Your company’s Cisco ISE device and all of its supplicants support EAPFASTv2. A user’s authentication fails. However, the user’s device attempts to authenticate and succeeds.Which of the following is true? (Select the best answer.)
- The user will have no access.
- The user will have restricted access.
- The user will have full access.
- The device will have full access but the user will have no access.
The user will have restricted access if user authentication to the Cisco Identity Services Engine (ISE) fails but the user’s device authentication succeeds. Extensible Authentication Protocol (EAP)Flexible
Authentication via Secure Tunneling (FAST) with EAP chaining, which is also sometimes called EAPFAST version 2 (EAPFASTv2), enables the validation of both user and device credentials in a single EAP transaction. EAP chaining enables a Cisco security device to validate authentication credentials for both a user and the user’s device. In order to enable EAP chaining, both the Cisco security device and the supplicant device must support EAP chaining.
The Cisco ISE will assign a different level of authorization access depending on one of four success and failure possibilities, as shown in the following table:
EAP-FAST is an authentication protocol that can be used for pointtopoint connections and for both wired and wireless links. The EAP-FAST authentication process consists of three phases. The first phase, which is optional and is considered phase 0, consists of provisioning a client with a PAC, which is a digital credential that is used for authentication. A PAC can be manually configured on a client, in which case phase 0 is not required. The second phase, which is referred to as phase 1, involves creating a secure tunnel between the client and the server. The final phase, which is referred to as phase 2, involves authenticating the client. If the client is authenticated, the client will be able to access the network.