EAP-GTC

jshakyan
Cisco Employee

Hello Experts,

My customer is looking into deploying 802.1x, EAP-PEAP with EAP-GTC and an inner protocol. They want to use a hardware token card as additional security in case the laptop gets stolen. Does anyone see an issue or anything we need to know when deploying ISE 802.1x with EAP-GTC? ISE will be pointing to an RSA server for external authentication.

Thank you in advance for your response

Accepted Solutions

hslai
Cisco Employee

This is supported. See Table 2 of ISE Internal and External Identity Sources

Please note that ISE is not caching OTP, so it might be painful for end users on wireless connections if RSA OTP is used with EAP-GTC.

2 Replies

howon
Cisco Employee

It is not common to use tokens for 802.1X as it impacts user experience negatively. I have seen customers deploy token based on webauth. A few things come to mind:

- Will need to use a non-native supplicant like AnyConnect NAM, which supports EAP-GTC

- You will need to make sure the NAD honors the EAP requests whenever they come from the endpoint. Oftentimes switches are configured to ignore them once the port has failed over to MAB, which may require the user to unplug/replug the cable to get the authentication working again. Even after the precautions you may still end up with users having to enter the password twice due to timers etc.

- Would also need to disable re-auth to make sure the user does not have to authenticate multiple times.

Hosuk