Cisco Bug: CSCus93665 - ISE 1.3 EAP-FAST chaining fails authorization after upgrade from 1.2.x

Last Modified

Jun 07, 2016

Products (1)

  • Cisco Identity Services Engine (ISE) 3300 Series Appliances

Known Affected Releases

1.3(0.876)

Description (partial)

Symptom:
After upgrading from ISE 1.2.x to ISE 1.3, endpoints authenticating with dot1x and EAP chaining no longer match the compound conditions they previously matched in ISE 1.2.x.

The compound condition is written to match on an authentication or EAP method of MSCHAPv2 or EAP-TLS (the inner method).

Live logs show that the authentication method used was EAP-FAST (the outer method).

Conditions:
Upgrade from ISE 1.2.x to ISE 1.3

EAP-FAST with EAP chaining is enabled, and AnyConnect NAM is running on a client that is failing authentications.

The AuthZ compound condition not only matches the EAP chaining result but also checks that the EAP authentication method is EAP-TLS or EAP-MSCHAPv2.