Why is ISE defaulting to DenyAccess?

imc0000011 — Thu, 01 Feb 2018 15:04:10 GMT

I have a 802.1X Rule, using Certificate based authentication. All of a sudden it's stopped working and it's now started using the default Poilcy Flow

Note: This is ISE 2.3

11001	Received RADIUS Access-Request
	11017	RADIUS created a new session
	15049	Evaluating Policy Group
	15008	Evaluating Service Selection Policy
	15048	Queried PIP
	15048	Queried PIP
	15048	Queried PIP
	11507	Extracted EAP-Response/Identity
	12500	Prepared EAP-Request proposing EAP-TLS with challenge
	12625	Valid EAP-Key-Name attribute received
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12301	Extracted EAP-Response/NAK requesting to use PEAP instead
	12300	Prepared EAP-Request proposing PEAP with challenge
	12625	Valid EAP-Key-Name attribute received
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12302	Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
	12318	Successfully negotiated PEAP version 0
	12800	Extracted first TLS record; TLS handshake started
	12805	Extracted TLS ClientHello message
	12806	Prepared TLS ServerHello message
	12807	Prepared TLS Certificate message
	12808	Prepared TLS ServerKeyExchange message
	12810	Prepared TLS ServerDone message
	12811	Extracted TLS Certificate message containing client certificate
	12305	Prepared EAP-Request with another PEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12304	Extracted EAP-Response containing PEAP challenge-response
	12305	Prepared EAP-Request with another PEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12304	Extracted EAP-Response containing PEAP challenge-response
	12305	Prepared EAP-Request with another PEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12304	Extracted EAP-Response containing PEAP challenge-response
	12318	Successfully negotiated PEAP version 0
	12812	Extracted TLS ClientKeyExchange message
	12813	Extracted TLS CertificateVerify message
	12804	Extracted TLS Finished message
	12801	Prepared TLS ChangeCipherSpec message
	12802	Prepared TLS Finished message
	12816	TLS handshake succeeded
	12310	PEAP full handshake finished successfully
	12305	Prepared EAP-Request with another PEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12304	Extracted EAP-Response containing PEAP challenge-response
	12313	PEAP inner method started
	11521	Prepared EAP-Request/Identity for inner EAP method
	12305	Prepared EAP-Request with another PEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12304	Extracted EAP-Response containing PEAP challenge-response
	11522	Extracted EAP-Response/Identity for inner EAP method
	11806	Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
	12305	Prepared EAP-Request with another PEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12304	Extracted EAP-Response containing PEAP challenge-response
	12523	Extracted EAP-Response/NAK for inner method requesting to use EAP-TLS instead
	12522	Prepared EAP-Request for inner method proposing EAP-TLS with challenge
	12625	Valid EAP-Key-Name attribute received
	12305	Prepared EAP-Request with another PEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12304	Extracted EAP-Response containing PEAP challenge-response
	12524	Extracted EAP-Response containing EAP-TLS challenge-response for inner method and accepting EAP-TLS as negotiated
	12800	Extracted first TLS record; TLS handshake started
	12545	Client requested EAP-TLS session ticket
	12546	The EAP-TLS session ticket received from supplicant. Inner EAP-TLS does not support stateless session resume. Performing full authentication
	12805	Extracted TLS ClientHello message
	12806	Prepared TLS ServerHello message
	12807	Prepared TLS Certificate message
	12808	Prepared TLS ServerKeyExchange message
	12809	Prepared TLS CertificateRequest message
	12527	Prepared EAP-Request for inner method with another EAP-TLS challenge
	12305	Prepared EAP-Request with another PEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12304	Extracted EAP-Response containing PEAP challenge-response
	12526	Extracted EAP-Response for inner method containing TLS challenge-response
	12527	Prepared EAP-Request for inner method with another EAP-TLS challenge
	12305	Prepared EAP-Request with another PEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12304	Extracted EAP-Response containing PEAP challenge-response
	12526	Extracted EAP-Response for inner method containing TLS challenge-response
	12527	Prepared EAP-Request for inner method with another EAP-TLS challenge
	12305	Prepared EAP-Request with another PEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12304	Extracted EAP-Response containing PEAP challenge-response
	12526	Extracted EAP-Response for inner method containing TLS challenge-response
	12527	Prepared EAP-Request for inner method with another EAP-TLS challenge
	12305	Prepared EAP-Request with another PEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12304	Extracted EAP-Response containing PEAP challenge-response
	12526	Extracted EAP-Response for inner method containing TLS challenge-response
	12527	Prepared EAP-Request for inner method with another EAP-TLS challenge
	12305	Prepared EAP-Request with another PEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12304	Extracted EAP-Response containing PEAP challenge-response
	12526	Extracted EAP-Response for inner method containing TLS challenge-response
	12571	ISE will continue to CRL verification if it is configured for specific CA
	12811	Extracted TLS Certificate message containing client certificate
	12812	Extracted TLS ClientKeyExchange message
	12813	Extracted TLS CertificateVerify message
	12804	Extracted TLS Finished message
	12801	Prepared TLS ChangeCipherSpec message
	12802	Prepared TLS Finished message
	12816	TLS handshake succeeded
	12509	EAP-TLS full handshake finished successfully
	12527	Prepared EAP-Request for inner method with another EAP-TLS challenge
	12305	Prepared EAP-Request with another PEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12304	Extracted EAP-Response containing PEAP challenge-response
	12526	Extracted EAP-Response for inner method containing TLS challenge-response
	61025	Open secure connection with TLS peer
	15041	Evaluating Identity Policy
	15013	Selected Identity Source - DenyAccess
	22017	Selected Identity Source is DenyAccess
	12529	Inner EAP-TLS authentication failed
	11520	Prepared EAP-Failure for inner EAP method
	22028	Authentication failed and the advanced options are ignored
	12305	Prepared EAP-Request with another PEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12304	Extracted EAP-Response containing PEAP challenge-response
	61025	Open secure connection with TLS peer
	12307	PEAP authentication failed
	11504	Prepared EAP-Failure
	11003	Returned RADIUS Access-Reject
	5434	Endpoint conducted several failed authentications of the same scenario

Re: Why is ISE defaulting to DenyAccess?

hslai — Thu, 01 Feb 2018 20:20:36 GMT

The steps show PEAP-TLS. Is that what your client supplicant doing? What's the client OS? What are your authentication policy rules like?

Re: Why is ISE defaulting to DenyAccess?

Dustin Anderson — Thu, 01 Feb 2018 22:04:08 GMT

Inner EAP-TLS authentication failed

So, the cert failed. Can you test AD authentication and does that succeed?

Did this stat for everyone, or just certain people?

Did your AD cert change and ISE doesn't trust it for authentication?

Are you oversubscribed on licensees? (My Cisco rep said that in 2.3, after 45 days oversubscribed it will not auth. I can't verify this though)

I also wonder why we are seeing all the other methods in the session. PEAP, MS-CHAP etc.

topic Re: Why is ISE defaulting to DenyAccess? in Network Access Control

Why is ISE defaulting to DenyAccess?

Re: Why is ISE defaulting to DenyAccess?

Re: Why is ISE defaulting to DenyAccess?