SEC0275 - ISE 2.2 User and Machine Authentication with EAP Chaining (Part 1)

The video demonstrates the use of EAP Chaining on Cisco ISE 2.2 and how it addresses the caveats of user and machine authentication that are inherent to the Windows native supplicant. We will step through the authentication and authorization policy configurations necessary to support EAP Chaining for both wired and wireless access. We will go through configuration in the NAM Profile Editor to create the .xml file that the NAM module uses to gain network access. The video ends with wired and wireless testing, showing how EAP Chaining appears in the authentication log on Cisco ISE.
 
Part 1 of this video covers EAP-Chaining configuration on ISE
 
Topic:
  • AnyConnect Secure Mobility 4.x (NAM Module) on Windows 10
  • NAM Profile Editor
  • User and Machine Authentication with MSCHAPv2 inside EAP-FAST
  • Policy Element Result
    • Authentication (Allowed Protocol)
    • Authorization (Downloadable ACL)
    • Authorization (Authorization Profile)
  • Policy Set
  • Authentication Policy
  • Authorization Policy

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

5 comments

Good morning Meta

We are implementing ISE 2.2 patch 10 in our company. We are running AAA and posture, but we have the following issues:

1) Several users are getting disconnected from the network while they are working, and we have seen the following output on the switch:

Interface: GigabitEthernet1/0/19
MAC Address: 48ba.4eeb.9b6c
IPv6 Address: Unknown
IPv4 Address: 10.101.71.24
User-Name: 48-BA-4E-EB-9B-6C
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: 900s (local), Remaining: 602s
Common Session ID: 0A654302000000E259DB623C
Acct Session ID: 0x00000117
Handle: 0xF7000026
Current Policy: POLICY_Gi1/0/19

Local Policies:
Idle timeout: 50400 sec
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
URL Redirect: https://ISE-1.fvl.local:8443/portal/gateway?sessionId=0A654302000000E259...
URL Redirect ACL: REDIRECT_POSTURE

Method status list:
Method State

mab Authc Success

The user stops running dot1x and starts running MAB, sending the MAC address as the username. The only way to fix it is to use the network repair option or a shut/no shut on the port. Do you have any idea whether the workaround should be on the switch, on ISE or in Windows?

2) The other situation is when a user returns the next day or after the weekend. They never shut down their machines, so posture does not run automatically and the user is kicked out until forced to run posture again. What can we do to fix this issue?

Any help will be appreciated, thanks a lot.

This does not sound right. Once a user is authenticated and becomes compliant, they should stay connected until either the user logs out or the network connection drops. Please make sure you do not have any type of timeout (e.g. session, reauthentication, or Posture Reassessment) set on either the switch or ISE. By default, the posture assessment only runs when LAN connectivity is detected, unless periodic reassessment is set.

Good morning

I think that is the issue, because people are working and get disconnected, and the computer stops running dot1x and starts running MAB. This is the standard port config on the switches:

interface GigabitEthernet1/0/19
description PC Liber
switchport access vlan 117
switchport mode access
switchport voice vlan 120
authentication event fail retry 0 action next-method
authentication event server dead action reinitialize vlan 117
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 50400
mab
dot1x pae authenticator
dot1x timeout tx-period 5
spanning-tree portfast edge

Do you know what I can check?

Try to remove "authentication periodic". Also check the Posture Reassessment config on the GUI and make sure it is disabled.

Good morning Meta

This was the final configuration for the ports that we are using right now:

interface GigabitEthernet1/0/10
description PC Jeferson FIgueroa
switchport access vlan 117
switchport mode access
switchport voice vlan 120
authentication event fail retry 0 action next-method
authentication event server dead action reinitialize vlan 117
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 15
spanning-tree portfast edge

Also, we made an addition in the authorization results of the policies:
- Reauthentication --> Check
- Timer --> 43200
- Maintain Connectivity During Reauthentication --> RADIUS-Request

I hope this configuration can help someone else.

Thanks a lot.
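As an added example (not code from the page or from anyone in the thread), the following Python script lints an IOS access-port block for the settings discussed in the thread above and flags a session that has fallen back to MAB from the "show authentication sessions interface" output posted earlier. The two port configs and the MAB session are copied from the thread; the healthy dot1x session, the finding codes and the function names are this example's own constructions.

```python
"""Lint an IOS access-port configuration and a 'show authentication sessions
interface' output for the 802.1X/MAB pitfalls discussed in the thread above.

Added example, not code from the page or its commenters.  The sample port
configs and the MAB session are copied from the thread; the dot1x session,
the finding codes and the helper names are this example's own."""
import re

# Constructed samples: the first and the final port config posted above,
# reduced to the lines that matter for authentication.
PORT_BEFORE = """\
interface GigabitEthernet1/0/19
 authentication event fail retry 0 action next-method
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity 50400
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
"""

PORT_AFTER = """\
interface GigabitEthernet1/0/10
 authentication event fail retry 0 action next-method
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 15
"""

# Constructed samples: the session that fell back to MAB (from the thread)
# and an invented healthy dot1x session for comparison.
SESSION_MAB = """\
MAC Address: 48ba.4eeb.9b6c
User-Name: 48-BA-4E-EB-9B-6C
Status: Authorized
Method status list:
Method State
mab Authc Success
"""
SESSION_DOT1X = """\
MAC Address: 48ba.4eeb.9b6c
User-Name: corp\\user01
Status: Authorized
Method status list:
Method State
dot1x Authc Success
mab Stopped
"""


def parse_port(cfg):
    """Split an 'interface ...' block into its name and stripped commands."""
    lines = [l.strip() for l in cfg.strip().splitlines() if l.strip()]
    name = lines[0].split(None, 1)[1] if lines[0].startswith("interface ") else None
    return name, lines[1:]


def lint_port(cfg):
    """Return [(code, message)] findings for one access port."""
    _, cmds = parse_port(cfg)
    get = lambda prefix: next((c for c in cmds if c.startswith(prefix)), None)
    findings = []

    order, prio = get("authentication order"), get("authentication priority")
    if order and prio and order.split()[2:] != prio.split()[2:]:
        findings.append(("order-priority-mismatch",
            "'%s' but '%s': the first method to succeed authorizes the port and "
            "dot1x must later take over (the thread's fix put dot1x first)" % (order, prio)))
    if get("authentication periodic") and get("authentication timer reauthenticate server"):
        findings.append(("periodic-server-timer",
            "periodic reauthentication takes its timer from RADIUS: the ISE "
            "authorization profile must send Session-Timeout (27) and "
            "Termination-Action (29) = RADIUS-Request (the thread's final fix: "
            "Reauthentication 43200 s, Maintain Connectivity = RADIUS-Request); "
            "otherwise remove 'authentication periodic'"))
    inact = get("authentication timer inactivity")
    if inact:
        findings.append(("inactivity-timer",
            "idle sessions are cleared after %s s; drop this unless intended"
            % inact.split()[-1]))
    tx = get("dot1x timeout tx-period")
    if tx and int(tx.split()[-1]) < 10:
        findings.append(("short-tx-period",
            "tx-period %s s gives a slow supplicant little time to answer "
            "EAP-Request/Identity before the switch moves on" % tx.split()[-1]))
    return findings


def fell_back_to_mab(session):
    """True when a session block shows a MAB-only session whose User-Name is
    just the client MAC address, the symptom described in the thread."""
    fields = dict(re.findall(r"^([A-Za-z -]+):\s*(\S.*)$", session, re.M))
    hexonly = lambda s: re.sub(r"[^0-9a-f]", "", s.lower())
    mac, user = hexonly(fields.get("MAC Address", "")), hexonly(fields.get("User-Name", ""))
    methods = dict(re.findall(r"^(dot1x|mab)\s+(.+)$", session, re.M))
    return (mac != "" and mac == user
            and methods.get("mab", "").startswith("Authc Success")
            and "dot1x" not in methods)


if __name__ == "__main__":
    for label, cfg in (("before", PORT_BEFORE), ("after", PORT_AFTER)):
        print("== %s (%s)" % (label, parse_port(cfg)[0]))
        for code, msg in lint_port(cfg):
            print("  [%s] %s" % (code, msg))
    print("MAB fallback:", fell_back_to_mab(SESSION_MAB), fell_back_to_mab(SESSION_DOT1X))
```

Run against the two configs from the thread, the first port yields all four findings and the final port only the reminder that the server-supplied reauthentication timer has to actually be sent by the ISE authorization profile, which is exactly what the last comment added. The MAB-fallback check is the same symptom the first comment spotted by eye: "User-Name" equal to the MAC and no dot1x method in the list.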