SEC0045 - ISE 1.1 Wired 802.1X and Machine Authentication with EAP-TLS


The video walks you through the configuration of wired 802.1X using EAP-TLS on Cisco ISE. We will look at how to configure authentication and authorization policies to support both user and machine authentication, how to restrict network access with a downloadable ACL (DACL), and how to use Machine Access Restriction (MAR) to correlate user and machine sessions so that a user can access the network only from a domain (corporate) computer. We will perform testing from both domain and non-domain computers and observe the authentication results.

Topic:
  • Certificate Profile (Common Name)
  • Identity Source Sequence 
  • User and Machine Authentication with EAP-TLS
  • Policy Element Condition
    • Authorization (Compound Condition)
  • Policy Element Result
    • Authentication (Allowed Protocol)
    • Authorization (Downloadable ACL)
    • Authorization (Authorization Profile)
  • Authentication Policy
  • Authorization Policy
Note:
  • EAP-TLS is a certificate-based authentication method; no password is sent, so the client certificate and its private key are the credential.
  • With EAP-TLS a client certificate is required, and the root CA that signed the ISE server certificate must be trusted by the client, or server certificate validation must be disabled on the client supplicant. Disabling validation lets the supplicant complete the handshake with any RADIUS server, so treat it as a lab-only shortcut.
  • User and machine certificates should be issued with non-exportable private keys; otherwise the certificate can be copied to an unmanaged device and the control is circumvented.
  • Machine authentication only happens while the computer sits at the Windows logon screen with no user logged on (at boot or after log-off).
  • A user log-off or machine reboot may therefore be required to force machine authentication.

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

67 comments

May I know how to activate the EAP-TLS protocol?
I enabled IEEE 802.1X authentication and use EAP (PEAP),
but after restarting the client machine, at the login page I see the log messages always show DenyAccess.
I selected the "Validate server certificate" box; do I need to select the "Connect to these servers" box as well?
If I select the "Connect to these servers" box, is the address I enter the CA server or the ISE server?
Thanks~

On the Windows client, you need to choose "Smartcard or other certificate", and unless you already have the root CA certificate installed and trusted, you need to make sure "Validate server certificate" is unchecked. You also need to make sure the client certificate has already been installed.


If you find our website helpful, please help support us by sharing our links, recommend website to friends, like our Facebook, Subscribe our YouTube channel, follow us on Twitter

good video. cheers.

Hope you enjoy our videos.




In your example, you used users "employee1" and "admin1".

However, the authorization breaks when you use both first and last names, e.g. "John Doe". The cert CN would be "CN = John Doe" in this case. Apparently AD is not able to identify "John Doe" as a member of Domain Users.

Can you try this out?

On ISE, if you configure the Certificate Profile to use the CN as the username, ISE will look for "John Doe" in AD as a username, not as a first and last name, and unless you have a username "John Doe", authorization will fail since AD will not be able to find that user. Any reason why you use First/Lastname for the CN and not the username?



I have Windows Server 2008 CA user and computer certificate auto-enrollment set up in a similar fashion.

If you look closely at the user template, the Subject name format is "Fully distinguished name". You could also opt to use "Common Name". Both will result in CN = First/Lastname.

I looked into this and I think I know what you mean now. It seems that by default the CA server uses the user's full name (Firstname Lastname) as the CN, and when ISE tries to authorize with AD, AD cannot find the user. What you need is to make sure the CN corresponds to the username, and a quick fix, as far as I can see, would be renaming the user's full name in AD to the username. I am not sure if there is a better way of doing this in AD, especially if you have to deal with a large number of users. If you find anything, feel free to share.



I may have a fix for this, since I also found this problem.

As per earlier LabMinutes videos, ensure the user certificate being auto-enrolled has the following Subject Name settings:
  • FQDN
  • Include e-mail name in subject name
  • Include: Email name, UPN, SPN

On the AD user ensure the e-mail field is populated on the General Tab.

On ISE do the following.

External Identity Sources - Certificate Authentication Profile - Add

Name: LAB_CERT_Sub_Alt_Name
Principal Username X509 Attribute: Subject Alternative Name

Now click Active Directory - Attributes.
I added the following, but I suspect only the first one is required:

userPrincipalName
sAMAccountName
cn

Tie the LAB_CERT_Sub_Alt_Name to an identity source sequence, which is subsequently used in your authentication policies.

When the wireless device submits the username and certificate, ISE will present the "Username" as user@lab.domain.tld, from the certificate, which AD is able to match.

Hope this helps.

Update on my post above.

I noticed this actually broke machine authentication, since AD can't match machine@domain.tld.

The solution to this is to have a separate Cert Auth Profile which checks on X509 Common Name.

Reference this in a separate Ident Source Sequence.

Now duplicate the authentication compound condition Wireless_802.1X and name it Wireless_802.1X_Device. Add the following attribute/value pair:
Radius:User-Name Starts with host

Duplicate the authentication policy LAB-WLAN-DOT1X above, rename it LAB-WLAN-DOT1X-DEVICE, and reference the condition and identity source sequence created above.

I have a work-around for this issue. In the ISE Certificate Authentication Profile, for Principal Username X509 Attribute choose: Subject Alternative Name.

If you choose the Common Name, the ISE log shows that the common name cannot be found in AD.

I've figured out an alternative to check for WasMachineAuthenticated and still use certificates.

For corporate devices (using GPO), modify authentication to use a PEAP tunnel (PEAP outer, EAP-TLS inner). For BYOD corporate users, simply use EAP-TLS.

This way we can identify the authentication flow.

So my authz policies look like this:

LAB-WIRED-MACHINE # PEAP Tunnel (see below)
LAB-WIRED-BLACKLIST
LAB-WIRED-USER # corporate user, PEAP Tunnel (see below)
...
LAB-WIRED-BYOD # corporate user with personal device, uses EAP-TLS (see below).

The authz compound condition for LAB-WIRED-MACHINE is this:

Radius:Service-Type EQUALS Framed AND
Radius:NAS-Port-Type EQUALS Ethernet AND
AD1:ExternalGroups EQUALS lab2.domain.co.uk/Users/Domain Computers AND
Network Access:EapTunnel EQUALS PEAP AND
Network Access:EapAuthentication EQUALS EAP-TLS

The authz compound condition for LAB-WIRED-USER is this:

Radius:Service-Type EQUALS Framed AND
Radius:NAS-Port-Type EQUALS Ethernet AND
AD1:ExternalGroups EQUALS lab2.domain.co.uk/Users/Domain Users AND
Network Access:WasMachineAuthenticated EQUALS True AND
Network Access:EapTunnel EQUALS PEAP AND
Network Access:EapAuthentication EQUALS EAP-TLS

The authz compound condition for LAB-WIRED-BYOD is this:

AD1:ExternalGroups EQUALS lab2.domain.co.uk/LAB2/BYOD Users AND
DEVICE:Device Type EQUALS All Device Types#Switch AND
Network Access:EapAuthentication EQUALS EAP-TLS

On corporate machines, logging shows the prior machine authentication using PEAP(EAP-TLS):

Authentication Protocol : PEAP(EAP-TLS)
...
24422 ISE has confirmed previous successful machine authentication for user in Active Directory

And on BYOD machines, logging shows it falls through to LAB-WIRED-BYOD, which can be given a different DACL or other result:

Authorization Policy Matched Rule: LAB-WIRED-BYOD
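The username-mapping problem discussed in the comments above (a CN of "John Doe" versus the AD account name, the Subject Alternative Name work-around, and the host/ prefix on machine names) and the WasMachineAuthenticated conditions in the last comment can be modelled in a few lines. The following is an added example, not ISE code and not the lab's configuration: a simplified Python model of the certificate authentication profile's principal-name selection, the AD lookup, and a MAR cache that gates the user rule on a prior machine authentication from the same endpoint. The AD records, MAC addresses and rule names are constructed, the preference for the UPN SAN is an assumption, and the MAR aging time is an assumed value (ISE's is configurable). It also illustrates the note above about exported certificates: a user certificate presented from a MAC that never machine-authenticated falls through to the default rule.

```python
"""Model of ISE certificate-profile username mapping, AD lookup and
Machine Access Restriction (MAR) for the wired EAP-TLS flow discussed above.

Added example; a simplified model, not ISE code and not the lab's policy.
The AD records, MAC addresses and rule names are constructed, and the MAR
aging time is an assumed value (ISE's is configurable).
"""
import time
from dataclasses import dataclass
from typing import Dict, Optional

MAR_AGING_SECONDS = 6 * 3600   # assumption, see the lead-in above


@dataclass(frozen=True)
class Cert:
    cn: str                        # subject Common Name
    san_upn: Optional[str] = None  # SAN "Other Name: Principal Name" (user certs)
    san_dns: Optional[str] = None  # SAN DNS name (machine certs)


# Constructed AD: users keyed by sAMAccountName, computers by "<host>$".
AD: Dict[str, dict] = {
    "employee1": {"display": "employee1", "upn": "employee1@lab.local",
                  "groups": {"Domain Users"}},
    "jdoe":      {"display": "John Doe", "upn": "jdoe@lab.local",
                  "groups": {"Domain Users"}},
    "isepc$":    {"display": "ISEPC", "dns": "isepc.lab.local",
                  "groups": {"Domain Computers"}},
}


def principal_username(cert: Cert, x509_attribute: str) -> Optional[str]:
    """The 'username' ISE derives from the certificate, as selected by the
    certificate authentication profile's Principal Username X509 Attribute."""
    if x509_attribute == "Common Name":
        return cert.cn
    if x509_attribute == "Subject Alternative Name":
        # Assumption: the UPN SAN is preferred when a cert carries several SANs.
        return cert.san_upn or cert.san_dns
    raise ValueError(f"unsupported attribute {x509_attribute!r}")


def ad_lookup(username: Optional[str]) -> Optional[dict]:
    """Resolve a principal name against AD by sAMAccountName, UPN or, for
    machines, the host FQDN (with any 'host/' prefix removed)."""
    if not username:
        return None
    name = username.lower()
    if name.startswith("host/"):
        name = name[len("host/"):]
    for sam, rec in AD.items():
        candidates = {sam, (rec.get("upn") or "").lower(), (rec.get("dns") or "").lower()}
        if name in candidates:
            return rec
    return None   # e.g. CN "John Doe": no account has that sAMAccountName or UPN


class WiredDot1xPolicy:
    """Ordered authorization rules from the thread above plus a MAR cache."""

    def __init__(self, x509_attribute: str) -> None:
        self.x509_attribute = x509_attribute
        self.mar_cache: Dict[str, float] = {}   # endpoint MAC -> machine-auth time

    def was_machine_authenticated(self, mac: str, now: float) -> bool:
        seen = self.mar_cache.get(mac)
        return seen is not None and now - seen <= MAR_AGING_SECONDS

    def authorize(self, mac: str, cert: Cert, now: Optional[float] = None) -> str:
        """Return the name of the first authorization rule that matches."""
        now = time.time() if now is None else now
        account = ad_lookup(principal_username(cert, self.x509_attribute))
        groups = account["groups"] if account else set()
        if "Domain Computers" in groups:            # LAB-WIRED-MACHINE
            self.mar_cache[mac] = now               # seeds MAR for this endpoint
            return "LAB-WIRED-MACHINE"
        if "Domain Users" in groups and self.was_machine_authenticated(mac, now):
            return "LAB-WIRED-USER"                 # WasMachineAuthenticated = True
        return "Default"                            # DenyAccess


if __name__ == "__main__":
    corp_pc = "00:0c:29:d3:9f:cc"
    user_cert = Cert(cn="John Doe", san_upn="jdoe@lab.local")
    machine_cert = Cert(cn="isepc.lab.local", san_dns="isepc.lab.local")
    policy = WiredDot1xPolicy("Subject Alternative Name")
    print(policy.authorize(corp_pc, machine_cert, 1000.0))   # machine rule, seeds MAR
    print(policy.authorize(corp_pc, user_cert, 1010.0))      # user rule via MAR
    # Same user cert exported to a personal laptop: no machine auth on that MAC
    print(policy.authorize("aa:bb:cc:dd:ee:ff", user_cert, 1010.0))
```

With the profile set to Common Name the user certificate maps to "John Doe", which no AD account answers to, so the group condition fails and the request lands on the default rule; with Subject Alternative Name it maps to jdoe@lab.local and succeeds, but only after a machine authentication from the same MAC within the aging window.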

Hi,

I have watched all of your ISE videos and they are really useful. I completed Wired 802.1X and Machine Authentication with PEAP and it was successful. I then followed the steps in your video Wired 802.1X and Machine Authentication with EAP-TLS, but I failed:

  • The testing PC has joined the domain and dot1x has been enabled as in your previous lab.
  • The testing PC already has the root CA certificate installed and got the computer certificate and user certificate from the root CA.
  • I have added the Certificate Authentication Profile on ISE and changed the sequence to Cert-AD-local.
  • The authorization compound condition matches the domain account, coming from a switch, with EAP authentication = TLS.

From the monitor section, I got the message for the machine authentication showing the RADIUS Status:
Authentication failed : 15039 Rejected per authorization profile, ISE chooses the default authorization policy and denies it.

In the detail step, it shows
…..
12816 TLS handshake succeeded
12509 EAP-TLS full handshake finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
…..
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - AD-ISE // I have already added the Certificate Authentication Profile and changed the sequence, but I don't know why it still uses AD as the DB
24431 Authenticating machine against Active Directory
24470 Machine authentication against Active Directory is successful
22037 Authentication Passed
……
12306 PEAP authentication succeeded
11503 Prepared EAP-Success
Evaluating Authorization Policy
15004 Matched rule
15016 Selected Authorization Profile - DenyAccess
15039 Rejected per authorization profile
11003 Returned RADIUS Access-Reject

It shows the host matches the default rule instead of my customized rule.
When I changed the compound condition to use PEAP, it succeeded.

The ISE version is 1.1.4. Could you help identify where the problem may come from?

Thanks a lot for your help!

Eric

Looks like your client is coming in as PEAP. Could you double check and make sure the client network profile has EAP-TLS (i.e. Smartcard or other certificate) chosen instead of PEAP?

Hi, I have the same problem. My supplicant is AnyConnect with the 802.1X configuration, certificate and EAP-TLS.

I ran the same test and have the same problem as above:

Logged At: January 9,2014 2:55:18.268 PM
RADIUS Status: Authentication failed : 15039 Rejected per authorization profile
NAS Failure:
Username: maiquel mc. consalter
MAC/IP Address: 00:0C:29:D3:9F:CC
Network Device: SW1 : 192.168.2.247 : FastEthernet0/12
Allowed Protocol: LM-PEAP-TLS
Identity Store:
Authorization Profiles: DenyAccess
SGA Security Group:
Authentication Protocol: EAP-TLS

Logged At: January 9,2014 2:55:18.268 PM
Occurred At: January 9,2014 2:55:18.267 PM
Server: ise-1
Authentication Method: dot1x
EAP Authentication Method: EAP-TLS
EAP Tunnel Method:
Username: maiquel mc. consalter
RADIUS Username: maiquel@sise.local
Calling Station ID: 00:0C:29:D3:9F:CC
Framed IP Address:
Use Case:
Network Device: SW1
Network Device Groups: Device Type#All Device Types#Switch,Location#All Locations
NAS IP Address: 192.168.2.247
NAS Identifier:
NAS Port: 50012
NAS Port ID: FastEthernet0/12
NAS Port Type: Ethernet
Allowed Protocol: LM-PEAP-TLS
Service Type: Framed
Identity Store:
Authorization Profiles: DenyAccess
Active Directory Domain:
Identity Group:
Allowed Protocol Selection Matched Rule: LM-WIRED-DOT1X-CERT
Identity Policy Matched Rule: Default
Selected Identity Stores:
Authorization Policy Matched Rule: Default
SGA Security Group:
AAA Session ID: ise-1/178648593/324
Audit Session ID: C0A802F70000004D0402C37E
Tunnel Details:
Cisco-AVPairs: audit-session-id=C0A802F70000004D0402C37E
Other Attributes: ConfigVersionId=13,Device Port=1645,DestinationPort=1645,RadiusPacketType=AccessRequest,Protocol=Radius,Framed-MTU=1500,State=37CPMSessionID=C0A802F70000004D0402C37E;29SessionID=ise-1/178648593/324;,EAP-Key-Name=,CPMSessionID=C0A802F70000004D0402C37E,EndPointMACAddress=00-0C-29-D3-9F-CC,Device Type=Device Type#All Device Types#Switch,Location=Location#All Locations,Device IP Address=192.168.2.247,Called-Station-ID=00:1A:2F:FA:E6:0E

Thanks for your time.


Could you explain what you have for the authorization conditions? It seems the request came in as EAP-TLS already, so that is good. Double check that what you have for the certificate CN is the same as the AD username; otherwise ISE will fail the AD group lookup (if you use External Groups as one of the conditions). You can remove one condition at a time until you get a success to troubleshoot which condition gives you trouble.

Hi,
I would like to know if the machine credential cache is shared from the primary to the secondary ISE.

If I configure the primary ISE to cache machine credentials and then the primary ISE goes down, normally the user is authenticated on the secondary ISE. Will the user need to restart his computer, or log off and log in to Windows again, in order to perform machine authentication, or will the secondary ISE already have the machine credential cached from the primary ISE?

As of version 1.2, the machine credential cache is not shared between PSNs. If the primary fails or resets, users will need to go through machine authentication again.

To do machine authentication with EAP-TLS you need two things:
1) Your Certificate Profile should have Binary Certificate Comparison checked.
2) For Binary Certificate Comparison to work you need to have your certificate published to AD. To do this, duplicate the computer certificate template and select "Publish certificate in Active Directory".

What ISE (or ACS) does is compare the thumbprint (SHA-1 hash) of your certificate to the thumbprint published to AD for the binary certificate comparison. Without this the machine auth request is treated as a user auth request and so is not added to the MAR cache.

I have two certificates for the user in my environment. When I log in, Windows shows a popup to choose the certificate and I need to pick the user certificate for ISE. How can I do this automatically? The other user certificate is for Microsoft Lync.

I researched a lot and what I understood is that if you have a list of certificates with EKU = Client Authentication, then Windows shows a drop-down list to choose from... a big issue for the end user...

Only Windows 8 has an EKU filter that helps automatically choose the better certificate.

I think the best way is to go to NAM.

Under Control Panel, there is Credential Manager where you can select a client certificate. Wonder if that would solve this issue.

Great tip, I think this solves the issue; I will try it and tell you. But in production, where we can have many users, it would be difficult to manage. Do you know if it is configurable via GPO?

Thank you for the videos, which are of great help to learn. Congratulations!

Like you said, even if this works, mass production deployment will need to be taken into consideration. I am not sure if there is an option in GPO for this; this might need to be taken up with Microsoft support. Definitely please share your result on this so we know if it works. Thank you for bringing this up; I am sure there are other people who have the same question.

My EAP-TLS test is in a virtual machine, which is a domain computer.
Something strange is happening: when I reboot the machine and log in with my user and password, my machine authenticates in ISE, but only against the WiredUser authorization with the PERMIT-ALL permission. When I log off the user, the authentication does not work; only when I reboot the machine. Another thing is that the authorization that comes before WiredUser, which is MachineUser, does not appear.

My authorization:

MACHINE -> Framed/Ethernet/Domain Computers/EAP-TLS -> LOGIN-AD-AUTH -> does not appear in the log or in "show authentication sessions interface"
User -> Framed/Ethernet/Domain Users/EAP-TLS -> appears and works when I reboot the machine.

My profile in the Wired supplicant (Win7) has user or computer authentication.

Guys, I read the file below about the Workstation template, and after setting it up it worked.

http://www.cisco.com/c/dam/en/us/td/docs/solutions/SBA/August2012/Cisco_...

Thanks.

EAP-TLS WasMachineAuthenticated does not work. When we made a compound condition for user authentication just like with PEAP (WasMachineAuthenticated), it used to work, but with EAP-TLS it does not.
Did anyone find a solution to it? Please share.

Thanks.

What version of ISE are you running? Have you tried all of the possible solutions mentioned above, especially having "Binary Certificate Comparison" checked?

Thanks for your reply.
I am running ISE version 1.2, and the machine does get authenticated by certificate, but let me tell you the flow.

1. When the machine boots up, it is authenticated by EAP-TLS, so at this point the machine has the machine ACL pushed.
2. When the user logs in to the machine with (WasMachineAuthenticated = true), the user is not able to get authenticated (authentication fails) and does not get the USER ACL. However, if I remove this attribute (WasMachineAuthenticated = true), then I am able to log in and get user-level privileges.

In the video itself the instructor says it does not work, and asks that if anyone has a solution, please share.
That is why I am wondering if someone has any solution.

Completely understand your issue, which is the same issue mentioned in the video. Have you tried checking "Binary Certificate Comparison" under the Certificate Profile as suggested in the comment posted above?

Yes, I tried "Binary Certificate Comparison" checked, but with this the machine authentication fails. However, user authentication is successful (without WasMachineAuthenticated).
I am wondering where ISE is looking for the machine certificate for the binary comparison. I have checked the serial number of the machine-issued certificate on the client machine and in the CA's Issued Certificates store as well, but somehow this machine authentication fails if "Binary Certificate Comparison" is checked.

Is your CA standalone or enterprise?

Thanks a lot! It really helped me.

It's an enterprise CA. I installed it with AD, so AD and the CA are on the same machine.

If that does not work, another workaround is to use PEAP with EAP-TLS as the inner method, which has also been suggested by someone else above.

I have been trying to get this working for a few days; I am trying to use wired 802.1X authentication with dynamic VLAN assignment. After the machine boots and the user logs in, I get an IP in the VLAN specified and I have connectivity for about 30 seconds, then it drops.

These are the results on ISE:

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Radius.Service-Type
15048 Queried PIP - Radius.NAS-Port-Type
15004 Matched rule - My-Test
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12502 Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12809 Prepared TLS CertificateRequest message
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12571 ISE will continue to CRL verification if it is configured for specific CA - certificate for Test-Machine
12571 ISE will continue to CRL verification if it is configured for specific CA - certificate for Company Issuing CA
12571 ISE will continue to CRL verification if it is configured for specific CA - certificate for Company Policy CA
12571 ISE will continue to CRL verification if it is configured for specific CA - certificate for Company Root CA
12811 Extracted TLS Certificate message containing client certificate
12812 Extracted TLS ClientKeyExchange message
12813 Extracted TLS CertificateVerify message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12509 EAP-TLS full handshake finished successfully
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
15041 Evaluating Identity Policy
15006 Matched Default Rule
22072 Selected identity source sequence - Company_Cert_AD
22070 Identity name is taken from certificate attribute
22037 Authentication Passed
12506 EAP-TLS authentication succeeded
15036 Evaluating Authorization Policy
15048 Queried PIP - Radius.Service-Type
15048 Queried PIP - Radius.NAS-Port-Type
15048 Queried PIP - CERTIFICATE.Issuer - Organization
15004 Matched rule - Test-LAN-Prod-Resources_Machine
15016 Selected Authorization Profile - LAN-Assign-VLAN30,PermitAccess
15016 Selected Authorization Profile - LAN-Assign-VLAN30,PermitAccess
11503 Prepared EAP-Success
11002 Returned RADIUS Access-Accept

When the connection drops, what was the state of the switchport? Did the port remain authorized or change to something else? If you debug RADIUS, did the switch receive anything from ISE before it dropped the connection?

When the connection drops, the switch port goes back to its default VLAN (VLAN 27).
A dot1x debug on the switch shows authorization and handshake timeouts, followed by unauthorization and unassigning the VLAN:

*Feb 13 09:55:10:338 2015 SWITCH 8021X/7/EVENT: Auth:694,Msg: timeout
*Feb 13 09:55:10:339 2015 SWITCH 8021X/7/EVENT: Port:Ethernet1/0/8,Auth:694,Received Msg:519, Current state:9
*Feb 13 09:55:10:340 2015 SWITCH 8021X/7/EVENT: Auth:694,DOT1X Auth WorkTrans handshake timeout

*Feb 13 09:55:10:340 2015 SWITCH 8021X/7/EVENT: Port:Ethernet1/0/8,Auth:694,Processing node Unauthor action...
*Feb 13 09:55:10:548 2015 SWITCH 8021X/7/EVENT: Auth:694,Sending EAPoL-Failure...
*Feb 13 09:55:10:549 2015 SWITCH 8021X/7/PACKET: Port:Ethernet1/0/8,Transmitted a packet.
---Verbose information of the packet---
Destination Mac Address: a01d-48b6-9999
Source Mac Address: b7cd-67ac-e4b7
Mac Frame Type: 888e.
Protocol Version ID: 1.
Packet Type: 0.
Packet Length: 4.
-----Packet Body-----
Code: 4.
Identifier: 16.
Length: 4.
*Feb 13 09:55:10:549 2015 SWITCH 8021X/7/EVENT: Port:Ethernet1/0/8,Auth:694,
Received a Vlan authorizaion notification:MAC=a01d-48b6-9999, CMD=2, ResultCode=0
*Feb 13 09:55:10:550 2015 SWITCH 8021X/7/EVENT: Port:Ethernet1/0/8,Auth:694,Received Msg:23, Current state:11
*Feb 13 09:55:10:550 2015 SWITCH 8021X/7/EVENT: Port:Ethernet1/0/8,Auth:694, Processing node unauthor trans, the Msgtype is 23.

*Feb 13 09:55:10:551 2015 SWITCH 8021X/7/EVENT: Port:Ethernet1/0/8,Auth:694,DOT1X Auth UnauthorTrans recv SC_MSG_AUTHOR_UNASGNVLANFROMPORT_RESP: ulParam2=0
*Feb 13 09:55:10:552 2015 SWITCH 8021X/7/EVENT: Port:Ethernet1/0/8,Auth:694,Processing node Unauthor action...
*Feb 13 09:55:10:552 2015 SWITCH 8021X/7/EVENT: Port:Ethernet1/0/8,Auth:694,Unauthor operation finished!
*Feb 13 09:55:10:553 2015 SWITCH 8021X/7/EVENT: Auth:694,Processing node LOGOFF...
*Feb 13 09:55:10:564 2015 SWITCH 8021X/7/EVENT: Auth:694,Msg: Release request ack, ACM->1X.
*Feb 13 09:55:10:565 2015 SWITCH 8021X/7/EVENT: Port:Ethernet1/0/8,Auth:694,Received Msg:263, Current state:12
*Feb 13 09:55:10:565 2015 SWITCH 8021X/7/EVENT: Port:Ethernet1/0/8,Auth:694,
Succeed to del a binding item by ip(ip = 192.168.130.16) from IPCIM.
*Feb 13 09:55:10:566 2015 SWITCH 8021X/7/EVENT: Auth:694,Processing node RELEASE...
*Feb 13 09:55:10:581 2015 SWITCH 8021X/7/EVENT: Auth:694,Authenticatior resource is released.

Interesting: even though the machine is assigned the VLAN configured on ISE, gets an IP in that VLAN and has connectivity for that short period of time, the adapter never displays a successful authentication; it is in the "Attempting to authenticate" state, then it fails, at which point the process starts again, and it repeats every minute (because the BlockTime in the registry is set to 1 min; otherwise it would have to wait 20 min, by default, until it responds to an authentication request).

Thank you

If you just do 802.1X authentication without VLAN assignment, does the connection stabilize? You might want to double check the switch config against the video below just to make sure. Also, have you tried using a different computer?

http://www.labminutes.com/sec0038_ise_1_1_switch_wlc_recommended_config_1

Hello,

I have tried authentication without VLAN assignment as well, but it is still unsuccessful.
I am now trying to use Cisco AnyConnect as the supplicant instead of the Windows 7 native one, but I am failing at user authentication; it keeps asking me to choose a certificate from the list, as I have multiple user certificates installed.

When you say unsuccessful, what was the switchport status? Did the port remain authorized on the same VLAN? Did you have any port ACL or dACL that might have been blocking traffic? The Windows native supplicant should work just fine, and using AnyConnect NAM usually complicates things, as you now need to configure the supplicant profile separately using the profile editor. If the client possesses multiple certificates, the client will be prompted to choose a certificate to authenticate with. You need to see what the authentication log on ISE says when the user tries to authenticate and fails.

Hello, I am trying to enable EAP-TLS authentication just for machine authentication. I used the video SEC0029 - Windows 2008 CA User and Computer Certificate Auto-Enrollment and the certificate is already on the machine.
When I permit EAP-TLS in the allowed protocols and permit MSCHAPv2 under PEAP, the authentication is successful:

12304 Extracted EAP-Response containing PEAP challenge-response
15036 Evaluating Authorization Policy
24433 Looking up machine in Active Directory - host/isepc.w2kserver.local
24435 Machine Groups retrieval from Active Directory succeeded

The Authentication Protocol shows PEAP (EAP-MSCHAPv2), and the options selected in the network adapter are:
  • only machine authentication
  • Microsoft: Protected EAP (PEAP)
  • do not validate server certificate

When I change ISE to accept only EAP-TLS in the allowed protocols (not PEAP with MSCHAPv2), and I change the network adapter to use "Smart card or other certificate", I get the following error:

Event 5400 Authentication failed
Failure Reason 22047 Principal username attribute is missing in client certificate
Resolution Check which certificate attribute is configured in Certificate Authentication Profile as User Principal Name. Ensure user certificate contains this attribute
Root cause Principal username attribute is missing in client certificate
Username host/ISEPC.w2kserver.local
Endpoint Id 00:E0:4C:30:01:E6
Endpoint Profile
IP Address
Identity Store W2KSERVER

Authentication protocol: EAP-TLS

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12502 Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12809 Prepared TLS CertificateRequest message
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12571 ISE will continue to CRL verification if it is configured for specific CA
12571 ISE will continue to CRL verification if it is configured for specific CA
12811 Extracted TLS Certificate message containing client certificate
12812 Extracted TLS ClientKeyExchange message
12813 Extracted TLS CertificateVerify message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12509 EAP-TLS full handshake finished successfully
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
15041 Evaluating Identity Policy
15006 Matched Default Rule
22047 Principal username attribute is missing in client certificate
22002 Authentication complete
22057 The advanced option that is configured for a failed authentication request is used
22061 The 'Reject' advanced option is configured in case of a failed authentication request
12507 EAP-TLS authentication failed
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
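Reading listings like the two above by eye is slow; the step codes are regular enough to parse. The following is an added example, not ISE or LabMinutes code: a Python classifier that pulls the EAP method, identity source, matched authorization rule and profile, machine-authentication markers and the first failure code out of an ISE "Steps" listing. The two sample logs are constructed abbreviations of the listings quoted in this thread, and the hint text attached to the failure codes is the troubleshooting advice given in the thread, not an official Cisco mapping. It goes slightly beyond the single case above in that it also recognises the PEAP and MAR markers quoted in earlier comments.

```python
"""Classifier for ISE 'Steps' output from a RADIUS live-log detail view.

Added example, not ISE or LabMinutes code. The step codes and messages are
the ones quoted in the comments on this page; the two sample logs are
constructed abbreviations of those, and the hints are the thread's
troubleshooting advice, not an official mapping.
"""
import re
from typing import Dict, List, Optional, Tuple

STEP_RE = re.compile(r"^\s*(\d{5})\s+(.*\S)\s*$")

# Failure codes seen in this thread, with the advice the thread gives for them.
FAILURES = {
    22047: "principal username attribute missing in client certificate "
           "(check the Principal Username X509 Attribute in the certificate "
           "authentication profile and the CA template's subject-name settings)",
    15039: "rejected per authorization profile: no authorization rule matched "
           "(check cert CN vs AD username, EapAuthentication, WasMachineAuthenticated)",
    12507: "EAP-TLS authentication failed",
}


def parse_steps(text: str) -> List[Tuple[int, str]]:
    """Return (code, message) pairs; lines without a 5-digit step code are ignored."""
    out = []
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            out.append((int(m.group(1)), m.group(2)))
    return out


def after_dash(msg: str) -> str:
    """ISE appends the selected object after ' - ' (rule, profile, store name)."""
    return msg.split(" - ", 1)[1].strip() if " - " in msg else msg


def summarize(text: str) -> Dict[str, Optional[str]]:
    steps = parse_steps(text)
    codes = {c for c, _ in steps}
    s: Dict[str, Optional[str]] = {
        "eap": None, "identity_source": None, "authz_rule": None,
        "authz_profile": None, "machine_auth": None, "result": None, "failure": None,
    }
    # The TLS handshake steps (128xx) appear for EAP-TLS and for PEAP's outer
    # tunnel alike, so the PEAP challenge steps decide which protocol this was.
    if 12304 in codes or 12305 in codes:
        s["eap"] = "PEAP"
    elif 12502 in codes:
        s["eap"] = "EAP-TLS"
    phase = "service-selection"   # 15004 'Matched rule' occurs in several phases
    for code, msg in steps:
        if code == 15041:
            phase = "identity"
        elif code == 15036:
            phase = "authorization"
        elif code in (22072, 15013):
            s["identity_source"] = after_dash(msg)
        elif code == 15004 and phase == "authorization":
            s["authz_rule"] = after_dash(msg) if " - " in msg else "unnamed rule"
        elif code == 15006 and phase == "authorization":
            s["authz_rule"] = "Default"
        elif code == 15016:
            s["authz_profile"] = after_dash(msg)
        elif code == 24470:
            s["machine_auth"] = "passed"
        elif code == 24422:
            s["machine_auth"] = "previous machine auth confirmed (MAR)"
        elif code in FAILURES and s["failure"] is None:
            s["failure"] = FAILURES[code]
        elif code == 11002:
            s["result"] = "Access-Accept"
        elif code == 11003:
            s["result"] = "Access-Reject"
    return s


# Constructed sample: the 22047 EAP-TLS reject quoted above, abbreviated.
SAMPLE_REJECT = """
11001 Received RADIUS Access-Request
15004 Matched rule
11507 Extracted EAP-Response/Identity
12502 Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
12816 TLS handshake succeeded
12509 EAP-TLS full handshake finished successfully
15041 Evaluating Identity Policy
15006 Matched Default Rule
22047 Principal username attribute is missing in client certificate
12507 EAP-TLS authentication failed
11003 Returned RADIUS Access-Reject
"""

# Constructed sample: the successful machine authentication quoted earlier.
SAMPLE_ACCEPT = """
11001 Received RADIUS Access-Request
15004 Matched rule - My-Test
12502 Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
12509 EAP-TLS full handshake finished successfully
15041 Evaluating Identity Policy
15006 Matched Default Rule
22072 Selected identity source sequence - Company_Cert_AD
22037 Authentication Passed
15036 Evaluating Authorization Policy
15004 Matched rule - Test-LAN-Prod-Resources_Machine
15016 Selected Authorization Profile - LAN-Assign-VLAN30,PermitAccess
11002 Returned RADIUS Access-Accept
"""

if __name__ == "__main__":
    for name, log in (("reject", SAMPLE_REJECT), ("accept", SAMPLE_ACCEPT)):
        print(name, summarize(log))
```

Paste the Steps column from the live-log detail into a file and feed it to summarize(); the first failure code wins, because ISE's later 12507/11003 lines only restate the consequence of the earlier 22047.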

Looks like ISE is complaining about a missing principal name in the client certificate. You might want to double check that the Principal Name checkbox is checked as part of your client certificate template on the Windows 2008 CA.

I changed the Subject name format to "Fully distinguished name". By default, when I created the workstation authentication template, this field was set to None.

Thanks!

That would do it, thanks for the update.

When I choose to authenticate using "computer only" in the Windows supplicant, I can see the computer authenticating on ISE. When I select "computer or user", I get an authentication failed message on the Windows machine and only see the computer authenticating on ISE. There are no messages regarding the user account on ISE. If I select "user only", I get authentication failed. I have certificates added for the machine and the user. Can anyone advise?

Are you doing EAP-TLS? If so, can you try PEAP and see if it makes any difference? The first time you mentioned that "computer only" passes authentication, but the second time you mentioned it failed. What is the difference between the two occasions?

Yes, I'm using EAP-TLS and I have added certificates using auto-enrolment for both the user and the machine. I have successfully authenticated both machine and user using PEAP before. To clarify what happens when using EAP-TLS: when I choose to authenticate using "computer only" in the Windows supplicant, I see a successful authentication on ISE. If I choose "user only" or "computer or user", I get an authentication failed message on the PC.

It sounds like you might be having an issue with EAP-TLS user authentication. Did you get any failed authentication in the ISE log? Are you using Machine Access Restriction (i.e. WasMachineAuthenticated)? What version of ISE are you running?

Thanks for getting back to me. I have now solved the issue. The problem was with the certificate template I had created for auto-enrolment.
