EAP-TLS & Unknown User Policy

Similar Messages

• ACS issue - External unknown user policy database

  HI all,
  Is there any way I can get back information from an external user database into ACS:
  I have 2 ssids, both on seperate IP address ranges. I have an external unknown user policy to pass username and passwords to. In the database there are flags which distinguish between two different types of users. Can I pass this 'flag' back to ACS somehow. When a user tries to logon to one SSID I want ACS to somehow check this flag and decide if that user can  access that SSID.
  Any ideas ??

  What is your external database?

• 802.1x auth via ACS through unknown user policy - multiple directories?

  A customer has an LDAP directory as well as a Novell NDS directory.
  MAC clients authenticate to IPlanet LDAP.
  Windows users authenticate to Novell NDS.
  Is there any way to use multiple SSIDs and the unknown user policy to authenticate users against their appropriate directories?
  Thanks,
  Tim

  Actually, you can. You can manually add users to the ACS database and specify which external database to use. Take a look at the URL below. It is on adding users to the ACS database using the CSUtil.exe program on the ACS server. The import file that is read allows you to specify which external database type to query for the users authentication.
  http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/ae.htm#wp365101
  Steve

• EAP-TLS new user login

  Hi!
  I´m having a logical misunderstanding about NPS, EAP-TLS and certificates. Maybe you can help me out with this.
  In my environment I have AD, NPS, CA and network devices. I´m using successfully Wifi EAP-TLS policy and my Ethernet policies are working aswell. I have two policies for ethernet and for wifi:
  1. Computer policy: Conditions are Client Friendly Name (Switches), NAS Port Type (Ethernet), Domain Computer Group
  2. User policy: Conditions are Client Friendly Name (Switches), NAS Port Type (Ethernet), Domain Users Group
  When I turn on computer it get acces to network (if I have certificate and machine is domain computer). When I log in with user who has a certificate and who is domain user - everything still works. So policies are working! If user don´t have certificate
  then connection is disconnected.
  Problem is that when I have a new user logging to the machine then it don´t have certificate. And authentication will fail! Is there a way to allow user to request certificate and then try to authenticate? GPO policy is "enroll automatically" turned
  on but it will not work cause user log in is using TEMP account and certificate is not enrolled! So new users can´t access to network to download profile if I don´t put the certificate there by myself. 
  Second question is about PXE an computer certificate. Is there a way to use SCCM/PXE for OSD?
  Any help would be appriciated!
  Taavi

  On Wed, 22 Jan 2014 09:07:38 +0000, asfewfewf wrote:
  I´m having a logical misunderstanding about NPS, EAP-TLS and certificates. Maybe you can help me out with this.
  In my environment I have AD, NPS, CA and network devices. I´m using successfully Wifi EAP-TLS policy and my Ethernet policies are working aswell. I have two policies for ethernet and for wifi:
  1. Computer policy: Conditions are Client Friendly Name (Switches), NAS Port Type (Ethernet), Domain Computer Group
  2. User policy: Conditions are Client Friendly Name (Switches), NAS Port Type (Ethernet), Domain Users Group
  When I turn on computer it get acces to network (if I have certificate and machine is domain computer). When I log in with user who has a certificate and who is domain user - everything still works. So policies are working! If user don´t have certificate
  then connection is disconnected.
  Problem is that when I have a new user logging to the machine then it don´t have certificate. And authentication will fail! Is there a way to allow user to request certificate and then try to authenticate? GPO policy is "enroll automatically"
  turned on but it will not work cause user log in is using TEMP account and certificate is not enrolled! So new users can´t access to network to download profile if I don´t put the certificate there by myself. 
  You need to look into setting up remediation.
  http://technet.microsoft.com/en-us/library/dd125372%28v=ws.10%29.aspx
  Second question is about PXE an computer certificate. Is there a way to use SCCM/PXE for OSD?
  You should be asking this question in a System Center forum -
  http://technet.microsoft.com/en-ca/systemcenter/bb625749.aspx
  Paul Adare - FIM CM MVP
  How do I set my LaserPrinter to "Stun"?!

