View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

SEC0185 - ISE 1.3 Wired 802.1X with EAP-TLS and PEAP (Part 1)

Rating: 
5
Average: 5 (1 vote)
Difficulty Level: 
0
Lab Document: 
<Please login to see the content>
The video walks you through configuration of wired 802.1X using EAP-TLS and PEAP on Cisco ISE 1.3. By leveraging AD integration from the previous video, we will configure authentication and authorization policies to support both user and machine authentications and enforce Machine Access Restriction (MAR). Here we assume user and machine certificate are already installed. We will perform testing on both domain, and non-domain computers and observe authentication results.
 
Part 1 of this video focuses on ISE authentication and authorization policies configuration.
 
Topic:
  • Network Device and Group
  • Policy Set
  • Certificate Profile (Common Name)
  • Identity Source Sequence 
  • User and Machine Authentication with EAP-TLS and PEAP
  • Policy Element Result
    • Authorization (Downloadable ACL)
    • Authorization (Authorization Profile)
  • Authentication Policy
  • Authorization Policy
Relevant Videos:

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

35 comments

Hello, From what i have learnt so far, i do not need to request for certificate services from the CA server as the Cisco ISE Server acts as a proxy.

Performing my lab test with the MAB and 802.1X with the basic authentication and authorization defined by ISE.

But for 802.1X i encountered authentication failure and one of the reasons given was
(1) that i didnt accept the certificate protocol handshake failed.
Do i need to request for certificate from the client PC using SCEP or deploy it using group policy for any computer that wants to join the network.)

What should i do? Because i didnt get the option to accept the certificate.

First of all, ISE being SCEP proxy you mentioned only applies to BYOD onboarding use case. In a regular corporate environment, all domain computers should obtain their client certificates from your enterprise CA along with proper 802.1x profile via GPO.  Within the 802.1x profile is a setting to have client trust the root CA cert that signed ISE identity cert. Without having this trust pre-configued in the 802.1x profile, client may or may not be prompted to trust ISE cert hence leading to fail TLS handshake.

Thank you so much for all these vital tips. It worked.

Hi Metha,
Thank you for your videos. Your a great help to all us admin. Please keep up the good work :)

I am facing an issue with the client provisioning resource download.

It fails when i try to download resources from Cisco site with the below error.

Connection to the remote site has failed. Verify that the remote site is available and/or related ISE administration settings are correct.
my DNS can resolve www.cisco.com. Internet is working. I can ping and trace the website.

Can you please help.

thanks

Just to confirm, you are running ISE 1.3, you can ping cisco.com from ISE CLI, and you are trying to perform manual download from Cisco under the Resources page, correct? Do you see a connection going out successfully on your internet firewall? Are you using any internet proxy that need to be explicitly configured?

Yes im running ISE 1.3.
yes i can ping and im trying to download resources using the Policy>policy elements>Client Provisioning >resources> download from cisco

When i run the above i don't see the connection on the internet firewall. I dont think its leaving the ISE server :(
Internet is just NAT. no proxy. I have a static NAT configured for the ISE server.

Strange. Used to run into failed automatic update but not manual. Have to tried to restart the server. Worst case try a fresh install, hopefully you are not too far along with the config

I restarted it and tried multiple time. changing DNS as well.

Guess ill have to do a fresh install :(

btw, do you have a video on how to setup ise ==> switches in a vitalized environment on windows?

thanks for the help :)

Hi,
It finally got through to Cisco :)

I feel so dumb. My firewall was the one blocking the connection. it was allowing icmp but dropped other connections even outbound.

Thanks for all your help Metha Cheiwanichakorn.

Please keep up your good work

Thanks for all your work on these videos, they are very good and useful. I'm having one issue that I can't solve, though, and wondered if you could point me in the right direction. Your use of WasMachineAuthenticated implies the use of MAR, which is necessary if using the native Win7 Supplicant rather than Cisco AnyConnect NAM and the EAP-Chaining feature. However, I can't get it to work:

I have a two-node Cisco ISE 1.3 running as a Virtual Machine. It is managing IEEE802.1x EAP-TLS security for wired devices on Cisco 3560s. The devices (Win7 PCs) obtain certificates for both them and their users during initial wired connection to a physically secure non-IEEE802.1x port, via GOP, using a Microsoft CA running in the same platform as the AD server (It's all virtualized, in ESXi5.5 hosts)

I have created a controlling "WIRED" policy specifying that the policy applies to switch connections with NAS-port-type=Ethernet

Authentication looks for the presence of certificates and authenticates when they are there.

Authorization, however, is behaving weirdly. The first statement, selecting machine authentication looks for: "ExternalGroups EQUALS <domain name>/Users/Domain Computers. This seems to work fine and when the machine hits this authorization, it enables a DACL "WIRED_AD_ONLY" that does what it says in its name, and then allows the machine's user to go off to the AD server and log on....no problems so far.

However, the second Authorization statement "ExternalGroups EQUALS <domain name>/Users/Domain Users AND Network Access: WasMachineAuthenticated EQUALS True" fails to catch the user logon, so the second DACL "WIRED_PERMIT_ALL" is not invoked, the port stays shut and the authorization fails (goes to "if no matches, then DenyAccess" the default last statement)

If I change the second Authorization statement to remove the "AND Network Access: WasMachineAuthenticated EQUALS True", the authorization works as expected, so it looks like the machine was not authenticated (though it was or we would not have got to this step?).

Can you suggest where I may be going wrong? Google has given me little help so far....

