SEC0043 - ISE 1.1 Wired 802.1X and Machine Authentication with PEAP


The video walks you through the configuration of wired 802.1X using PEAP on Cisco ISE. We will look at how to configure authentication and authorization policies to support both user and machine authentication, how to restrict network access with a DACL, and how to use Machine Access Restriction (MAR) to correlate user and machine sessions so that a user can access the network only from a domain (corporate) computer. We will perform testing from both domain and non-domain computers and observe the authentication results.

Topic:
  • User and Machine Authentication with PEAP
  • Policy Element Condition
    • Authorization (Compound Condition)
  • Policy Element Result
    • Authentication (Allowed Protocol)
    • Authorization (Downloadable ACL)
    • Authorization (Authorization Profile)
  • Authentication Policy
  • Authorization Policy
Note:
  • PEAP is password-based authentication using MSCHAPv2.
  • With PEAP, although a client certificate is not required, the server root certificate needs to be trusted or certificate validation needs to be exempted on the client supplicant.
  • Machine authentication only happens at Windows login.
  • An account log-off or machine reboot may be required to force machine authentication.

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

12 comments

Hi

Why this problem when applying 802.1x in the Cisco ISE... Authentication failed: 12321 PEAP failed SSL/TLS handshake because the client rejected.

Please help me.

Thanks

Please make sure either the 802.1x network setting on the client has the root CA cert installed and trusted, or disable cert validation.

I tried this config on ISE 1.2. Machine Auth works but User Auth does not work. Does it have to do with MAR being enabled or something else? My config was ditto to what you have demonstrated. The log shows only machine authentication; however, everything works fine as allowed in the Machine DACL.
Please help.

It sounds like you do not have user authentication enabled. Please double-check your Windows client and make sure you enable both machine and user authentication. By default, machine and user authentication are two independent processes. MAR has nothing to do with the two processes; it merely provides correlation of the two and allows you to use the 'wasmachineauthenticated' condition.

Spot on. Yes, the issue was the client machine not being configured for single sign-on for machine as well as user auth. It is now resolved.
Many thanks for your help and assistance, and keep up the good work. God bless.

Hi
I configured machine authentication with PEAP.
I also configured cache for machine authentication.
But it is very difficult to manage many users, as all users don't connect at the same time (first connection).
How could I recognize in the log that the cache has expired and ISE requires machine authentication?
Is there any log or special message to recognise that machine authentication is required first?

I don't think there is really a way to check the current machine auth status of a user. If a user fails authentication because his/her machine did not pass machine auth first, you will see that in the authentication log detail, saying something like machine was not previously authenticated.

Can we make an autonomous AP work with ISE, without any CoA, just for EAP-TLS based authentication?

You should be able to; after all, ISE is just a RADIUS server.

I'm following this guide, but there is no way on earth my machines are able to communicate.
I'm running the same steps on ISE 1.3 and the Cisco is a 260S running code 15.2.

I've noticed that the command
radius-server vsa send authentication | accounting is not being applied on my switch. Is this critical?

I'm wondering if the steps are different for ISE 1.3.

It turns out that those commands "radius-server vsa send authentication | accounting" are important because that is how ISE sends its downloadable ACL to the port.
I wasn't able to set this command due to a possible bug in the switch IOS version 15.2.2a.E1, but I did downgrade to the recommended IOS download 15.0.2.SE6 and it's working now.

There are certainly major changes between 15.0 and 15.2. If you upgrade to 15.2, you will notice that those 'radius-server vsa send' commands disappear from the config. Either this is a bug like you said or it has become a default config. FYI, anything beyond 15.2 should adopt the new mode called 'eEdge' with the command syntax of access-session instead of authentication, as 802.1x is known to break on the old authentication syntax.
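For readers following the exchange above, this is an added switch-side configuration example (not from the video or the commenters) showing where the 'radius-server vsa send' lines fit in a minimal IOS 15.0-style wired 802.1X setup that accepts a downloadable ACL from ISE. The ISE address 192.0.2.10, the shared secret, the VLAN and the interface are placeholders.

```cisco
! Enable AAA and point dot1x authentication, network authorization
! (needed for the dACL to be applied) and accounting at the RADIUS group
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! ISE PSN as RADIUS server (placeholder address and shared secret)
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key ISE-SHARED-SECRET
!
! Send Cisco vendor-specific attributes in Access-Request and Accounting;
! without these the downloadable ACL returned by ISE is not applied to the port
radius-server vsa send authentication
radius-server vsa send accounting
!
! Globally enable 802.1X; device tracking lets the switch learn the client IP
! so the dACL can be rewritten with the endpoint's source address
dot1x system-auth-control
ip device tracking
!
interface GigabitEthernet1/0/1
 description Wired 802.1X client port (placeholder)
 switchport mode access
 switchport access vlan 10
 authentication host-mode single-host
 authentication port-control auto
 dot1x pae authenticator
```

After a successful authentication, 'show authentication sessions interface GigabitEthernet1/0/1' lists the session, and the dACL name returned by ISE appears in the session details when the VSA lines are in place.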