Cisco Bug: CSCum60924 - EAP-Chaining EapAuthentication cannot have more than one value

Last Modified

Feb 28, 2018

Products (1)

  • Cisco Identity Services Engine

Known Affected Releases

1.2(0.899)

Description (partial)

Symptom:
EAP-Chaining with the authorization (authz) configuration below

Conditions:
Network Access:EAPTunnel equals EAP-FAST
Network Access:EAPAuthentication equals EAP-TLS
Network Access:EAPAuthentication equals MSchapv2
Network Access:EAP-ChainingResult equals User and Machine Both

then the authorization result is the default "Permit Access".

But a client using the Cisco AnyConnect supplicant fails to match the defined conditions, and the "Matched rule" is DEFAULT (Deny Access), with the logs showing:
EapFastFlow: authorization failed, so fail the whole conversation. Prepare to send ResultTLV(Failure)

Eap-Fast:onTunnelValidationFailed()

Conditions:
EAP-Chaining EapAuthentication cannot have more than one value.

For example, the following configuration fails:
Network Access:EAPTunnel equals EAP-FAST
Network Access:EAPAuthentication equals EAP-TLS
Network Access:EAPAuthentication equals MSchapv2
Network Access:EAP-ChainingResult equals User and Machine Both
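As an added example (not part of the Cisco bug record), the following Python check flags the configuration pattern this bug describes: an EAP-Chaining authorization rule whose conditions list more than one value for the Network Access:EAPAuthentication attribute. It assumes the rule's conditions are pasted as plain text lines in the "Dictionary:Attribute equals Value" form shown above; the function names, the treatment of an EAP-ChainingResult condition as the marker of an EAP-Chaining rule, and the single-value comparison rule are assumptions made for the example, not a documented workaround.

```python
import re
from collections import defaultdict

# Condition lines as they appear in an ISE authorization rule, e.g.
# "Network Access:EAPAuthentication equals EAP-TLS". Only the "equals"
# operator is parsed; anything else is reported back as unparsed.
CONDITION_RE = re.compile(
    r"^(?P<dict>[^:]+):(?P<attr>\S+)\s+equals\s+(?P<value>.+?)\s*$"
)


def parse_conditions(lines):
    """Group condition values by (dictionary, attribute).

    Returns (attrs, unparsed) where attrs maps (dict, attr) -> [values]
    in the order the conditions were written.
    """
    attrs = defaultdict(list)
    unparsed = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = CONDITION_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        attrs[(m.group("dict"), m.group("attr"))].append(m.group("value"))
    return dict(attrs), unparsed


def check_eap_chaining_rule(lines):
    """Return a list of findings; an empty list means the rule passes the check."""
    attrs, unparsed = parse_conditions(lines)
    findings = [f"unparsed condition: {u}" for u in unparsed]
    # Assumption: a rule is treated as an EAP-Chaining rule when it tests
    # Network Access:EAP-ChainingResult.
    is_chaining = ("Network Access", "EAP-ChainingResult") in attrs
    auth_values = attrs.get(("Network Access", "EAPAuthentication"), [])
    if is_chaining and len(auth_values) > 1:
        findings.append(
            "EAPAuthentication has more than one value in an EAP-Chaining rule: "
            + ", ".join(auth_values)
        )
    return findings


# Constructed sample: the failing rule from the bug description.
BROKEN_RULE = [
    "Network Access:EAPTunnel equals EAP-FAST",
    "Network Access:EAPAuthentication equals EAP-TLS",
    "Network Access:EAPAuthentication equals MSchapv2",
    "Network Access:EAP-ChainingResult equals User and Machine Both",
]

# Constructed comparison: the same rule with a single EAPAuthentication value.
SINGLE_VALUE_RULE = [
    "Network Access:EAPTunnel equals EAP-FAST",
    "Network Access:EAPAuthentication equals EAP-TLS",
    "Network Access:EAP-ChainingResult equals User and Machine Both",
]

if __name__ == "__main__":
    for name, rule in (("broken", BROKEN_RULE), ("single-value", SINGLE_VALUE_RULE)):
        print(name, check_eap_chaining_rule(rule) or "OK")
```

Running the module prints one finding for the rule taken from the bug description and "OK" for the single-value comparison; the parser also reports any condition line it could not read, so a rule using another operator is not silently passed.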