One thought on “A network administrator must enable which protocol to utilize EAP-Chaining?”
EAP-FAST is a Cisco proprietary EAP authentication method. It provides the ability to chain user and machine authentications together; this is called EAP Chaining. The major advantage of using this protocol is ensuring that only corporate users can authenticate to the network using a corporate-issued computer. EAP-FAST is only supported when using Cisco AnyConnect as the dot1x supplicant.
ISE Configuration
This post will cover the configuration of EAP-Chaining on Cisco ISE, using EAP-FAST with EAP-TLS (certificates) as an inner authentication method for both Machine and User authentication. In this lab, Cisco ISE version 2.4 and Cisco AnyConnect v4.6 are used.
Allowed Protocols
By default, EAP-Chaining is not enabled; either the Default Network Access allowed protocol list must be modified or a new list must be created.
Navigate to Policy > Policy Elements > Results > Authentication > Allowed Protocols
Select Default Network Access and click Duplicate
Enter an appropriate name, e.g. LAB-Protocols
Scroll down to the Allow EAP-FAST section, click Enable EAP Chaining (ensure Allow EAP-FAST is still ticked)
Click Submit