• Cisco ISE - EAP-TLS - Machine / User Authentication - Multiple Certificate Authentication Profiles (CAP)

  Hello,
  I'm trying to do machine and user authentication using EAP-TLS and digital certificates.  Machines have certificates where the Principal Username is SAN:DNS, user certificates (smartcards) use SAN:Other Name as the Principal Username.
  In ISE, I can define multiple Certificate Authentication Profiles (CAP).  For example CAP1 (Machine) - SAN:DNS, CAP2 (User) - SAN:Other Name
  Problem is how do you specify ISE to check both in the Authentication Policy?  The Identity Store Sequence only accepts one CAP, so if I created an authentication policy for Dot1x to check CAP1 -> AD -> Internal, it will match the machine cert, but fail on user cert.  
  Any way to resolve this?
  Thanks,
  Steve

  You need to use the AnyConnect NAM supplicant on your windows machines, and use the feature called eap-chaining for that, windows own supplicant won't work.
  an example (uses user/pass though, but same concept)
  http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

• EAP-TLS client security policy enforcement question using ISE

  Hi Experts ,
  I have remote site connected to HQ wireless controller and cisco ISE used as RADIUS server . I am using EAP-TLS authentication method where client will validate the server certificate and server will validate the client certificate.
  I am using EAP-TLS and machine authentication.
  In case of server certificate installation using internal PKI (Root CA ) server , I am quite clear that we can create certificate in ISE and can be signed by CA which will be used for EAP-TLS as well. however I am trying to under the client certificate installation.
  how does client gets certificate from CA. is there any mechanism used by AD to import the certificate automatically to all the clients ?
  and more important is , which certificate will be installed on client machines. Do we need to create certificate first from CA and save in repository and later can be installed same to client machines .... Sorry it could be microsoft AD related question however i am pretty sure that since we as a wireless techie , need to know even client side configuration.
  This is all about certificate installation . how about entire security policy which is used for EAP-TLS ?
  how will client wireless network adapter properties automatically configured with same SSID which is configured with EAP-TLS along with certificate validation ?
  I am not sure ... will it get pushed through AD ? how will it happen ?
  It would be really helpful if someone could put light on this ..

  Hello Vino,
  Some answers below :
  how does client gets certificate from CA. is there any mechanism used by AD to import the certificate automatically to all the clients ?
  You have templates in the certificate authority to user or machine certificate and you can apply these certificates to a group of machines or users using GPO in the Windows Server 2008.
  It can be automatically because the machine can get it using GPO from domain and after can authenticates using 802.1X using these certificates received from this policy.
  If you want a user certificate and get it manually you can access the CA too using the URL https://X.X.X.X/certsrv and request manually the user certificate using your domain credentials and install manually to authenticate using EAP-TLS with this user certificate.
  In the Cisco ISE Side it needs to have a local certificate from the same client CA or from another CA and the Cisco ISE needs to trust in the clients CA Issuer to accept the client certificate and allow this one to access the network.
  In the client side the same happens, the client needs to trust in the Issuer CA for the Cisco ISE certificate to validate ISE certificate and get access to the network.
  and more important is , which certificate will be installed on client machines. Do we need to create certificate first from CA and save in repository and later can be installed same to client machines .... Sorry it could be microsoft AD related question however i am pretty sure that since we as a wireless techie , need to know even client side configuration.
  If you have a Windows Server with GPO and a CA configured you can use some templates to apply automatically a machine certificate or user certificate to a group of machines or user, in the case of machines it can be get from the domain using GPO and in the case of user certificate it can be get manually or using GPO too.
  This is all about certificate installation . how about entire security policy which is used for EAP-TLS ?
  The EAP-TLS is the most secured method to use to authenticate devices in the network because you have certificates and you have trusted certificate authority that you trust and only devices who has certificates from these CAs will be allowed to access the network.
  Another method very secured is EAP-FAST with machine and user certificate that the ISE will validade both the machine and user certificate before allow this one to get access to the network.
  how will client wireless network adapter properties automatically configured with same SSID which is configured with EAP-TLS along with certificate validation ?
  You can apply it too using GPO in the Windows Server to a domain machine but when you have a machine that is not a domain machine you can use a user certificate to authenticate this one and need to install manually the user certificate in that machine to authenticate the user to wireless network and create SSID specifying the policy that is EAP-TLS.
  Remember that client machine needs to have the CA issuer for the Cisco ISE certificate to trust in the Cisco ISE and get access to the network and the opposite too (ISE needs to have the CA Issuer to trust in the client)
  I hope it helps.

