EAP_chaining - ISE 1.4 - anyconnect 3.1.11004 issue

mukka
Level 1

Hi all

I am trying to deploy a new EAP chaining authentication for machine and user authentication with certificates.

Tunnel EAP_FAST and authentication EAP_TLS

I would like to perform 4 policies:

Machine and user have the certificate: it is working.

Machine has the certificate and user does not: it is OK.

Machine does not have the certificate and user has the cert: it is working too.

But when machine and user do not have the certificate, AnyConnect is trying EAP_PEAP.

My profile is not set to use EAP_PEAP.

11001  Received RADIUS Access-Request
11017  RADIUS created a new session
15049  Evaluating Policy Group
15008  Evaluating Service Selection Policy
15048  Queried PIP - DEVICE.Wired
15048  Queried PIP - Radius.Service-Type
15048  Queried PIP - Radius.NAS-Port-Type
15004  Matched rule - wired_test
11507  Extracted EAP-Response/Identity
12100  Prepared EAP-Request proposing EAP-FAST with challenge
12625  Valid EAP-Key-Name attribute received
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12301  Extracted EAP-Response/NAK requesting to use PEAP instead
12303  Failed to negotiate EAP because PEAP not allowed in the Allowed Protocols
11504  Prepared EAP-Failure
11003  Returned RADIUS Access-Reject  

 

Do you have any idea about it?

Thanks.

1 Reply

nspasov
Cisco Employee

Can you post screenshots of the NAM profile?