SEC0044 - ISE 1.1 Wireless 802.1X and Machine Authentication with PEAP


The video walks you through the configuration of wireless 802.1X using PEAP on Cisco ISE. We will look at how to configure authentication and authorization policies to support both user and machine authentication, how to restrict network access with a DACL, and how to use Machine Access Restriction (MAR) to correlate user and machine sessions so that a user can access the network only from a domain (corporate) computer. We will perform testing from a domain computer, a non-domain computer, and an iPhone, and observe the authentication results.

Topic:
  • User and Machine Authentication with PEAP
  • Policy Element Condition
    • Authorization (Compound Condition)
  • Policy Element Result
    • Authentication (Allowed Protocol)
    • Authorization (Authorization Profile)
  • Wireless LAN Controller ACL
  • Authentication Policy
  • Authorization Policy
Note:
  • PEAP is password-based authentication, with MSCHAPv2 as the inner method.
  • With PEAP, although a client certificate is not required, the server root certificate needs to be trusted, or certificate validation needs to be exempted, on the client supplicant.
  • Machine authentication only happens at the Windows login.
  • An account log-off or machine reboot may be required to force machine authentication.
  • The Wireless LAN Controller uses a named ACL instead of a Downloadable ACL.

About Author

Metha Cheiwanichakorn, CCIE#23585 (RS, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new Cisco technologies.

34 comments

Hi,
May I know how to configure Central Web Authentication with ISE?
I went to cisco.com to download notes, but it does not work.

Just Like that: http://www.cisco.com/en/US/products/ps11640/products_configuration_examp...

Thanks.

The document pretty much covers it all. Most likely you need to configure wired or wireless MAB authentication and make sure your client passes that first. Then create an authorization rule with an authorization profile that has Web Authentication checked. Also make sure you have the redirect ACL configured correctly on the switch, if wired, or on the WLC, if wireless. Our videos on CWA will be posted over the next few weeks.

Hello

I have this set up in a lab, and it works to a point. When the wireless endpoint connects, I can see it gets the AD login authorization profile, but it gets stuck there, and only does the machine authentication.

I have a problem, in that there are loads of AD servers, and I don't know which one the client authenticates against... it isn't my IT network. I created an ACL on the WLC to allow what I think should be used for AD login. First I tried UDP port 389 and TCP port 3268, which works for wired clients, and I also tried some private IP ranges where I think the AD servers exist; however, I get a limited connection and can't progress. If I then put a permit rule at the end of the AD ACL on the WLC, I can get onto the wireless network, but ISE does not authenticate the user. The ISE authentications page does not show any further policy admission for the domain user authorization profile.

If I look at the WLC, it still has the AD-only ACL applied, so it does not progress to the full access ACL as you would expect (although I do have full access with my fudged AD ACL permitting anything at the end).

So my question is, at what point does ISE go from the computer authorization profile rule to the user authorization profile rule in the authorization policy? It seems to just stop at computer for me.

I followed your steps to the letter apart from my ACL problems.

Thanks

ISE does not really initiate anything. It just sits there waiting for authentication requests. Authentication events are driven by clients. The machine authentication should happen at the Windows login screen, and user authentication should follow once you have logged into Windows, assuming you have both user and machine authentication configured.

I should have also said that if I disable the machine authorization rule, then I can get on the network using the user authorization rule. I don't understand why ISE does not process the user rule after it has done the machine rule.

OK, I seem to have worked out the issue myself, although I don't know what the difference is. I had the WLAN machine rule below the wired machine rule, and then the wired and WLAN user rules below that. If I move the WLAN rules to the top of the list on the policy page, it works. The WLAN rules are still in the same order.

If your rules match differently when you reorder them, you may not have conditions that are specific enough. Regardless, you should still see user authentication attempts on the log.

Thanks. It must have been some sort of glitch. I followed your wired and wireless PEAP tutorials and had the rules in the same order, and ISE would not process the user rule. When I moved the wireless machine rule to the top, followed by the user rule, it worked. I didn't change anything in the rules, and they had the same conditions as yours in terms of NAS port type, Network Access AD1, and WasMachineAuthenticated. I will try moving the rules back to where they were (below wired PEAP) today, but it isn't any different in terms of order for the wireless rules.

On a side note, what are your plans for these tutorials? More datacenter? Wireless? VoIP? I have a membership for INE, but I think these labs are as good, if not better, for the subject matter so far.

Thank you for your feedback. It is hard to say what we will be releasing next, as we try to keep up with new technologies, and it also depends on what resources are available to us to produce the lab. Stay on our newsletter and you will be notified of our upcoming video releases.

Hi,
I see below that machine authentication only happens at the Windows login. What happens if a user opens a session and has access to the network (machine and user authentication work), then the user disconnects his network cable from the network and reconnects it a few hours later: will machine authentication work, or should he close the Windows session and open it again?

At that time, only user authentication will happen, but since ISE already has the machine credential cached, the user should be able to connect normally. Only when the cache is lost (due to expiration or node restart) will the user have to log off to force machine authentication before regaining access to the network.

Can I configure the expiration time manually?
Is it possible to configure manually that PEAP authenticates the machine every Monday morning (9 AM)?

The cache expiration can be adjusted to a very large value, but you still run a risk of losing the cache if you need to restart the policy service node for whatever reason. Not sure if it is possible to write a script and have it run regularly, but it might be worth looking into. Another option is to go with the AnyConnect client and use EAP chaining.

If I change the aging time here
(Administration->Identity Management->External Identity Sources->Active Directory->Advanced Settings)
from the current value of 6 to a new value of 168,
1. will the new cache apply, and will machine authentication happen again only after 7 days?

Regards

It means ISE will cache the machine credential for 7 days. Machine authentication can still happen at any time, and every time ISE sees it, the cache will be refreshed.

I see in the video that the option "Allow EAP-TLS" has been enabled.
Why?
Is it mandatory to enable this option when we use PEAP?

No, you only need to allow the protocol that you use. We enabled EAP-TLS so we can use it in other labs.

Thanks

Hi,
I saw in the video that you created interface vlan64.
I have only one ESSID for corporate users (and many DATA VLANs, because each AD group is associated with one specific VLAN).
I have already created a Management interface associated with the management VLAN.
Which interface should I associate with the corporate WLAN (WLAN -->General --->Interface/interface group)?

Should I create another interface? Which VLAN ID should I associate with this interface?
Or should I use the Management interface?

Please advise

If you plan to switch the user to a different VLAN once they successfully authenticate, the default VLAN you set is not important, so any VLAN, such as the management interface, should work fine. If you are extra cautious on security, you can create a floating VLAN that goes nowhere for the default VLAN.

In my configuration, all 3 options on this menu are enabled (Administration->Identity Management->External Identity Sources->Active Directory->Advanced Settings).

Can I uncheck "enable machine access restriction", or do I absolutely need it? You did not give details in the video.

If you don't plan to enforce machine authentication on a user, you can uncheck it.

How did you configure your Windows 7 supplicant? Does it use Single Sign-On? Is the authentication under advanced set to 'User', 'Machine' or both? With my older autonomous APs, the only difference is that the Service-Type is 'Login' as opposed to 'Framed'. When I disable Single Sign-On and set the authentication to 'Machine', I get a successful login to the wireless network, but it ONLY performs machine authentication (as you'd expect). It does not work with the other two settings. If you select 'User' it will obviously fail, because the user authentication has the prerequisite of 'WasMachineAuthenticated = true', and 'User or Machine' performs differently in context (i.e. Single Sign-On, wired connection active, Logoff/Logon, Reboot, etc.). I need some consistency here. I just need it to work like you have it set up, with the only difference being that I am using autonomous APs and not a WLC.

The supplicant is configured for 'User or Machine', hence it will perform both machine and user authentications. The Single Sign-On setting is the default, which I believe is enabled. So what kind of result do you get with these settings? Authentication is client-initiated and the AP just relays the request to ISE, so as long as the client is configured properly, you should see the requests show up in the ISE log.

Hello;

I would like to know if you have a video that shows how to set up ISE and a wireless controller that has one SSID, where ISE drops the user into a particular VLAN depending on the user credential or the type of machine (Windows 7, iPad) that is being used.

Thanks;

We do not have a video for that specific use case, but you should be able to adjust your policy based on this video to achieve this. All you should need is to add the VLAN ID to the authorization profile that you want to drop the user into. Just make sure the corresponding VLAN interface is created on the WLC and the SSID is doing central switching and not local switching.

Thank you for your prompt response, but I have a question on "VLAN and SSID doing central switching as opposed to local switching". Do you mean configuring the AP as FlexConnect instead of Local mode? I was wondering if you have a sample wireless controller configuration that explains how to configure the VLAN and SSID doing central switching.

Thanks;

If the AP is in local mode already, you should already be doing central switching. You just need to add the VLAN ID to the authorization profile and that should work.

Thank you very much. One suggestion: a hard copy of the screenshots or configuration from the video would be really helpful.

Thanks again.

On my External Identity Store I have the "Enable Machine Access Restriction aging time" set to 1 hour.
The issue that I'm having is:
The user is authenticated, then takes the machine off the switch, so the user spends more than an hour working locally on the machine. When the user comes back (after the 1 hour expires) and connects the computer back to the network, the machine does not authenticate, therefore the user cannot authenticate. So the user is denied access to the network unless he reboots.

Other than increasing the time, since it can always happen,
how can I solve this issue???

many thanks.

As long as you want to perform Machine Access Restriction, you always rely on the machine credential cache being maintained on ISE. Usually the cache timeout should be increased to a value at which the user is unlikely to reconnect to the network without re-logging in to Windows. A clean solution to this problem is to use EAP chaining, which always allows both user and machine authentications to happen in one session, but it is currently only supported using the AnyConnect NAM module as the 802.1X supplicant. Below are links to the videos.

http://www.labminutes.com/sec0048_ise_1_1_user_machine_authentication_ea...
http://www.labminutes.com/sec0049_ise_1_1_user_machine_authentication_ea...
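As an added illustration of the MAR cache behaviour described in the Notes above and in the aging-time discussion in these comments (a toy model written for this page, not ISE code or the lab's own configuration): each machine authentication refreshes a per-MAC cache entry, the user authorization rule passes only while that entry is younger than the aging time, and a policy service node restart drops the cache. The MAC address and timings are constructed.

```python
# Added example (not from the lab or from Cisco ISE): a toy model of the
# Machine Access Restriction (MAR) cache. MAC and times are constructed.
HOUR = 3600


class MarCache:
    """MAC -> epoch time of the last successful machine authentication."""

    def __init__(self, aging_hours):
        self.aging_hours = aging_hours
        self.entries = {}

    def machine_auth(self, mac, now):
        # Every machine authentication ISE sees refreshes the cache entry.
        self.entries[mac] = now

    def was_machine_authenticated(self, mac, now):
        # The WasMachineAuthenticated condition: entry exists and is not aged out.
        ts = self.entries.get(mac)
        return ts is not None and (now - ts) < self.aging_hours * HOUR

    def policy_service_restart(self):
        # The cache lives on the policy service node; a restart loses it.
        self.entries.clear()


def authorize_user(cache, mac, now):
    """User authorization rule: permit only if WasMachineAuthenticated is true."""
    return "PermitAccess" if cache.was_machine_authenticated(mac, now) else "DenyAccess"


def simulate(aging_hours, away_hours):
    """Windows login at t=0 (machine auth, then user auth), the user leaves the
    network for away_hours without logging off, then reconnects (user auth only,
    no new machine auth). Returns the two authorization results."""
    cache = MarCache(aging_hours)
    mac = "00:11:22:33:44:55"  # constructed endpoint MAC
    cache.machine_auth(mac, 0)
    at_login = authorize_user(cache, mac, 5)
    on_return = authorize_user(cache, mac, away_hours * HOUR)
    return at_login, on_return


if __name__ == "__main__":
    print(simulate(aging_hours=1, away_hours=2))    # ('PermitAccess', 'DenyAccess')
    print(simulate(aging_hours=168, away_hours=2))  # ('PermitAccess', 'PermitAccess')
```

The 1-hour case reproduces the denial described above; the 168-hour (7-day) case shows why raising the aging time helps, while `policy_service_restart` shows the residual risk of losing the cache on a node restart.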

Hello, would somebody know why I cannot put in TACACS like the one at 12:33 of the video? Under 'Security tab' > 'AAA', 'Server 1', it says only "None" as my option, and there is no input box to type in the TACACS IP.

No. That is for RADIUS server only. There should be almost no reason why you would want to use TACACS instead of RADIUS anyway.

Thanks Admin! I was able to choose my ISE now under 'Security tab' > 'AAA', 'Server 1'. Instead of just saying None as an option, I can now see my ISE IP by defining it first in AAA.