topic Re: client cannot use MAC authentication with ISE in Network Access Control

client cannot use MAC authentication with ISE

sbmc014 — Thu, 03 May 2018 03:52:57 GMT

Hi , PC want to use MAC authentication with ISE but fail , i made the document for detail process and result (as attachment) , Could you help me to figure it out ? thx

Re: client cannot use MAC authentication with ISE

ognyan.totev — Thu, 03 May 2018 05:48:17 GMT

The trick here is on authentication rule for MAB change if user not found continue

Re: client cannot use MAC authentication with ISE

sbmc014 — Thu, 03 May 2018 06:25:32 GMT

thanks for your reply , i adjust setting follow your suggestion :

i add one more policy in authentication for "wired_MAB" but i got the same result , and i found the hits=0 , that is meaning this policy does not active when communicate period between switch & ISE , right ?

do i miss something to configure ?

Re: client cannot use MAC authentication with ISE

smashash — Thu, 03 May 2018 11:43:16 GMT

Hi,

Please try attached NAD profile.

1. Import attached NAD profile into your ISE ( under Administration > network resources > network Device Profiles)

2. Configure the network device using this NAD profile in network devices page

3. Change in authentication policy options “If user not found > Continue”

4. Do MAB authentication

HTH,

Re: client cannot use MAC authentication with ISE

Arne Bier — Thu, 03 May 2018 22:08:04 GMT

I think the profile that Salomon uploaded looks correct. In my quick analysis the Service-Type was originally not being matched. And also the hard coding of MAC addresses in profiles is a no no. With the new device profile attached, you can use a Normalised Smart Condition "Wired_MAB" which will now include the new DLINK Device Profile. Create a Policy Set Condition using Wired_MAB as your condition and that's that.

If the MAC address is in the Endpoint Identity Group then return access-accept (and remember that the Result Policy either has to be the same Vendor Type (i.e. DLINK) or vendor neutral (i.e. remove the vendor icon). The default PermitAccess should do the job (unless of course you need other attributes returned).

As for the Continue if not found - that is a logic trick that we use all the time in Guest redirection, where it is IMPERATIVE that every request passes, because you HAVE to force the user to a portal even if MAC address is unknown.

In your case I don't know if that logic applies, since I think you only want to send an access-accept back to your switch if, and only if, the MAC address is in ISE. Is that right?

Re: client cannot use MAC authentication with ISE

sbmc014 — Fri, 04 May 2018 02:58:44 GMT

thanks for your reply , but after i imported DlinkWired switch NAD profile , the testing result is still fail and got the same log :

verview

Event	5400 Authentication failed
Username	54E1AD9478BB
Endpoint Id
Endpoint Profile	Windows10-Workstation
Authentication Policy	Default >> Default
Authorization Policy	Default
Authorization Result

Authentication Details

Source Timestamp	2018-05-04 02:04:31.124
Received Timestamp	2018-05-04 02:04:31.125
Policy Server	ise
Event	5400 Authentication failed
Failure Reason	22040 Wrong password or invalid shared secret
Resolution	Check the Device shared secret in Administration > Network Resources > Network Devices and user for credentials.
Root cause	Wrong password or invalid shared secret
Username	54E1AD9478BB
User Type	Host
Endpoint Profile	Windows10-Workstation
Authentication Identity Store	Internal Endpoints
Identity Group	Profiled
Authentication Method	PAP_ASCII
Authentication Protocol	PAP_ASCII
Service Type	Framed
Network Device	DGS1210
Device Type	All Device Types#Dlink1210
Location	All Locations
NAS IPv4 Address	192.168.1.21
NAS Port Type	Virtual
Response Time	18 milliseconds

Other Attributes

ConfigVersionId	245
Device Port	49154
DestinationPort	1812
RadiusPacketType	AccessRequest
Protocol	Radius
NAS-Port	0
NetworkDeviceProfileId	580baaf4-4e28-49ca-81fd-63ca390392e9
IsThirdPartyDeviceFlow	true
AcsSessionID	ise/314001139/451
SelectedAuthenticationIdentityStores	Internal Endpoints
IdentityPolicyMatchedRule	Default
CPMSessionID	c0a80113CHtDpU5IigKqw6bFOQrqHJ5ERXON1ldelSNxpGMZ9rg
ISEPolicySetName	Default
IdentitySelectionMatchedRule	Default
DTLSSupport	Unknown
HostIdentityGroup	Endpoint Identity Groups:Profiled
Model Name	DGS1210ME
Software Version	7.01.B021
Network Device Profile	DlinkWired_Switch
Location	Location#All Locations
Device Type	Device Type#All Device Types#Dlink1210
IPSEC	IPSEC#Is IPSEC Device#No
RADIUS Username	54:E1:AD:94:78:BB
NAS-Identifier	D-LINK
Device IP Address	192.168.1.21

Result

RadiusPacketType	AccessReject
AuthenticationResult	Failed
UserName	54:E1:AD:94:78:BB

i have some questions want to confirm :

a. i add one more authentication entry like this :

but the hits still display zero , do i need add this policy ?if yes , what is wrong with this setting ?