• 802.1x eap-tls machine + user authentication (wired)

  Hi everybody,
  right now we try to authenticate the machines and users which are plugged to our switches over 802.1X eap-tls. Works just fine with windows.
  You plug a windows laptop to a switchport and machine authenticates over eap-tls with computer certificate. Now the user logsin and our RADIUS (Cisco ACS) authenticates the user as well, with the user certificate. After eap-tls user-authentication the RADIUS checks if the workstation on which the user is currently logged in is authenticated as well. If yes = success, if no the switchport will not allow any traffic.
  Now we have to implement the same befaviour on our MacBooks Pro. Here the problems start. First of all I installed user and computer certificates issued by our CA (Win 2008 R2). So far so good. Now I have no idea how to implement the same chain of authentication. I was reading countless blogs, discussions, documentations etc. about how to create .mobileconfig profiles. Right now im able to authenticate the machine, and _only_ if I login. As soon as I logout eap-tls stops to work. It seems that loginwindow does not know how to authenticate.
  1) how do I tell Mavericks to authenticate with computer certificate while no user is loged in ? already tried profiles with
  <key>SetupModes</key>
  <array>
      <string>System</string>
      <string>Loginwindow</string>
  </array>
  <key>PayloadScope</key>
      <string>System</string>
  but it does not work
  2) How do I tell Mavericks to reauthenticate with user certificate when user logs in ?
  Thanks

  Unfortunatelly this documents do not describe how to do what I want.
  I already have an working 802.1x. But the mac only authenticates when the user is loged in. I have to say that even this does not work like it should. If Im loged in sometimes i need to click on "Connect" under networksettings and sometimes it connects just automatically. Thats really strange.
  I set the eapolclient to debugging mode and see following in /var/log/system.log when I logout.
  Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
  Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
  Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
  Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
  this are only debugging messages I get. Looks to me like eapolclient is not able to find a certificate (?)
  The certificates are in my System keychain.
  Unfortunatelly apple also changed the loging behaviour of eapolclient, I dont see any eapolclient.*.log under /var/log
  Any ideas ?

• EAP-TLS Vista Machine Authentication to ACS integrated to non AD LDAP

  Hello all,
  I've been working on a scenario with ACS 4.2 (trial) for Proof of Concept to a customer of ACS's abilities.
  His intended network plan is to use Vista Laptops doing Machine authentication only towards a ACS server integrated with a non-microsoft LDAP server. The mechanism of choice is EAP-TLS.
  We've set up the PKI on the right places and it is all up. We do manage to get a user certificate on the PC, authenticate via ACS to the LDAP repository, and everything is good.
  The problem that we are facing is when we want to move to do machine authentication, the behaviour is inconsistent. I'll explain:
  When the first authentication is done, the EAP-Identity requests are always prepended with a "host/". What we see is that the CN of a certificate is TEST, and the Identity request appears as host/TEST. This is no problem to LDAP, as we can get rid of the "host/" part to do the user matching and in fact it does match. After TLS handshake (certificates are ok), ACS tries to check CSDB (the internal ACS db) and afterwards it will follow the unknown user policy and query LDAP.
  All of this appears to be successful the first time.
  If we disassociate the machine, the problems start. The accounting STOP message is never sent.
  Any new authentication will fail with a message that CS user is invalid. The AUTH log shows that ACS will never try again to check LDAP, and invalidates the user right after CSDB check. In fact if we do see the reports for RADIUS, the authenticated user is host/TEST, but if we check the dynamic users, only TEST appears. Even disabling caching for dynamic users the problem remains.
  Does anyone have an idea on how to proceed? If it was possible to handle the machine authentication without the "host/" part, that would be great, as it works.
  My guess is that ACS is getting confused with the host/, as I'm seeing its AUTH logs and I do see some messages like UDB_HOST_DB_FAILURE, after UDB_USER_INVALID.
  IF someone can give me a pointer on how to make this work, or if I'm hitting a bug in ACS.
  Thanks
  Gustavo

