topic ISE Problem in Network Access Control

ISE Problem

Reyad Safi — Mon, 11 Mar 2019 02:17:52 GMT

Hi Experts

we have new ISE servers at our network and it work good .

but lately i faced the below problem :

the ISE integrated to get the authentication from the microsoft active directory which depend on the windows login username / password , and the dot1x configurations and settings pushed to the users PCs via the active directory and the user can't change it .

if the user login to the windows sucessfully , the ISE put the user in the quarantine vlan , then check the policy and if pass assign the full access to the users .

Our System Admins force the users to change the password monthly bases , so when the password expired , the authentication failed so the ISE will not assign any vlan to the user , and the can't change the password on the Active Directory becouse he is disconnected from the network .

so i need a way to enable the switch to assign a restricted vlan to reach the Active Directory once the user plug the network cable , regardless he authenticate succesfully or not .

our switch configuration is :

-----------------------------

aaa new-model

aaa authentication login default local

aaa authentication login TEST group radius

aaa authentication enable default enable

aaa authentication dot1x default group radius

aaa authorization network default group radius

aaa accounting dot1x default start-stop group radius

aaa server radius dynamic-author

client 10.10.10.238 server-key C1sc0

aaa session-id common

system mtu routing 1500

authentication mac-move permit

ip device tracking

interface FastEthernet0/2

switchport access vlan 22

switchport mode access

switchport voice vlan 110

authentication port-control auto

mab

dot1x pae authenticator

spanning-tree portfast

ip access-list extended ACL-POSTURE-REDIRECT

deny ip any host 10.10.10.238

deny ip any host 10.10.10.239

deny udp any any

permit tcp any any eq www

permit tcp any any eq 443

permit tcp any any eq 8443

ip access-list extended webauth

permit tcp any any eq www

permit tcp any any eq 443

deny ip any host 10.10.10.238

deny ip any host 10.10.10.239

ip radius source-interface Vlan10

ip sla enable reaction-alerts

radius-server attribute 6 on-for-login-auth

radius-server attribute 8 include-in-access-req

radius-server attribute 25 access-request include

radius-server dead-criteria time 20 tries 3

radius-server host 10.10.10.238 auth-port 1812 acct-port 1813

radius-server host 10.10.10.239 auth-port 1812 acct-port 1813

radius-server key C1sc0

radius-server vsa send accounting

radius-server vsa send authentication

aaa new-model

aaa authentication login default local

aaa authentication login TEST group radius

aaa authentication enable default enable

aaa authentication dot1x default group radius

aaa authorization network default group radius

aaa accounting dot1x default start-stop group radius

aaa server radius dynamic-author

client 10.10.10.238 server-key C1sc0

aaa session-id common

system mtu routing 1500

authentication mac-move permit

ip device tracking

!
interface FastEthernet0/2
switchport mode access
switchport voice vlan 110
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
!

!
ip access-list extended ACL-POSTURE-REDIRECT
deny   ip any host 10.10.10.238
deny   ip any host 10.10.10.239
deny   udp any any
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8443
ip access-list extended webauth
permit tcp any any eq www
permit tcp any any eq 443
deny   ip any host 10.10.10.238
deny   ip any host 10.10.10.239
!
ip radius source-interface Vlan10
ip sla enable reaction-alerts
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 20 tries 3
radius-server host 10.10.10.238 auth-port 1812 acct-port 1813
radius-server host 10.10.10.239 auth-port 1812 acct-port 1813
radius-server key C1sc0
radius-server vsa send accounting
radius-server vsa send authentication
!

------------------------------------

any suggestion to solve this problem .....

regards

Reyad

ISE Problem

Tarik Admani — Fri, 13 Jul 2012 13:42:45 GMT

Reyad,

Please check and see if you have the enable password change box enabled under your AD settings:

http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_id_stores.html#wp1243634

Thanks,

Tarik admani

ISE Problem

Reyad Safi — Fri, 13 Jul 2012 14:18:06 GMT

Dear Tarik

thank you for your reply , but it's already enabled there ...

i think i should add some configuration or ACL to the switch to assign native vlan to the port before checking the authentication from the AD .

