The only way to do both at the same time is as Justin said with EAP chaining, which is only supported with the latest anyconnect + EAP-FAST + ISE. But you can easily do machine auth followed by user auth with most anything.
In the AnyConnect profile editor, configure a new profile. Choose the normal stuff to begin with. When you get to the Network Connection Type screen, select Machine and User Connection. After that, you can specify the machine EAP type/credentials and then the user EAP type/credentials separately. Windows also allows this natively. With this configuration, AnyConnect will do machine authentication when the laptop first boots. After the user logs in, it will then do a new authentication with the user credentials. On the RADIUS server side, you need to make sure that you are authorizing both. There is also a "was machine authenticated" criterion that you can set so that in order to allow the user auth, the device had to be previously machine authenticated.

Hope that helps.

Jeff Rensink - CCIE #24834 (Wireless, R&S)
Senior Technical Instructor - IPexpert

On Fri, Oct 25, 2013 at 4:00 PM, Justin Kurynny <[email protected]> wrote:
> Marvin,
>
> Just to add on to my previous comment, you may be able to use EAP-TTLS,
> which is supported natively in Windows 8 (according to the Wikipedia
> article on EAP). I’m not sure what you’d use for a AAA server, however. I’m
> pretty sure ISE and ACS don’t support EAP-TTLS. W2k13 Server may support it.
>
> Justin
>
> From: Justin Kurynny
> Sent: Friday, October 25, 2013 13:53
> To: 'Marvin Krym'; [email protected]
> Subject: RE: [OSL | CCIE_Wireless] Windows Wireless Client/Supplicant Config Question
>
> Marvin,
>
> Are you trying to use both authentication types simultaneously (AND)? If
> so, I don’t know of any support for this except for maybe EAP Chaining with
> AnyConnect as supplicant and ISE as authenticator, and even then I think
> you’ll need to use EAP-FAST as one of the methods.
>
> If you are trying to do this as an OR authentication (such as with connect
> before login), you may be able to do this natively on W7 or higher, but
> I’ve never tried it and the configuration dialogs don’t look promising.
> It’s possible you could be able to do it with AnyConnect, but you’d need to
> set up an AnyConnect profile using the administration tool.
>
> As a side note, I recall reading about Tunneled EAP (TEAP), which was a
> draft proposal to the IETF in 2011 and renewed in 2012. I believe TEAP
> would have supported multiple authentication methods inside a tunnel. I’m
> not sure where that initiative stands now, but it would be nice to have a
> method for using more than one EAP method to authenticate an endpoint/user
> combination.
>
> Justin
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Marvin Krym
> Sent: Friday, October 25, 2013 10:16
> To: [email protected]
> Subject: [OSL | CCIE_Wireless] Windows Wireless Client/Supplicant Config Question
>
> Is it possible to configure the Windows wireless client/supplicant to do
> machine auth by sending a machine cert (ie EAP-TLS) and then do user auth
> by using PEAP/MSCHAP? It seems to me that I have to choose one EAP type or
> the other. Any clarification would be appreciated.
>
> Thanks.
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
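To make the RADIUS-side gating Jeff describes concrete, here is an added example (written for this thread, not ISE code or anything from the list) that simulates a "was machine authenticated" authorization condition: a boot-time machine auth is recorded per endpoint MAC, and a later user auth from that endpoint is permitted only while the record is fresh. The record lifetime, the identity formats and the endpoint addresses are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Assumed lifetime of a machine-auth record (seconds); ISE has a comparable configurable
# timer, but this value is a placeholder for the example.
MACHINE_AUTH_TTL = 8 * 3600

@dataclass
class AuthRequest:
    calling_station_id: str  # endpoint MAC as reported by the WLC/NAD
    identity: str            # "host/NAME" = machine auth, "DOMAIN\\user" = user auth (assumed formats)
    eap_method: str          # EAP method the supplicant used
    timestamp: float         # seconds since epoch

class MachineAuthRestriction:
    """Records machine auths per endpoint and gates user auth on a fresh record.

    Caveat: the two authentications are linked only by MAC and a timer, not
    cryptographically; EAP chaining exists to close exactly that gap.
    """
    def __init__(self, ttl=MACHINE_AUTH_TTL):
        self.ttl = ttl
        self._machine_authed = {}  # MAC -> timestamp of last successful machine auth

    def was_machine_authenticated(self, mac, now):
        last = self._machine_authed.get(mac)
        return last is not None and 0 <= now - last <= self.ttl

    def authorize(self, req):
        if req.identity.startswith("host/"):
            # Boot-time machine auth: accept only the certificate-based method.
            if req.eap_method != "EAP-TLS":
                return "reject-machine-method"
            self._machine_authed[req.calling_station_id] = req.timestamp
            return "permit-machine"  # limited access until a user logs in
        # Post-login user auth: require a fresh machine auth from the same endpoint.
        if not self.was_machine_authenticated(req.calling_station_id, req.timestamp):
            return "reject-no-machine-auth"
        return "permit-user"

def demo():
    """Constructed sequence: boot, user login, a foreign endpoint, an expired record."""
    mar = MachineAuthRestriction()
    t0, mac, user = 1382720000.0, "00:11:22:33:44:55", "EXAMPLE\\marvin"
    return [
        mar.authorize(AuthRequest(mac, "host/LAPTOP01.example.com", "EAP-TLS", t0)),
        mar.authorize(AuthRequest(mac, user, "PEAP-MSCHAPv2", t0 + 60)),
        mar.authorize(AuthRequest("66:77:88:99:aa:bb", user, "PEAP-MSCHAPv2", t0 + 60)),
        mar.authorize(AuthRequest(mac, user, "PEAP-MSCHAPv2", t0 + MACHINE_AUTH_TTL + 1)),
    ]
```

The third and fourth decisions are the ones worth watching in a real deployment: a user auth from an endpoint with no machine record, or with a stale one, should be rejected or given reduced access rather than full user access.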