  Assuming you're using the stock XP wifi client.
  When running XPSP3, you need to set two things:
  1) force one registry setting.
  According to
  http://technet.microsoft.com/en-us/library/cc755892%28WS.10%29.aspx#w2k3tr_wir_tools_uzps
  You need to force usage of machine cert-store certificate:
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
  "AuthMode"=dword:00000002
  2) add the ACS certificate signing CA to the specific SSID profile "trusted CA".
  - show available wireless networks
  - change advanced settings
  - wireless networks tab
  - select your SSID, and then hit the "properties" button
  - select authentication tab, and then hit "properties" button
  - search for your signing CA, and check the box.
  I did with a not-so-simple autoIT script, using the "native wifi functions" addon.
  Unfortunately I'm not allowed to share the script outside the company, but I'll be more than happy to review yours.
  please cross reference to
  https://supportforums.cisco.com/message/3280232
  for a better description of the whole setup.
  Ivan

• ISE 802.1x EAP-TLS machine and smart card authentication

  I suspect I know the answer to this, but thought that I would throw it out there anway...
  With Cisco ISE 1.2 is it possible to enable 802.1x machine AND user smart card  authentication simultaneously for wired/wireless clients (specifically  Windows 7/8, but Linux or OSX would also be good).  I can find plenty of  information regarding 802.1x machine authentication (EAP-TLS) and user  password authentication (PEAP), but none about dual EAP-TLS  authentication using certificates for machines and users at the same time.  I think I can figure out how to configure such a policy in ISE, but options seem to be lacking on the client end.  For example, the Windows 7 supplicant seems only able to present either a machine or user smart card certificate, not one then the other.  Plus, I am not sure how the client would know which certificate to present, or if the type can be specified from the authenticator.

  Hope this video link will help you
  http://www.labminutes.com/sec0045_ise_1_1_wired_dot1x_machine_auth_eap-tls

• WLC EAP-TLS

  Hi,
  My Wireless network consists of 8 WLC and 2 Cisco ACS 1113 with 4.2. I need to implement certificate authentication for Cisco Wireless Phone SSID. I tried PEAP along with certificate generated by Microsoft Cert Server, but the issue is the client can ignore the certificate and I believe only way to force is via Active Directory group policy.
  So as my Cisco IP Phones are not joined to Active Directory I think the only option is to use EAP-TLS. For this I have the following Queries.
  •1.     What will be the SSID security setting. ( I tried Layer 2 802.X with WEP 104bit encryption)
  •2.     Do I need to install any certificate on WLC if yes which Certificate (Ex root, Client)
  •3.     What Certificate should be installed on Client.
  •4.     What should be the client PC security setting for EAP-TLS
  I had gone through the following Docs for reference.
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a008068d45a.shtml
  https://supportforums.cisco.com/docs/DOC-24723
  Thanks
  Nibin

