SEC0274 - ISE 2.2 Wireless 802.1X with EAP-TLS and PEAP (Part 2)

The video walks you through configuring wireless 802.1X with EAP-TLS and PEAP on Cisco ISE 2.2. We configure authentication and authorization policies that support both user and machine authentication and enforce Machine Access Restriction (MAR) with the Windows Native Supplicant. A named ACL is used to restrict network access. We test both domain and non-domain devices and review the resulting authentication records.
 
Part 2 of this video covers configuration validation with endpoint testing.
 
Topic:
  • Network Device and Group
  • Certificate Profile (Common Name)
  • Active Directory User Group
  • Identity Source Sequence 
  • User and Machine Authentication with EAP-TLS and PEAP
  • Windows 802.1X Native Supplicant
  • Policy Element Result
    • Authorization (Named ACL)
    • Authorization (Authorization Profile)
    • Authentication Policy
    • Authorization Policy
  • Policy Set
    • Authentication Policy
    • Authorization Policy
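To make the MAR decision in the policy above concrete, here is an added Python model of the authorization logic this lab builds. It is example code written for this page, not ISE's implementation and not the video's configuration. Everything named in it is an assumption: the rule names, the named ACLs (ACL-CORP-FULL, ACL-MACHINE-ONLY, DENY), the 5-hour MAR aging window, the AD group names, the endpoint MACs and hostnames, and the choice to deny a domain user on an endpoint that has no fresh machine authentication. The `identity` field is taken to be the value the certificate profile (Common Name) or the PEAP inner exchange already produced.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Assumption: MAR aging window in seconds. ISE takes this from the AD join
# point's Advanced Settings; 5 hours is an illustrative value, not a default.
MAR_AGING_SECONDS = 5 * 3600

# Assumption: protocols the authentication policy allows for this SSID.
ALLOWED_EAP = {"EAP-TLS", "PEAP"}

# Assumption: names of the named ACLs applied by the authorization profiles.
ACL_FULL = "ACL-CORP-FULL"        # user on a machine-authenticated endpoint
ACL_MACHINE = "ACL-MACHINE-ONLY"  # machine-only access before a user logs in
ACL_DENY = "DENY"


@dataclass
class AuthRequest:
    mac: str                   # Calling-Station-Id of the endpoint
    identity: str              # from the certificate profile (CN) or PEAP inner identity
    eap_method: str            # "EAP-TLS" or "PEAP"
    credential_valid: bool     # certificate chain / AD password check passed
    ad_groups: Tuple[str, ...]
    now: float                 # epoch seconds of this request


@dataclass
class MarCache:
    """Last successful machine authentication per MAC; MAR keys on the MAC."""
    last_machine_auth: Dict[str, float] = field(default_factory=dict)

    def record(self, mac: str, now: float) -> None:
        self.last_machine_auth[mac.lower()] = now

    def is_fresh(self, mac: str, now: float) -> bool:
        ts = self.last_machine_auth.get(mac.lower())
        return ts is not None and 0 <= now - ts <= MAR_AGING_SECONDS


def is_machine_identity(identity: str) -> bool:
    # Windows machine authentication presents the identity as host/<fqdn>
    return identity.lower().startswith("host/")


def authorize(req: AuthRequest, mar: MarCache) -> Tuple[str, str]:
    """First-match, top-down evaluation, the way a policy set's rules are read."""
    if req.eap_method not in ALLOWED_EAP:
        return ("Protocol-Not-Allowed", ACL_DENY)
    if not req.credential_valid:
        return ("Default-Reject", ACL_DENY)
    if is_machine_identity(req.identity):
        if "Domain Computers" in req.ad_groups:
            mar.record(req.mac, req.now)          # this is what MAR checks later
            return ("Machine-Auth", ACL_MACHINE)
        return ("Default-Reject", ACL_DENY)
    if "Domain Users" in req.ad_groups:
        if mar.is_fresh(req.mac, req.now):
            return ("User-Auth-Domain-Machine", ACL_FULL)
        # Assumption: a domain user on an endpoint with no fresh machine auth
        # (non-domain device, or a MAR entry that aged out) is denied.
        return ("User-Auth-No-MAR", ACL_DENY)
    return ("Default-Reject", ACL_DENY)


def run_scenarios() -> Dict[str, Tuple[str, str]]:
    """Constructed endpoint tests: domain PC boot then login, a non-domain
    laptop with valid domain credentials, a bad password, a disallowed EAP
    method, and a login after the MAR entry has aged out."""
    mar = MarCache()
    t0 = 1_500_000_000.0
    domain_pc, byod = "00:11:22:33:44:55", "66:77:88:99:aa:bb"  # constructed MACs
    return {
        "pc_boot": authorize(AuthRequest(domain_pc, "host/PC1.lab.local", "EAP-TLS", True, ("Domain Computers",), t0), mar),
        "pc_login": authorize(AuthRequest(domain_pc, "alice", "EAP-TLS", True, ("Domain Users",), t0 + 60), mar),
        "byod_login": authorize(AuthRequest(byod, "alice", "PEAP", True, ("Domain Users",), t0 + 120), mar),
        "bad_password": authorize(AuthRequest(byod, "alice", "PEAP", False, (), t0 + 130), mar),
        "md5_attempt": authorize(AuthRequest(byod, "alice", "EAP-MD5", True, ("Domain Users",), t0 + 140), mar),
        "pc_login_stale": authorize(AuthRequest(domain_pc, "alice", "EAP-TLS", True, ("Domain Users",), t0 + MAR_AGING_SECONDS + 1), mar),
    }


if __name__ == "__main__":
    for name, (rule, acl) in run_scenarios().items():
        print(f"{name:15} -> {rule:26} {acl}")
```

The point the model makes visible is that MAR is state, not a credential check: the same user with the same valid credentials gets ACL-CORP-FULL on the domain PC and DENY on the non-domain laptop purely because of what the MAC did earlier, and that state expires, which is why a reboot-then-login sequence and the aging window both matter when reading live-log results.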

About Author

Metha Cheiwanichakorn, CCIE#23585 (RS, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new Cisco technologies.

3 comments

Metha, wonderful video, thank you. We are running into an issue with our ISE deployment where after we push out the Cisco client installation to workstations, the machine reboots, user logs in and gets denied access. If they reboot again, it works. Here are some relevant logs from the client. Any thoughts? Thanks!

206: TEST-PC: May 10 2018 14:17:20.321 +0600: %NAM-6-INFO_MSG: %[tid=1688]: Sending unprotected identity = host/TEST-PC.ABCCorp.com.

207: TEST-PC: May 10 2018 14:17:20.321 +0600: %NAM-6-INFO_MSG: %[tid=1688]: EAP: Identity sent

208: TEST-PC: May 10 2018 14:17:20.321 +0600: %NAM-7-DEBUG_MSG: %[tid=1688]: EAP: identity sent: sync=2

209: TEST-PC: May 10 2018 14:17:20.321 +0600: %NAM-7-DEBUG_MSG: %[tid=1688]: EAP: credential request 2: state transition: PENDING -> RESPONDED

210: TEST-PC: May 10 2018 14:17:20.321 +0600: %NAM-7-DEBUG_MSG: %[tid=1688]: Auth[ABCCorp Wired:machine-auth]: Authentication state transition: AUTH_STATE_STARTED -> AUTH_STATE_UNPROTECTED_IDENTITY_SENT_FOR_FULL_AUTHENTICATION

211: TEST-PC: May 10 2018 14:17:20.321 +0600: %NAM-7-DEBUG_MSG: %[tid=1688]: EAP: credential request completed, response sent: sync=2

212: TEST-PC: May 10 2018 14:17:20.321 +0600: %NAM-7-DEBUG_MSG: %[tid=1688]: EAP: credential request 2: state transition: RESPONDED -> COMPLETED

213: TEST-PC: May 10 2018 14:17:20.331 +0600: %NAM-7-DEBUG_MSG: %[tid=1716]: EAP-CB: credential requested: sync=3, session-id=1, handle=026B00A4, type=AC_CRED_EAP_METHODS

214: TEST-PC: May 10 2018 14:17:20.331 +0600: %NAM-7-DEBUG_MSG: %[tid=1716]: EAP: credential request deferred: sync=3

215: TEST-PC: May 10 2018 14:17:20.331 +0600: %NAM-7-DEBUG_MSG: %[tid=1716]: EAP-CB: sending EapCredentialRequestEvent...

216: TEST-PC: May 10 2018 14:17:20.331 +0600: %NAM-7-DEBUG_MSG: %[tid=1688]: EAP: ...received EapCredentialRequestEvent.

217: TEST-PC: May 10 2018 14:17:20.331 +0600: %NAM-7-DEBUG_MSG: %[tid=1688]: EAP: processing credential request: sync=3, session-id=1, eap-handle=026B00A4, eap-level=0, auth-level=0, protected=0, type=CRED_REQ_EAP_METHODS

218: TEST-PC: May 10 2018 14:17:20.331 +0600: %NAM-6-INFO_MSG: %[tid=1688]: EAP: EAP suggested by server: eapTls

219: TEST-PC: May 10 2018 14:17:20.331 +0600: %NAM-6-INFO_MSG: %[tid=1688]: EAP: EAP requested by client: eapTls

220: TEST-PC: May 10 2018 14:17:20.331 +0600: %NAM-7-DEBUG_MSG: %[tid=1688]: EAP: EAP methods sent: sync=3

221: TEST-PC: May 10 2018 14:17:20.331 +0600: %NAM-7-DEBUG_MSG: %[tid=1688]: EAP: credential request 3: state transition: PENDING -> RESPONDED

222: TEST-PC: May 10 2018 14:17:20.331 +0600: %NAM-7-DEBUG_MSG: %[tid=1688]: Auth[ABCCorp Wired:machine-auth]: Authentication state transition: AUTH_STATE_UNPROTECTED_IDENTITY_SENT_FOR_FULL_AUTHENTICATION -> AUTH_STATE_UNPROTECTED_IDENTITY_ACCEPTED

Versus what looks like one of the failures:

206: TEST-PC: May 10 2018 13:53:59.988 +0600: %NAM-6-INFO_MSG: %[tid=1700]: Sending unprotected identity = host/TEST-PC.ABCCorp.com.

207: TEST-PC: May 10 2018 13:53:59.988 +0600: %NAM-6-INFO_MSG: %[tid=1700]: EAP: Identity sent

208: TEST-PC: May 10 2018 13:53:59.988 +0600: %NAM-7-DEBUG_MSG: %[tid=1700]: EAP: identity sent: sync=2

209: TEST-PC: May 10 2018 13:53:59.988 +0600: %NAM-7-DEBUG_MSG: %[tid=1700]: EAP: credential request 2: state transition: PENDING -> RESPONDED

210: TEST-PC: May 10 2018 13:53:59.988 +0600: %NAM-7-DEBUG_MSG: %[tid=1700]: Auth[ABCCorp Wired:machine-auth]: Authentication state transition: AUTH_STATE_STARTED -> AUTH_STATE_UNPROTECTED_IDENTITY_SENT_FOR_FULL_AUTHENTICATION

211: TEST-PC: May 10 2018 13:53:59.988 +0600: %NAM-7-DEBUG_MSG: %[tid=1700]: EAP: credential request completed, response sent: sync=2

212: TEST-PC: May 10 2018 13:53:59.988 +0600: %NAM-7-DEBUG_MSG: %[tid=1700]: EAP: credential request 2: state transition: RESPONDED -> COMPLETED

213: TEST-PC: May 10 2018 13:53:59.998 +0600: %NAM-7-DEBUG_MSG: %[tid=1732]: EAP-CB: EAP status notification: session-id=1, handle=022D9AAC, status=AC_EAP_STATUS_EAP_FAILURE

214: TEST-PC: May 10 2018 13:53:59.998 +0600: %NAM-7-DEBUG_MSG: %[tid=1732]: EAP-CB: sending EapStatusEvent...

215: TEST-PC: May 10 2018 13:53:59.998 +0600: %NAM-7-DEBUG_MSG: %[tid=1732]: EAP-CB: EAP status notification: session-id=1, handle=022D9AAC, status=AC_EAP_STATUS_ERR_CLIENT_IDENTITY_REJECTED

216: TEST-PC: May 10 2018 13:53:59.998 +0600: %NAM-7-DEBUG_MSG: %[tid=1700]: EAP: ...received EapStatusEvent: session-id=1, EAP handle=022D9AAC, status=AC_EAP_STATUS_EAP_FAILURE

217: TEST-PC: May 10 2018 13:53:59.998 +0600: %NAM-7-DEBUG_MSG: %[tid=1732]: EAP-CB: sending EapStatusEvent...

218: TEST-PC: May 10 2018 13:53:59.998 +0600: %NAM-6-INFO_MSG: %[tid=1700]: EAP: Eap status AC_EAP_STATUS_EAP_FAILURE.

219: TEST-PC: May 10 2018 13:53:59.998 +0600: %NAM-7-DEBUG_MSG: %[tid=1700]: EAP: processing EapStatusEvent in the subscriber

220: TEST-PC: May 10 2018 13:53:59.998 +0600: %NAM-6-INFO_MSG: %[tid=1732][mac=1,6,f8:b1:56:12:34:56]: {294B1B0E-21DC-4857-AECC-1234567890}: Port State UNAUTHENTICATED and status EAP_FAILURE

221: TEST-PC: May 10 2018 13:53:59.998 +0600: %NAM-7-DEBUG_MSG: %[tid=1700]: Auth[ABCCorp Wired:machine-auth]: Unprotected identity rejected, authentication failed.

What error does ISE show?

Interestingly, nothing. I don't see the MAC address hitting ISE logs at all, even the RADIUS live logs.
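As an added triage aid for the kind of side-by-side comparison made in the thread above (this is not code from the original page or from the commenter), the following Python parser reads AnyConnect NAM log lines in the format quoted there, pulls out the identity the supplicant sent, the EAP method the server proposed (if any), the EAP status codes and the endpoint MAC, and reports whether the attempt failed before any EAP method was negotiated. The sample traces are a subset of the lines quoted in the comment; the regular expression for the line layout, the field names and the hint text are my own assumptions about the format, not Cisco documentation.

```python
import re
from datetime import datetime, timedelta

# Sample traces: a subset of the lines quoted in the comment above (the
# successful run first, the failing run second), embedded so this runs offline.
SUCCESS_TRACE = """\
206: TEST-PC: May 10 2018 14:17:20.321 +0600: %NAM-6-INFO_MSG: %[tid=1688]: Sending unprotected identity = host/TEST-PC.ABCCorp.com.
207: TEST-PC: May 10 2018 14:17:20.321 +0600: %NAM-6-INFO_MSG: %[tid=1688]: EAP: Identity sent
218: TEST-PC: May 10 2018 14:17:20.331 +0600: %NAM-6-INFO_MSG: %[tid=1688]: EAP: EAP suggested by server: eapTls
219: TEST-PC: May 10 2018 14:17:20.331 +0600: %NAM-6-INFO_MSG: %[tid=1688]: EAP: EAP requested by client: eapTls
222: TEST-PC: May 10 2018 14:17:20.331 +0600: %NAM-7-DEBUG_MSG: %[tid=1688]: Auth[ABCCorp Wired:machine-auth]: Authentication state transition: AUTH_STATE_UNPROTECTED_IDENTITY_SENT_FOR_FULL_AUTHENTICATION -> AUTH_STATE_UNPROTECTED_IDENTITY_ACCEPTED
"""

FAILURE_TRACE = """\
206: TEST-PC: May 10 2018 13:53:59.988 +0600: %NAM-6-INFO_MSG: %[tid=1700]: Sending unprotected identity = host/TEST-PC.ABCCorp.com.
207: TEST-PC: May 10 2018 13:53:59.988 +0600: %NAM-6-INFO_MSG: %[tid=1700]: EAP: Identity sent
213: TEST-PC: May 10 2018 13:53:59.998 +0600: %NAM-7-DEBUG_MSG: %[tid=1732]: EAP-CB: EAP status notification: session-id=1, handle=022D9AAC, status=AC_EAP_STATUS_EAP_FAILURE
215: TEST-PC: May 10 2018 13:53:59.998 +0600: %NAM-7-DEBUG_MSG: %[tid=1732]: EAP-CB: EAP status notification: session-id=1, handle=022D9AAC, status=AC_EAP_STATUS_ERR_CLIENT_IDENTITY_REJECTED
220: TEST-PC: May 10 2018 13:53:59.998 +0600: %NAM-6-INFO_MSG: %[tid=1732][mac=1,6,f8:b1:56:12:34:56]: {294B1B0E-21DC-4857-AECC-1234567890}: Port State UNAUTHENTICATED and status EAP_FAILURE
221: TEST-PC: May 10 2018 13:53:59.998 +0600: %NAM-7-DEBUG_MSG: %[tid=1700]: Auth[ABCCorp Wired:machine-auth]: Unprotected identity rejected, authentication failed.
"""

# Assumed line layout, read off the quoted lines:
#   <seq>: <host>: <Mon DD YYYY HH:MM:SS.mmm> <+ZZZZ>: %NAM-<sev>-<MNEMONIC>: %[tid=N][mac=...]: <message>
LINE_RE = re.compile(
    r"^(?P<seq>\d+): (?P<host>\S+): "
    r"(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>[+-]\d{4}): "
    r"%NAM-(?P<sev>\d)-(?P<mnemonic>\w+): "
    r"%\[tid=(?P<tid>\d+)\](?:\[mac=(?P<mac>[^\]]*)\])?: (?P<msg>.*)$"
)


def parse_line(line):
    """One NAM line -> dict of fields, or None if it is not in the expected layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%b %d %Y %H:%M:%S.%f")
    return rec


def triage(trace):
    """Summarise one 802.1X attempt: what was sent, what came back, and when."""
    events = [e for e in (parse_line(l) for l in trace.splitlines()) if e]
    summary = {"identity": None, "method": None, "statuses": [], "mac": None,
               "ms_after_identity": None, "outcome": "incomplete", "hint": ""}
    identity_time = None
    for e in events:
        msg = e["msg"]
        if msg.startswith("Sending unprotected identity = "):
            summary["identity"] = msg.split("= ", 1)[1].rstrip(".")
            identity_time = e["time"]
        elif msg.startswith("EAP: EAP suggested by server: "):
            summary["method"] = msg.rsplit(": ", 1)[1]
        elif "status=AC_EAP_STATUS_" in msg:
            summary["statuses"].append(msg.rsplit("status=", 1)[1])
        if e["mac"]:
            summary["mac"] = e["mac"].split(",")[-1]   # "1,6,<mac>" -> "<mac>"
    if events and identity_time is not None:
        summary["ms_after_identity"] = (events[-1]["time"] - identity_time) // timedelta(milliseconds=1)
    if summary["method"]:
        summary["outcome"] = "server_proposed_method"
        summary["hint"] = f"server engaged with {summary['method']}; a failure after this point is inside the method or the policy"
    elif "AC_EAP_STATUS_EAP_FAILURE" in summary["statuses"]:
        summary["outcome"] = "eap_failure_before_method"
        summary["hint"] = "EAP-Failure arrived before any method was proposed; check RADIUS live logs for this MAC and, if nothing is there, the authenticator and its RADIUS path"
    return summary


if __name__ == "__main__":
    for label, trace in (("success", SUCCESS_TRACE), ("failure", FAILURE_TRACE)):
        print(label, triage(trace))
```

On the two quoted traces the parser reports that the successful run had the server propose eapTls 10 ms after the identity went out, while the failing run received EAP-Failure and ERR_CLIENT_IDENTITY_REJECTED 10 ms after the identity with no method ever proposed. That split is what makes the follow-up question in the thread useful: an attempt that never reaches method negotiation and never appears in ISE's RADIUS live logs needs to be traced on the authenticator before the ISE policy is suspected.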