Please check

1. Under Certificate Profile, a correct AD scope is selected
2. Under AD Joing point, MAR is enabled with cache time that is long enough

In user authentication detail log, look for the sentence along the line of "machine was previously authenticated". If it was not, it would have say NOT previously authenticated and that would be the problem.

Thanks for sharing knowledge

I've followed this steps and I'm not quit sure if i'd make some mistake, but I'm receiving error when connecting the machine into the network.

The failure reason: 12103 Failed to negotiate EAP because EAP-FAST not allowed Allowed Protocols

Which .1x supplicant do you use? Windows native supplicatnt which is what we used in this video does not support EAP-FAST so the chances are you are using AnyConnect NAM or something else, in which case, EAP-FAST need to be allowed under Allowed Protocol if not already.

I'm using Anyconnect NAM, and I would like to use the EAP/TLS. can I force that with Anyconnect?

Yes you can by configuring your NAM profile using Profile Editor.

I've deployed the version 2.0 of ISE and trying to create a new EAP/TLS profile for 801.1X authentication and now I'm receiving "22056 Subject not found in the application identity store(s)"

Please help!!!

Regards,
AM

Please explain what you mean on EAP/TLS profile. What identity store  (local, AD, etc) you are using? Are you AD integrated? How certificate was generated? Do you use Identity Source Sequences? What type of endpoint you are deailing with (Windows, Mac, iOS)? What cert attribute you specify under cert profile to be used for user lookup?

Hello,

Identity Store: AD
AD Integrated: Yes
Certificate was generated from AD integrated PKI.
Endpoint: Windows
Identity Sequence: Yes with Certificate Based Auth and AD only selected
Certificate Attribute: CN

Everything seems proper. Make sure yur cert profile is configured to point to the AD as shown in the video. Assuming the AD user appears on the cert Common/Subject name, and ISE is integrated to the domain that contains that user, there should be no reason why the user can't be found. If you switch to PEAP, does it work?

but the authentication is falling on machines authentication process, using machine certificate for authentication.

Plese confirm that the machine is domain joined and its cert contains correct machine name. If you switch over to PEAP, do you pass both machine and user auth?

Dear Metha,

Thank you so much for your excellent videos.

I have configured eap-tls in my lab as in your video. My issue is Machine is successfully getting authenticating but the user authentication never initialized. I don't get any error messages and stops at "WIRED_AD_ONLY". I am trying windows 7 and windows 10 machines with native supplicant both having the same result.

When I use PEAP both the user and the machine get authenticated.

I would appreciate help.

Regards,
Neil

Do you have the supplicant configured for "user and computer"? Could you check if you have both user and computer certificate installed?

Dear,

Do you have the supplicant configured for "user and computer"? YES
Both user and computer certificate installed.

I tested wireless dot1x with eap-tls on the same computers and both user and computer got authenticated.

Thanks,
Neil

In that case, there whould be no reason why it wouldn't have worked on wired. At least you should see both user and computer authentication requests.

ISE 2.0 patch 4
Authentication policy = wired 802.1X with allowed protocols EAP-FAST Chaining with AD_Local

Rule 1 Authorization policy = wired 802.1X and EAP-FAST_TUNNEL and AD:ExternalGroups EQUALS /Users/Domain Computers Permission:AD_Machine
Authorization Compound Conditions (EAP-FAST_TUNNEL) = Network Access: EAPAuthentication = EAP-MSCHAPV2 and Network Access: EAPTunnel = EAP-FAST

Authorization Profile = AD_Machine
ACL = AD_Permit
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit icmp any any
permit ip any host 10.1.16.20
permit ip any host 10.1.16.25
deny ip any any

Rule 2 Authorization policy = wired 802.1X and AD:ExternalGroups EQUALS /Users/Domain Users and Network Access: WasMachineAuthenticated EQUALS
Permission:PermitAccess/SGT_Domain_User
Authorization Profile = PermitAccess

I start the Windows 7 machine and it successfully authenticates the machine with the ACL = AD_Machine Authorization Profile
I proceeded to logon and the user successfully authenticates but the Authorization Profile stays with ACL = AD_Machine
I verified aaa server radius dynamic-author client server-key matches the ISE device radius password.

Have you seen this before and how do i fix it?

Thanks

Try to add condition NetworkAccess:EapChainingResult = Computer succeed User failed to Rule1. You can also watch our ISE1.1 EapChaininh video

NetworkAccess:EapChainingResult = Computer succeed User failed worked.

Thank you

Welcome.. Glad that works. 

Having AnyConnect 4.3 RDP issues with EAP-FAST. Users have no problem with EAP-FAST with machine authorization and User authorization. The problem is when a admin user RDPs into the PC or server we have connectivity issues, and session failures and disconnection issues happen.

Have you seen this before and do you know of a Cisco fix.

Thanks

Are you doing EAP-Chaining although it shouldn't matter? What is the port .1x status after user RDP to computer, does it show the user or computer name on the session?

The Port .1x status shows user before it drops the connection.

You do push DACL upon successful user .1x? If so, is RDP allowed on the DACL. Are you doing any dynamic VLAN assignment that may cause computer IP to change?

After successful user .1x, a permit-all DACL is pushed. No VLAN assignment. I do have a final attribute for user authentication. Was the machine Authenticated "Y". Could that cause a problem when RDP?

It shouldn't as that was only part of Auth Condition. Try to remove DACL from auth profile as well as default port ACL if you have any just to see if it is ACL related issue.

Poll

Vote for the Next Video Series