  Dear Philip,
  Thanks for your reply. Actually the setting is working for Laptops only issue with Wireless IP Phones.
  Please find the logs from Cisco ACS. I followed the deployment guide for IP Phone.
  AUTH 02/10/2013  13:29:58 I 0000 1756 0xb CryptoLib.SSLConnection.pvServerInfoCB - Process TLS  data: SSL state=SSLv3 read  client certificate A
  AUTH 02/10/2013  13:29:58 I 2009 1756 0xb EAP: EAP-TLS:  Handshake failed
  AUTH 02/10/2013  13:29:58 E 2255 1756 0xb EAP: EAP-TLS:  ProcessResponse: SSL recv alert fatal:bad certificate
  AUTH 02/10/2013  13:29:58 E 2258 1756 0xb EAP: EAP-TLS:  ProcessResponse: SSL ext error reason: 412 (Ext error code =  0)
  AUTH 02/10/2013  13:29:58 E 2297 1756 0xb EAP: EAP-TLS: ProcessResponse(1519):  mapped SSL error code (3) to -2198
  AUTH 02/10/2013  13:29:58 I 0526 1756 0xb EAP: EAP-TLS: Unknown EAP code  Unknown EAP code
  AUTH 02/10/2013  13:29:58 I 0366 1756 0xb EAP: EAP state: action = send
  AUTH 02/10/2013  13:29:58 I 1151 1756 0xb [AuthenProcessResponse]:[eapAuthenticate] returned  -2198
  AUTH 02/10/2013  13:29:58 I 1198 1756 0xb EAP: <-- EAP Failure/EAP-Type=EAP-TLS (identifier=7,  seq_id=7)
  AUTH 02/10/2013  13:29:58 I 5501 1756 0xb Done  UDB_SEND_RESPONSE, client 50, status  UDB_EAP_TLS_INVALID_CERTIFICATE
  Thanks
  Nibin Rodrigues

• EAP-TLS FAILING ON WIRELSS IPPHONE CP-7925G

  Hi all,
  we had enabled the eap-tls authentication on our WIFI network. We are using Cisco ACS 1113 & Microsoft Certificate Server for this setup. Currently we are able to successfully authenticat EAP-TLS on computer, but the Phones are not registering the network.
  On the ACS we are getting the following error.
  "EAP-TLS or PEAP authentication failed due to invalid certificate during SSL handshake".
  Thanks
  Nibin       

  Dear all
  Thanks for your reply. Actually the setting is working for Laptops only issue with Wireless IP Phones.
  Please find the logs from Cisco ACS. I followed the deployment guide for IP Phone.
  AUTH 02/10/2013 13:29:58 I 0000 1756 0xb CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read client certificate A
  AUTH 02/10/2013 13:29:58 I 2009 1756 0xb EAP: EAP-TLS: Handshake failed
  AUTH 02/10/2013 13:29:58 E 2255 1756 0xb EAP: EAP-TLS: ProcessResponse: SSL recv alert fatal:bad certificate
  AUTH 02/10/2013 13:29:58 E 2258 1756 0xb EAP: EAP-TLS: ProcessResponse: SSL ext error reason: 412 (Ext error code = 0)
  AUTH 02/10/2013 13:29:58 E 2297 1756 0xb EAP: EAP-TLS: ProcessResponse(1519): mapped SSL error code (3) to -2198
  AUTH 02/10/2013 13:29:58 I 0526 1756 0xb EAP: EAP-TLS: Unknown EAP code Unknown EAP code
  AUTH 02/10/2013 13:29:58 I 0366 1756 0xb EAP: EAP state: action = send
  AUTH 02/10/2013 13:29:58 I 1151 1756 0xb [AuthenProcessResponse]:[eapAuthenticate] returned -2198
  AUTH 02/10/2013 13:29:58 I 1198 1756 0xb EAP: <-- EAP Failure/EAP-Type=EAP-TLS (identifier=7, seq_id=7)
  AUTH 02/10/2013 13:29:58 I 5501 1756 0xb Done UDB_SEND_RESPONSE, client 50, status UDB_EAP_TLS_INVALID_CERTIFICATE
  Thanks
  Nibin Rodrigues

• TACACS "fail unknown users" after upgrade to ACS 3.3

  Basic config issue is :
  1) User Account is added to ACS 3.3
  2) User Account is added to Group with correct Privilege Levels
  3) User Password Authentication: is listed as "Windows Database"
  4) TACACS+ Enable Control: is set to user group settings
  5) And TACACS+ Enable is also set to "Windows Database"
  In External DB all windows Domains are listed (but not down to specific group mapping)
  Here is the problem, every thing works fine.
  Users can log onto router in User mode (using domain password) & change to EN mode (using domain password)
  As long as the "Unknown user policy" is set to check against "Windows". this works.
  But if it is set to "fail Unknown users" then no one can gain access

  Hi Michael,
  We opened a TAC case ans was given the following info;
  CSCef84196
  First Found-in Version 3.3(1)
  Symptom:
  users created on acs but mapped to external DB manually fail authentication
  Condition:
  -this happens when unkown user policy is set to fail authentication attempt.
  Workaround:
  - set unkown policy to check external database.
  if dynamic users aren't desired to authenticate, you can map the external DB to a disabled group.
  and put the manually mapped users in an enabled group.
  Ther is no fix available yet!

