SEC0274 - ISE 2.2 Wireless 802.1X with EAP-TLS and PEAP (Part 2)

The video walks you through the configuration of wireless 802.1X using EAP-TLS and PEAP on Cisco ISE 2.2. We will configure authentication and authorization policies to support both user and machine authentication and enforce Machine Access Restriction (MAR) using the Windows Native Supplicant. A named ACL will be used to restrict network access. We will perform testing on both domain and non-domain devices and observe the authentication results.
 
Part 2 of this video covers configuration validation with endpoint testing.
 
Topic:
  • Network Device and Group
  • Certificate Profile (Common Name)
  • Active Directory User Group
  • Identity Source Sequence 
  • User and Machine Authentication with EAP-TLS and PEAP
  • Windows 802.1X Native Supplicant
  • Policy Element Result
    • Authorization (Named ACL)
    • Authorization (Authorization Profile)
    • Authentication Policy
    • Authorization Policy
  • Policy Set
    • Authentication Policy
    • Authorization Policy

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

11 comments

Metha, wonderful video, thank you. We are running into an issue with our ISE deployment where after we push out the Cisco client installation to workstations, the machine reboots, user logs in and gets denied access. If they reboot again, it works. Here are some relevant logs from the client. Any thoughts? Thanks!

206: TEST-PC: May 10 2018 14:17:20.321 +0600: %NAM-6-INFO_MSG: %[tid=1688]: Sending unprotected identity = host/TEST-PC.ABCCorp.com.
207: TEST-PC: May 10 2018 14:17:20.321 +0600: %NAM-6-INFO_MSG: %[tid=1688]: EAP: Identity sent
208: TEST-PC: May 10 2018 14:17:20.321 +0600: %NAM-7-DEBUG_MSG: %[tid=1688]: EAP: identity sent: sync=2
209: TEST-PC: May 10 2018 14:17:20.321 +0600: %NAM-7-DEBUG_MSG: %[tid=1688]: EAP: credential request 2: state transition: PENDING -> RESPONDED
210: TEST-PC: May 10 2018 14:17:20.321 +0600: %NAM-7-DEBUG_MSG: %[tid=1688]: Auth[ABCCorp Wired:machine-auth]: Authentication state transition: AUTH_STATE_STARTED -> AUTH_STATE_UNPROTECTED_IDENTITY_SENT_FOR_FULL_AUTHENTICATION
211: TEST-PC: May 10 2018 14:17:20.321 +0600: %NAM-7-DEBUG_MSG: %[tid=1688]: EAP: credential request completed, response sent: sync=2
212: TEST-PC: May 10 2018 14:17:20.321 +0600: %NAM-7-DEBUG_MSG: %[tid=1688]: EAP: credential request 2: state transition: RESPONDED -> COMPLETED
213: TEST-PC: May 10 2018 14:17:20.331 +0600: %NAM-7-DEBUG_MSG: %[tid=1716]: EAP-CB: credential requested: sync=3, session-id=1, handle=026B00A4, type=AC_CRED_EAP_METHODS
214: TEST-PC: May 10 2018 14:17:20.331 +0600: %NAM-7-DEBUG_MSG: %[tid=1716]: EAP: credential request deferred: sync=3
215: TEST-PC: May 10 2018 14:17:20.331 +0600: %NAM-7-DEBUG_MSG: %[tid=1716]: EAP-CB: sending EapCredentialRequestEvent...
216: TEST-PC: May 10 2018 14:17:20.331 +0600: %NAM-7-DEBUG_MSG: %[tid=1688]: EAP: ...received EapCredentialRequestEvent.
217: TEST-PC: May 10 2018 14:17:20.331 +0600: %NAM-7-DEBUG_MSG: %[tid=1688]: EAP: processing credential request: sync=3, session-id=1, eap-handle=026B00A4, eap-level=0, auth-level=0, protected=0, type=CRED_REQ_EAP_METHODS
218: TEST-PC: May 10 2018 14:17:20.331 +0600: %NAM-6-INFO_MSG: %[tid=1688]: EAP: EAP suggested by server: eapTls
219: TEST-PC: May 10 2018 14:17:20.331 +0600: %NAM-6-INFO_MSG: %[tid=1688]: EAP: EAP requested by client: eapTls
220: TEST-PC: May 10 2018 14:17:20.331 +0600: %NAM-7-DEBUG_MSG: %[tid=1688]: EAP: EAP methods sent: sync=3
221: TEST-PC: May 10 2018 14:17:20.331 +0600: %NAM-7-DEBUG_MSG: %[tid=1688]: EAP: credential request 3: state transition: PENDING -> RESPONDED
222: TEST-PC: May 10 2018 14:17:20.331 +0600: %NAM-7-DEBUG_MSG: %[tid=1688]: Auth[ABCCorp Wired:machine-auth]: Authentication state transition: AUTH_STATE_UNPROTECTED_IDENTITY_SENT_FOR_FULL_AUTHENTICATION -> AUTH_STATE_UNPROTECTED_IDENTITY_ACCEPTED

Versus what looks like one of the failures:

206: TEST-PC: May 10 2018 13:53:59.988 +0600: %NAM-6-INFO_MSG: %[tid=1700]: Sending unprotected identity = host/TEST-PC.ABCCorp.com.
207: TEST-PC: May 10 2018 13:53:59.988 +0600: %NAM-6-INFO_MSG: %[tid=1700]: EAP: Identity sent
208: TEST-PC: May 10 2018 13:53:59.988 +0600: %NAM-7-DEBUG_MSG: %[tid=1700]: EAP: identity sent: sync=2
209: TEST-PC: May 10 2018 13:53:59.988 +0600: %NAM-7-DEBUG_MSG: %[tid=1700]: EAP: credential request 2: state transition: PENDING -> RESPONDED
210: TEST-PC: May 10 2018 13:53:59.988 +0600: %NAM-7-DEBUG_MSG: %[tid=1700]: Auth[ABCCorp Wired:machine-auth]: Authentication state transition: AUTH_STATE_STARTED -> AUTH_STATE_UNPROTECTED_IDENTITY_SENT_FOR_FULL_AUTHENTICATION
211: TEST-PC: May 10 2018 13:53:59.988 +0600: %NAM-7-DEBUG_MSG: %[tid=1700]: EAP: credential request completed, response sent: sync=2
212: TEST-PC: May 10 2018 13:53:59.988 +0600: %NAM-7-DEBUG_MSG: %[tid=1700]: EAP: credential request 2: state transition: RESPONDED -> COMPLETED
213: TEST-PC: May 10 2018 13:53:59.998 +0600: %NAM-7-DEBUG_MSG: %[tid=1732]: EAP-CB: EAP status notification: session-id=1, handle=022D9AAC, status=AC_EAP_STATUS_EAP_FAILURE
214: TEST-PC: May 10 2018 13:53:59.998 +0600: %NAM-7-DEBUG_MSG: %[tid=1732]: EAP-CB: sending EapStatusEvent...
215: TEST-PC: May 10 2018 13:53:59.998 +0600: %NAM-7-DEBUG_MSG: %[tid=1732]: EAP-CB: EAP status notification: session-id=1, handle=022D9AAC, status=AC_EAP_STATUS_ERR_CLIENT_IDENTITY_REJECTED
216: TEST-PC: May 10 2018 13:53:59.998 +0600: %NAM-7-DEBUG_MSG: %[tid=1700]: EAP: ...received EapStatusEvent: session-id=1, EAP handle=022D9AAC, status=AC_EAP_STATUS_EAP_FAILURE
217: TEST-PC: May 10 2018 13:53:59.998 +0600: %NAM-7-DEBUG_MSG: %[tid=1732]: EAP-CB: sending EapStatusEvent...
218: TEST-PC: May 10 2018 13:53:59.998 +0600: %NAM-6-INFO_MSG: %[tid=1700]: EAP: Eap status AC_EAP_STATUS_EAP_FAILURE.
219: TEST-PC: May 10 2018 13:53:59.998 +0600: %NAM-7-DEBUG_MSG: %[tid=1700]: EAP: processing EapStatusEvent in the subscriber
220: TEST-PC: May 10 2018 13:53:59.998 +0600: %NAM-6-INFO_MSG: %[tid=1732][mac=1,6,f8:b1:56:12:34:56]: {294B1B0E-21DC-4857-AECC-1234567890}: Port State UNAUTHENTICATED and status EAP_FAILURE
221: TEST-PC: May 10 2018 13:53:59.998 +0600: %NAM-7-DEBUG_MSG: %[tid=1700]: Auth[ABCCorp Wired:machine-auth]: Unprotected identity rejected, authentication failed.
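The two NAM excerpts above differ only in what happens after the machine identity is sent, which is easy to miss when reading raw DEBUG_MSG lines. The following added example (not part of the original post or of Cisco's tooling) parses AnyConnect NAM log lines of the format shown and reduces each excerpt to a short triage summary: the identity presented, the EAP method the server proposed, the authentication state transitions, and whether the session ended with an identity rejection. The line format and field names are taken from the lines quoted in the comment; the sample logs embedded below are a subset of those same lines.

```python
import re
from datetime import datetime

# One NAM log line, e.g.
#   "213: TEST-PC: May 10 2018 13:53:59.998 +0600: %NAM-7-DEBUG_MSG: %[tid=1732]: EAP-CB: ..."
# A "[mac=...]" tag may follow the tid (see line 220 of the failure excerpt).
NAM_LINE = re.compile(
    r"^(?P<seq>\d+): (?P<host>\S+): "
    r"(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}): "
    r"%NAM-(?P<sev>\d)-(?P<kind>\w+): "
    r"%\[tid=(?P<tid>\d+)\](?:\[[^\]]*\])?: "
    r"(?P<msg>.*)$"
)

IDENTITY_RE = re.compile(r"Sending unprotected identity = (.+?)\.?$")
METHOD_RE = re.compile(r"EAP suggested by server: (\w+)")
TRANSITION_RE = re.compile(r"Authentication state transition: (\w+) -> (\w+)")
ERR_STATUS_RE = re.compile(r"status=(AC_EAP_STATUS_ERR_\w+)")


def parse_nam_line(line):
    """Split one NAM log line into its fields; return None for lines that do not match."""
    m = NAM_LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["seq"] = int(d["seq"])
    d["sev"] = int(d["sev"])
    d["time"] = datetime.strptime(d["ts"], "%b %d %Y %H:%M:%S.%f %z")
    return d


def summarize_session(lines):
    """Reduce a NAM excerpt for one authentication attempt to a triage summary."""
    events = [e for e in map(parse_nam_line, lines) if e]
    summary = {"identity": None, "eap_method": None, "transitions": [],
               "outcome": "unknown", "reason": None, "duration_ms": None}
    for e in events:
        msg = e["msg"]
        m = IDENTITY_RE.search(msg)
        if m:
            summary["identity"] = m.group(1)
        m = METHOD_RE.search(msg)
        if m:
            summary["eap_method"] = m.group(1)
        m = TRANSITION_RE.search(msg)
        if m:
            summary["transitions"].append(m.group(2))
        m = ERR_STATUS_RE.search(msg)
        if m:
            summary["reason"] = m.group(1)       # first AC_EAP_STATUS_ERR_* seen
        if "authentication failed" in msg:
            summary["outcome"] = "failed"
    if summary["outcome"] == "unknown" and \
            "AUTH_STATE_UNPROTECTED_IDENTITY_ACCEPTED" in summary["transitions"]:
        summary["outcome"] = "identity_accepted"
    if len(events) >= 2:
        delta = events[-1]["time"] - events[0]["time"]
        summary["duration_ms"] = round(delta.total_seconds() * 1000)
    return summary


# Sample input: a subset of the lines quoted in the comment above (working case).
SUCCESS_LOG = """\
206: TEST-PC: May 10 2018 14:17:20.321 +0600: %NAM-6-INFO_MSG: %[tid=1688]: Sending unprotected identity = host/TEST-PC.ABCCorp.com.
210: TEST-PC: May 10 2018 14:17:20.321 +0600: %NAM-7-DEBUG_MSG: %[tid=1688]: Auth[ABCCorp Wired:machine-auth]: Authentication state transition: AUTH_STATE_STARTED -> AUTH_STATE_UNPROTECTED_IDENTITY_SENT_FOR_FULL_AUTHENTICATION
218: TEST-PC: May 10 2018 14:17:20.331 +0600: %NAM-6-INFO_MSG: %[tid=1688]: EAP: EAP suggested by server: eapTls
222: TEST-PC: May 10 2018 14:17:20.331 +0600: %NAM-7-DEBUG_MSG: %[tid=1688]: Auth[ABCCorp Wired:machine-auth]: Authentication state transition: AUTH_STATE_UNPROTECTED_IDENTITY_SENT_FOR_FULL_AUTHENTICATION -> AUTH_STATE_UNPROTECTED_IDENTITY_ACCEPTED
""".splitlines()

# Sample input: a subset of the lines quoted in the comment above (failing case).
FAILURE_LOG = """\
206: TEST-PC: May 10 2018 13:53:59.988 +0600: %NAM-6-INFO_MSG: %[tid=1700]: Sending unprotected identity = host/TEST-PC.ABCCorp.com.
210: TEST-PC: May 10 2018 13:53:59.988 +0600: %NAM-7-DEBUG_MSG: %[tid=1700]: Auth[ABCCorp Wired:machine-auth]: Authentication state transition: AUTH_STATE_STARTED -> AUTH_STATE_UNPROTECTED_IDENTITY_SENT_FOR_FULL_AUTHENTICATION
213: TEST-PC: May 10 2018 13:53:59.998 +0600: %NAM-7-DEBUG_MSG: %[tid=1732]: EAP-CB: EAP status notification: session-id=1, handle=022D9AAC, status=AC_EAP_STATUS_EAP_FAILURE
215: TEST-PC: May 10 2018 13:53:59.998 +0600: %NAM-7-DEBUG_MSG: %[tid=1732]: EAP-CB: EAP status notification: session-id=1, handle=022D9AAC, status=AC_EAP_STATUS_ERR_CLIENT_IDENTITY_REJECTED
220: TEST-PC: May 10 2018 13:53:59.998 +0600: %NAM-6-INFO_MSG: %[tid=1732][mac=1,6,f8:b1:56:12:34:56]: {294B1B0E-21DC-4857-AECC-1234567890}: Port State UNAUTHENTICATED and status EAP_FAILURE
221: TEST-PC: May 10 2018 13:53:59.998 +0600: %NAM-7-DEBUG_MSG: %[tid=1700]: Auth[ABCCorp Wired:machine-auth]: Unprotected identity rejected, authentication failed.
""".splitlines()

if __name__ == "__main__":
    for name, log in (("success", SUCCESS_LOG), ("failure", FAILURE_LOG)):
        print(name, summarize_session(log))
```

Run against the two excerpts, the summaries make the difference explicit: the working attempt reaches AUTH_STATE_UNPROTECTED_IDENTITY_ACCEPTED after the server proposes eapTls, while the failing attempt receives AC_EAP_STATUS_ERR_CLIENT_IDENTITY_REJECTED about 10 ms after the identity is sent and never gets an EAP-methods request at all. That is consistent with the reply below asking what ISE recorded, since the rejection arrives before any EAP method is negotiated.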

What error does ISE show?

Interestingly, nothing. I don't see the MAC address hitting the ISE logs at all, not even the RADIUS live logs.

That does not sound correct. If you install NAM manually, does that work? You can also run AAA/RADIUS debug on the switch and see what the switch sees.

I've had mixed luck with manual NAM installation as well. Looking at the debug on the switch, I'm seeing these entries, which seem curious:

22005371: *May 22 13:39:43.800: dot1x-sm:[34e6.d716.a38b, Gi4/0/22] Posting EAP_REQ for 0xF3000155
22005372: *May 22 13:39:43.800: dot1x_auth_bend Gi4/0/22: during state auth_bend_request, got event 7(eapReq)
22005373: *May 22 13:39:43.800: @@@ dot1x_auth_bend Gi4/0/22: auth_bend_request -> auth_bend_request
22005374: *May 22 13:39:43.800: dot1x-sm:[34e6.d716.a38b, Gi4/0/22] 0xF3000155:request request action
22005375: *May 22 13:39:43.800: dot1x-sm:[34e6.d716.a38b, Gi4/0/22] 0xF3000155:entering request state
22005376: *May 22 13:39:43.800: dot1x-ev:[34e6.d716.a38b, Gi4/0/22] Sending EAPOL packet
22005377: *May 22 13:39:43.800: dot1x-registry:registry:dot1x_ether_macaddr called
22005378: *May 22 13:39:43.801: dot1x-ev:[34e6.d716.a38b, Gi4/0/22] Sending out EAPOL packet
22005379: *May 22 13:39:43.801: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
22005380: *May 22 13:39:43.801: dot1x-packet: length: 0x0005
22005381: *May 22 13:39:43.801: dot1x-packet:EAP code: 0x1 id: 0x1 length: 0x0005
22005382: *May 22 13:39:43.801: dot1x-packet: type: 0x1
22005383: *May 22 13:39:43.801: dot1x-packet:[34e6.d716.a38b, Gi4/0/22] EAPOL packet sent to client 0xF3000155
22005384: *May 22 13:39:43.801: dot1x-sm:[0050.b682.224c, Gi5/0/21] Posting AUTH_TIMEOUT on Client 0x37000132
22005385: *May 22 13:39:43.801: dot1x_auth Gi5/0/21: during state auth_authenticating, got event 14(authTimeout)
22005386: *May 22 13:39:43.801: @@@ dot1x_auth Gi5/0/21: auth_authenticating -> auth_authc_result

Happy to pass along any additional information. Thank you for your responses thus far!

Are you using PEAP, EAP-TLS or EAP-FAST? If you run AAA and RADIUS debug, do you see the switch sending RADIUS packets to ISE? What is your interface config?

Hi Metha,

Many thanks for the great video. Just wondering how to handle the certificate when we have 2 ISE servers (no PAN failover), and Cisco mentioned that a wildcard is rejected by Windows machines.
Currently, we have ise and ise02 as server names and are using PEAP with a group policy for ise as primary; it has an issue when failing over to ise02.
Do we need to add another PEAP group policy to cater for the certificate for ise02, or generate a CSR with both nodes' FQDNs?
Many thanks.

Using a wildcard should be your first option. We are not aware of any issue with Windows, as you can see all of our labs use a wildcard cert. Your other option is to use an identity certificate, which means each ISE node will need its own cert signed and installed.
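The failover problem in the exchange above comes down to server-name matching: a PEAP client that validates the RADIUS server's certificate will only accept a node whose FQDN is covered by a name in that certificate, so a certificate issued for the primary node alone fails the moment the supplicant is steered to the second node. The following added example (not from the original thread, and not a description of how any particular supplicant is implemented) applies the usual RFC 6125 rules for DNS name matching, wildcard in the leftmost label only and matching exactly one label, to three certificate name sets and reports which ISE nodes each set leaves uncovered. The domain example.com and the node FQDNs are constructed for illustration; the thread only gives the host names ise and ise02.

```python
def hostname_matches(pattern, hostname):
    """RFC 6125-style DNS-ID matching (assumed client behaviour, not a vendor statement):
    case-insensitive, '*' allowed only as the whole leftmost label, matching one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject partial wildcards such as "ise*.example.com" and wildcards on a public suffix.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    # The wildcard covers exactly one label, so "*.example.com" does not cover
    # "a.b.example.com" or the bare "example.com".
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def coverage(cert_names, node_fqdns):
    """Map each node FQDN to whether any certificate name (CN or SAN dNSName) covers it."""
    return {node: any(hostname_matches(p, node) for p in cert_names) for node in node_fqdns}


def uncovered_nodes(cert_names, node_fqdns):
    """Nodes a supplicant would refuse when steered to them, given this certificate's names."""
    return [node for node, ok in coverage(cert_names, node_fqdns).items() if not ok]


# Constructed sample: two policy service nodes behind one PEAP profile.
ISE_NODES = ["ise.example.com", "ise02.example.com"]

# Three ways the certificate might be issued, as discussed in the thread.
PRIMARY_ONLY = ["ise.example.com"]                         # works until failover
WILDCARD = ["*.example.com"]                               # one cert, both nodes
PER_NODE_SANS = ["ise.example.com", "ise02.example.com"]   # one cert listing both FQDNs

if __name__ == "__main__":
    for label, names in (("primary-only", PRIMARY_ONLY), ("wildcard", WILDCARD),
                         ("both SANs", PER_NODE_SANS)):
        print(f"{label:13s} uncovered: {uncovered_nodes(names, ISE_NODES)}")
```

The primary-only certificate leaves ise02.example.com uncovered, which matches the failover symptom described; both the wildcard and the two-SAN certificate cover every node. The third option in the reply, a distinct identity certificate per node, is equivalent to running this check per node with that node's own name set. If the supplicant's trusted-server list is configured with explicit names rather than relying on certificate validation alone, the same matching applies to those names, so keep that list in sync with every node's FQDN.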

Great vids! I'm playing around, and for some reason my machine cert, using either the PEAP or the EAP-TLS setup, keeps adding "host/" in front of the username that is sent to ISE. Any idea why? This is Windows 10. Trying to get rid of it.

We have not seen that before in EAP-TLS. If you check the various attributes on the machine cert (e.g. CN, Subject, etc.), do you see host\ anywhere? If not, there should be no reason why it would show up on ISE.

Hi Metha,
Many thanks for the great videos. We've configured 'Computer or User authentication', but still, as shown at the end of the video, a personal iPad is able to connect to the network. In this case, how do we allow only corporate devices to connect to the network? Would just keeping the Certificate Authentication Profile (CAP) in the identity source list suffice? Can you please suggest? Thanks in advance.