Any Suggestion

Reyad

ISE Problem

Tarik Admani — Fri, 13 Jul 2012 14:21:09 GMT

Reyad,

The password change is done through the supplicant and over to ISE via peap-mschapv2, there is no need for the client to be connected to the domain in order to do the password change. What version of ISE are you currently running?

Thanks,

tarik Admani

ISE Problem

Reyad Safi — Fri, 13 Jul 2012 14:48:01 GMT

Dear tarik

Version Identifier (VID) V01

ADE-OS Version 2.0.2.103 Version Identifier (VID) V01
ADE-OS Version 2.0.2.103

the above reply not clear for me , please clarify it more , how could i change the AD Password while im not connected to the network ? please advise .

the PC IP address when it not authenticated succesfully is nubian ip address ( 169.x.x.x)

Reyad

ISE Problem

Tarik Admani — Fri, 13 Jul 2012 16:09:48 GMT

That is normal, dot1x works as a L2 authentication mechanism in which radius from the NAD to the radius server is encapsulated in a radius packet. If authentication fails then the client doesnt receive and ip address since dhcp isnt forwarded from the NAD.

I need you to issue a show ver from the cli.

Also can you post the screenshot of the authentication to see why the client is failing, is it because the password is expired or is the account locked out? That will make a difference too.

Thanks,

Tarik Admani

ISE Problem

Reyad Safi — Fri, 13 Jul 2012 18:59:21 GMT

the Sho Ver from cli is :

ME-ISE-1/reyad# sh version

Cisco Application Deployment Engine OS Release: 2.0
ADE-OS Build Version: 2.0.2.103
ADE-OS System Architecture: i386

Version information of installed applications
---------------------------------------------

Cisco Identity Services Engine
---------------------------------------------
Version      : 1.1.0.665
Build Date   : Thu Mar 8 00:51:03 2012
Install Date : Tue May 22 10:39:15 2012

Cisco Identity Services Engine Patch
---------------------------------------------
Version : 1
Install Date : Thu Jun 21 10:47:35 2012

and i will provide you the GUI screenshot when available .

thank you for support

Reyad

ISE Problem

Tarik Admani — Wed, 25 Jul 2012 07:55:31 GMT

Reyad,

My apologies for the delay were you able to get this resolved?

Thanks,

Tarik Admani
*Please rate helpful posts*

ISE Problem

Reyad Safi — Wed, 25 Jul 2012 12:57:45 GMT

Dear TArik

thank you for your interesting ...

i solved the problem , and every thing working now

Reyad

ISE Problem

edondurguti — Thu, 26 Jul 2012 14:25:14 GMT

Could you please share how you solved your problem?

Thank you.

ISE Problem

Reyad Safi — Fri, 27 Jul 2012 18:15:32 GMT

Hi Edondurquti

yes you are right .....

i changed the authentication method from user authentication to computer authentication , so when you plug the network cable to the PC , it start authentication and the ISE assign the quarantine vlan to the port , so the changing password problem solved .

the computer authentication solved many problems i faced when implementation .

- when you try to connect remotly to your PC at the office ( when i applied user authentication ) , it was

connected for seconds , then the PC re-authentiate and assigned to the quarantine vlan , so i lost the connection to my PC .

- the password expire problem happened on the user authentication especially when you put the option to use the windows login .... its big problem .

- many PCs can connect to the network using the same username/password ,,, and this is also big problem .

- no way to enforce the users to join to the domain if you use the user authentication , you can login locally at your pc , then at the popup screen you can enter the AD user .

by using the computer authentication , all the above problems solved , and the connection become more stable , and all PCs enforced to join to the domain to get the authentication.

another helpful command on the switch , is to assign a restricted configured VLAN to the switches as native VLAN , and you can apply the below command on the interface to assign a VLAN when the authentication fail .

Switch(config-if)#authentication event fail action authorize vlan

i hope this can help you in case you faced the above problems ....

Reyad