• ISE Problem: EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain

  Hello, I´m stucked with this problem for 3 weeks now.
  I´m not able to configure the EAP-TLS autentication.
  In the "Certificate Store" of the ISE server I have Installed the Root, policy and the Issuing certificates as "trust for client authentication",and in the Local store I have a certificate issuing for the same issuing authority which sign the thw client ones.
  The ISE´s certificate has been issued with the "server Authentication certificate" template.
  The clients have installed the certificates  also the certificate chain.
  When I try to authenticate the wireless clients I allways get the same error: "     Authentication failed : 12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain"
  and "OpenSSLErrorMessage=SSL alert
  code=0x230=560 ; source=local ; type=fatal ; message="Unknown CA - error self-signed certificate in chain",OpenSSLErrorStack=  1208556432:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2720"
  I don´t know what else can I do.
  Thank you
  Jorge

  Hi Rik,
  the Below are the certificate details
  ISE Certificate Signed by XX-CA-PROC-06
  User PKI Signed by XX-CA-OTHER-08
  In ISE certificate Store i have the below certificates
  XX-CA-OTHER-08 signed by XX-CA-ROOT-04
  XX-CA-PROC-06 signed by XX-CA-ROOT-04
  XX-CA-ROOT-04 signed by XX-CA-ROOT-04
  ISE certificate signed by XX-CA-PROC-06
  I have enabled - 'Trust for client authentication' on all three certificates
  this is unchecked - 'Enable Validation of Certificate Extensions (accept only valid certificate)'
  when i check the certificates of current user in the Client PC this is how it shows.
  XX-CA-ROOT-04 is listed in Trusted root Certification Authority
  and XX-CA-PROC-06 and XX-CA-OTHER-08  are in Intermediate Certificate Authorities

• EAP-TLS Authentication failure happening in ACS for Wireless End User Authentication

  Hi All,
  We have the Win 3.2 ACS setup in the production environment, We are migrating it with 4.2 Appliance version. We have succesfully migrated the database and other stuffs from 3.2 to 4.2. Same way we have exported the certificates from 3.2 to 4.2 and installed it.
  We have the leap as well as eap-tls in the authentication part.
  We were able to test successfully with the leap. But when it comes to eap-tls. In 4.2 version its throwing the error.
  5/3/2011
  23:16:38
  Authen failed
  [email protected]
  EAP-TLS users
  0023.1413.de18
  (Default)
  EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake
  21356
  10.121.198.38
  13
  EAP-TLS
  ap-1242b4 
    Bangalore APs
  We have used the same certficate exported and installed in the 4.2 version. But its working in the existing 3.2 version and why it is not working with the 4.2 version.
  Could anyone help me out in this?
  Regards
  Karthik

  Hi,
  Looks like the CA Cert is not installed on the ACS.
  The following link will help you install the CA cert.
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCAuth.html#wp327056
  Also trust the CA certificate in the Edit trust list list.
  Hope this helps.
  Regards,
  Anisha
  P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

• EAP Chaining with Machine TLS and User PEAP

  We are deploying an ISE based .1x. The design is to use eap-tls for machine and eap-peap for user. Apparently EAP-Chaining is recommended, but can anyone confirm if we can do chaining based on machine TLS and user PEAP. I have done some investigation and could not find any supporting document, but not any document saying not supporting either. Looking at Anyconnect profile editor, it does not look like this configuration is supported. Has anyone done this before?
  Thanks a lot.

  http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf
  Just change the authentication policy to allow the methods you want to use under eap-fast (eap-chaining) and use the same ones in your nam client configuration settings.