, the path can be PEAP-MSCHAPv2 for user and machine, or only EAP-TLS for machine. All these layers of security, from what I understood, are lost in a MAB authentication. Why so much security for dot1x when MAB has nothing? PEAP in my case is easy to manage and works well.

Your points are certainly valid. There is always a lot more to be considered in a large deployment. Sometimes you have to compromise between security and manageability. Thanks for sharing your story.

A question: for EAP-TLS machine-only, is it possible to disable MAR?

Not sure if I understand your question. If you only do machine auth, MAR is irrelevant. But yes, you can disable MAR under the Active Directory external database setting.

I have PKI, so I have a certificate for every machine. My question is: do I still need to allow PAC in the allowed authentication protocols when using EAP-FAST?
Thanks a lot

Having a client cert shouldn't really have anything to do with PAC. PAC is just an additional secret used by the two endpoints to create a secure channel. Without PAC, the communication essentially becomes TLS. Most likely the client cert will only be used in the inner authentication. That said, you probably still want to use PAC.

Isn't the inner authentication done using MS-CHAPv2? So what is the purpose of certificates in the inner authentication?

Inner authentication can be any supported protocol: PEAP, EAP-TLS. A client certificate is needed if you plan to use an inner protocol like EAP-TLS that requires it.

I did set up EAP-Chaining, and it seems to work fine from what I see in the logs. The issue I have is that I cannot browse the internet: I can ping internet resources like Google, but cannot open the Google web page. Did I miss anything?
Internally all works fine.

Do you use any dACL after successful authentication? If so, what does it look like, and did it get applied correctly to the user session?

I did the setup of EAP-Chaining using user and machine certificates, but it did not work. AnyConnect v3.1 is sending the wrong machine name.

In the authentication I expected to see host/machinename, but ISE received host/domain.

I tried to configure EAP-Chaining with MSCHAPv2 and it worked fine.

I tried to configure machine authentication with EAP-TLS and it worked.

I tried to configure EAP-Chaining (user certificate and machine MSCHAPv2) and it worked.

The issue occurs only when I set up the EAP-FAST tunnel with EAP-TLS for machine authentication.

Has anyone already seen this?

We have tried EAP-TLS with EAP-FAST EAP-Chaining before without any issue. This could be a bug specific to the AnyConnect NAM and ISE versions. You may want to check with TAC on this.

What version did you use?

It was on ISE 1.2 and AnyConnect 3.1

Windows 7 Pro works fine with EAP-FAST and EAP-Chaining. I get the following error with Windows 10 Pro clients.

24431 Authenticating machine against Active Directory - AD
24325 Resolving identity - host/LABLT01
24313 Search for matching accounts at join point - ccnpvoice.local
24319 Single matching account found in forest - ccnpvoice.local
24323 Identity resolution detected single matching account
24344 RPC Logon request failed - STATUS_WRONG_PASSWORD,ERROR_INVALID_PASSWORD,LABLT01$@ccnpvoice.local
24485 Machine authentication against Active Directory has failed because of wrong password - AD
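As an added triage helper (not part of the original post, and not Cisco's own tooling), the following Python parses ISE step lines like the ones pasted above and flags the "account resolved, but wrong machine password" pattern; the step codes and their meanings are taken only from that pasted log, and the sample input is a constructed copy of it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the ISE authentication "Steps" lines from the post above,
# as a user would paste them out of the ISE live-log detail view.
SAMPLE_STEPS = """\
24431 Authenticating machine against Active Directory - AD
24325 Resolving identity - host/LABLT01
24313 Search for matching accounts at join point - ccnpvoice.local
24319 Single matching account found in forest - ccnpvoice.local
24323 Identity resolution detected single matching account
24344 RPC Logon request failed - STATUS_WRONG_PASSWORD,ERROR_INVALID_PASSWORD,LABLT01$@ccnpvoice.local
24485 Machine authentication against Active Directory has failed because of wrong password - AD
"""
# Each step is "<5-digit code> <message>[ - <detail>]"; the detail part is optional.
STEP_RE = re.compile(r"^(?P<code>\d{5})\s+(?P<msg>.*?)(?:\s+-\s+(?P<detail>.*))?$")

@dataclass
class Step:
    code: int
    message: str
    detail: Optional[str]

def parse_steps(text: str) -> List[Step]:
    """Parse pasted ISE step lines; lines that do not fit the pattern are skipped."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line.strip())
        if m:
            steps.append(Step(int(m["code"]), m["msg"], m["detail"]))
    return steps

def triage(steps: List[Step]) -> dict:
    """Summarise an AD machine-auth attempt: 24325 identity, 24319/24323 resolved, 24344/24485 failure."""
    identity = next((s.detail for s in steps if s.code == 24325), None)
    resolved = any(s.code in (24319, 24323) for s in steps)
    failure = next((s for s in steps if s.code in (24344, 24485)), None)
    account, wrong_password = None, False
    for s in steps:
        if s.code == 24344 and s.detail:
            parts = [p.strip() for p in s.detail.split(",")]
            wrong_password = "STATUS_WRONG_PASSWORD" in parts
            account = next((p for p in parts if "$@" in p), None)  # machine account UPN
    if failure is None:
        verdict = "no AD machine-auth failure step found"
    elif resolved and wrong_password:
        verdict = "account resolved, wrong machine password: supplicant is not presenting the real machine credential"
    else:
        verdict = "AD machine-auth failed for another reason"
    return {"identity": identity, "account": account, "resolved": resolved, "verdict": verdict}
```

Because the account was found in the forest but the RPC logon failed on the password, the verdict points at the supplicant's machine credential rather than at the AD join or the identity lookup.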

This might be a known issue with Windows 8/10 where it does not allow an external application (i.e. NAM) to read the machine credential. Try adding a DWORD value LsaAllowReturningUnencryptedSecrets under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa and set the value to 1.

See the link below.

Reg fix worked.