SEC0185 - ISE 1.3 Wired 802.1X with EAP-TLS and PEAP (Part 1)

Hi Metha,
Thank you for your videos. Your a great help to all us admin. Please keep up the good work :)

I am facing an issue with the client provisioning resource download.

It fails when i try to download resources from Cisco site with the below error.

Connection to the remote site has failed. Verify that the remote site is available and/or related ISE administration settings are correct.
my DNS can resolve www.cisco.com. Internet is working. I can ping and trace the website.

Can you please help.

thanks

Thanks for all your work on these videos, they are very good and useful. I'm having one issue that I can't solve, though, and wondered if you could point me in the right direction. Your use of WasMachineAuthenticated implies the use of MAR, which is necessary if using the native Win7 Supplicant rather than Cisco AnyConnect NAM and the EAP-Chaining feature. However, I can't get it to work:

I have a two-node Cisco ISE 1.3 running as a Virtual Machine. It is managing IEEE802.1x EAP-TLS security for wired devices on Cisco 3560s. The devices (Win7 PCs) obtain certificates for both them and their users during initial wired connection to a physically secure non-IEEE802.1x port, via GOP, using a Microsoft CA running in the same platform as the AD server (It's all virtualized, in ESXi5.5 hosts)

I have created a controlling "WIRED" policy specifying that the policy applies to switch connections with NAS-port-type=Ethernet

Authentication looks for the presence of certificates and authenticates when they are there.

Authorization, however, is behaving weirdly. The first statement, selecting machine authentication looks for: "ExternalGroups EQUALS <domain name>/Users/Domain Computers. This seems to work fine and when the machine hits this authorization, it enables a DACL "WIRED_AD_ONLY" that does what it says in its name, and then allows the machine's user to go off to the AD server and log on....no problems so far.

However, the second Authorization statement "ExternalGroups EQUALS <domain name>/Users/Domain Users AND Network Access: WasMachineAuthenticated EQUALS True" fails to catch the user logon, so the second DACL "WIRED_PERMIT_ALL" is not invoked, the port stays shut and the authorization fails (goes to "if no matches, then DenyAccess" the default last statement)

If I change the second Authorization statement to remove the "AND Network Access: WasMachineAuthenticated EQUALS True", the authorization works as expected, so it looks like the machine was not authenticated (though it was or we would not have got to this step?).

Can you suggest where I may be going wrong? Google has given me little help so far....

Thanks for sharing knowledge

I've followed this steps and I'm not quit sure if i'd make some mistake, but I'm receiving error when connecting the machine into the network.

The failure reason: 12103 Failed to negotiate EAP because EAP-FAST not allowed Allowed Protocols

I've deployed the version 2.0 of ISE and trying to create a new EAP/TLS profile for 801.1X authentication and now I'm receiving "22056 Subject not found in the application identity store(s)"

Please help!!!

Regards,
AM

Dear Metha,

Thank you so much for your excellent videos.

I have configured eap-tls in my lab as in your video. My issue is Machine is successfully getting authenticating but the user authentication never initialized. I don't get any error messages and stops at "WIRED_AD_ONLY". I am trying windows 7 and windows 10 machines with native supplicant both having the same result.

When I use PEAP both the user and the machine get authenticated.

I would appreciate help.

Regards,
Neil

Dear,

Do you have the supplicant configured for "user and computer"? YES
Both user and computer certificate installed.

I tested wireless dot1x with eap-tls on the same computers and both user and computer got authenticated.

Thanks,
Neil

ISE 2.0 patch 4
Authentication policy = wired 802.1X with allowed protocols EAP-FAST Chaining with AD_Local

Rule 1 Authorization policy = wired 802.1X and EAP-FAST_TUNNEL and AD:ExternalGroups EQUALS /Users/Domain Computers Permission:AD_Machine
Authorization Compound Conditions (EAP-FAST_TUNNEL) = Network Access: EAPAuthentication = EAP-MSCHAPV2 and Network Access: EAPTunnel = EAP-FAST

Authorization Profile = AD_Machine
ACL = AD_Permit
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit icmp any any
permit ip any host 10.1.16.20
permit ip any host 10.1.16.25
deny ip any any

Rule 2 Authorization policy = wired 802.1X and AD:ExternalGroups EQUALS /Users/Domain Users and Network Access: WasMachineAuthenticated EQUALS
Permission:PermitAccess/SGT_Domain_User
Authorization Profile = PermitAccess

I start the Windows 7 machine and it successfully authenticates the machine with the ACL = AD_Machine Authorization Profile
I proceeded to logon and the user successfully authenticates but the Authorization Profile stays with ACL = AD_Machine
I verified aaa server radius dynamic-author client server-key matches the ISE device radius password.

Have you seen this before and how do i fix it?

Thanks

NetworkAccess:EapChainingResult = Computer succeed User failed worked.

Thank you

Having AnyConnect 4.3 RDP issues with EAP-FAST. Users have no problem with EAP-FAST with machine authorization and User authorization. The problem is when a admin user RDPs into the PC or server we have connectivity issues, and session failures and disconnection issues happen.

Have you seen this before and do you know of a Cisco fix.

Thanks

After successful user .1x, a permit-all DACL is pushed. No VLAN assignment. I do have a final attribute for user authentication. Was the machine Authenticated "Y". Could that cause a problem when RDP?