b. Where i can configure PC MAC can accept in ISE server ?

for example , if i testing this function between switch & ISE server , i should configure "54E1AD9478BB Auth-Type := Accept " in user file of freeRadius server , then it can work fine.

thx

Re: client cannot use MAC authentication with ISE

sbmc014 — Fri, 04 May 2018 03:01:30 GMT

Thanks for your reply , as your mentioned "In your case I don't know if that logic applies, since I think you only want to send an access-accept back to your switch if, and only if, the MAC address is in ISE. Is that right? "

yes , and do you know where i can configure this MAC can accept in ISE side ?

thx

Re: client cannot use MAC authentication with ISE

Jason Kunst — Fri, 04 May 2018 04:53:45 GMT

It looks to me that the shared secret configured on the network access device is not matching with the NAD configuration on ISE

Re: client cannot use MAC authentication with ISE

Arne Bier — Fri, 04 May 2018 05:09:45 GMT

Here is how you load static MAC addresses into an Identity Group. Click on each image because of the resolution is reduced in this forum view.

You add the MAC addresses via Context visibility

You can also verify that they are in the Endpoint identity Group that you have chosen. Please don't use my example of Profiled/Axis-Device. Choose something meaningful off the root Group, like, MAB-Printers or whatever.

Re: client cannot use MAC authentication with ISE

ognyan.totev — Fri, 04 May 2018 05:13:02 GMT

Jason is right not same shared secret ,and i wonder in ise 2.2 we have a option to enable radius for third party vendors i dont know in ISE 2.4 there is same option

Re: client cannot use MAC authentication with ISE

sbmc014 — Fri, 04 May 2018 06:39:54 GMT

thanks for your reply , i am sure the secret value are the same between switch & ISE , it probably some other things going wrong.

Re: client cannot use MAC authentication with ISE

sbmc014 — Fri, 04 May 2018 06:54:05 GMT

thanks for your reply , my PC MAC existed in Endpoint list :

and existed in identity group :

but testing result is still fail ,

above settings are meaning this MAC already be accept in ISE !? or any other configurations i need to adjust ?

Re: client cannot use MAC authentication with ISE

ognyan.totev — Fri, 04 May 2018 06:59:30 GMT

As you see you there are invalid radius attributes .In cisco switch we define attributes like:

radius-server attribute 6 on-for-login-auth

radius-server attribute 6 support-multiple

radius-server attribute 8 include-in-access-req

radius-server attribute 25 access-request include

radius-server attribute 31 mac format ietf

radius-server vsa send accounting

radius-server vsa send authentication

I never configured switch on WEB i always do on cli.ANd this is the commands for cisco switch i don't know is your switch support it .

Re: client cannot use MAC authentication with ISE

hslai — Sat, 05 May 2018 06:38:24 GMT

The endpoint ID is empty so it seems the auth request does not have calling-station-id, which is likely why it not matching the Wired MAB condition.

Please try a wired capture to confirm what attributes are sent in the auth requests and then modify the NAD profile and the network access policy set accordingly.

Re: client cannot use MAC authentication with ISE

hslai — Sat, 05 May 2018 17:14:37 GMT

After reviewing your word doc, I am now thinking the user-password is not the same as the user-name. This RSA doc 000035182 - How to decrypt RADIUS traffic using... | RSA Link might help decrypting it.

Re: client cannot use MAC authentication with ISE

sbmc014 — Mon, 07 May 2018 01:49:19 GMT

thanks for your reply .Yes, my original auth request does not have calling-station-id , and after i change another switch that has calling-station-id , it's work , so i have some questions like this :

1. When i want to run MAC aurh with ISE , it's only support that Pkts include ""calling-station-id" !?

2. Or it also support without "calling-station-id" ? if yes , what's configurations i should adjust ?

to modify NAD profile in wired MAB detected? or in wired 802.1x detected? and what's content i need to configure ?　

Re: client cannot use MAC authentication with ISE

hslai — Mon, 07 May 2018 02:10:45 GMT

ISE may authenticate without calling-station-id in the requests. However, ISE features, such as CWA or posture, would not work without calling-station-id. ISE session directory is keying off calling-station-ID in most cases.

Re: client cannot use MAC authentication with ISE

howon — Mon, 07 May 2018 15:22:43 GMT

Following NAD Profile settings should allow you to match against wired MAB. However, it does not have wired 802.1X, since I am not sure what attributes gets sent from D-Link during 802.1X. Contact me directly at howon@cisco.com and I can assist with creating the NAD profile that works with both MAB and 802.1X.

Re: client cannot use MAC authentication with ISE

sbmc014 — Fri, 11 May 2018 08:18:59 GMT

it can work after follow your setting!! Thanks u very much!!

Re: client cannot use MAC authentication with ISE

sbmc014 — Fri, 11 May 2018 10:01:07 GMT

sorry , after i double confirm , if i just enable PAP/ASCII in my profile (as attachment ) ,

then all clients can pass through 802.1x MAC auth even there is no this MAC exist ISE endpoint profile table , it is abnormally , what's configurations should i need to adjust ?