ISE not sending Access-reject for IOS clients for putting wrong password.

Gagandeep Singh — Fri, 08 Sep 2017 18:59:56 GMT

Hi Team,

ISE set to 0 retries for PEAP inner methods because of below reason from some internal documentation.

PEAP Password Retries: In a non-Microsoft environment such as a wireless environment with many Apple or Android devices set PEAP Password Retries to 0. Currenly devices that do not support PEAP Password Retries will stop responding once the retry message is received and instead start a new EAP session. Since an Access-Reject is never received by the WLC client exclusions will never kick in for multiple failed password attempts meaning a device statically configured with a bad password can flood ISE.

I do not see any erroneous debugs from WLC log.

From the latest captures in ISE, it’s clear that ISE detects the wrong password, but I see different flow in case of iPhone vs android.

iPhone:

========

24212 Found User in Internal Users IDStore

22063 Wrong password

22057 The advanced option that is configured for a failed authentication used

22061 The 'Reject' advanced option is configured in case of a failed authentication

request

11823 EAP-MSCHAP authentication attempt failed

12305 Prepared EAP-Request with another PEAP challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12304 Extracted EAP-Response containing PEAP challenge-response

11810 Extracted EAP-Response for inner method containing MSCHAP 11815 Inner EAP-MSCHAP authentication failed – Why ISE is not sending Access-Reject from here???

11520 Prepared EAP-Failure for inner EAP method

22028 Authentication failed and the advanced options are ignored

12305 Prepared EAP-Request with another PEAP challenge

11006 Returned RADIUS Access-Challenge

5440

Endpoint abandoned EAP session and started new

Android:

========

24212 Found User in Internal Users IDStore

22063 Wrong password

22057 The advanced option that is configured for a failed authentication request is used

22061 The 'Reject' advanced option is configured in case of a failed authentication request

11823 EAP-MSCHAP authentication attempt failed

12305 Prepared EAP-Request with another PEAP challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12304 Extracted EAP-Response containing PEAP challenge-response

11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response

11815 Inner EAP-MSCHAP authentication failed

11520 Prepared EAP-Failure for inner EAP method

22028 Authentication failed and the advanced options are ignored

12305 Prepared EAP-Request with another PEAP challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12304 Extracted EAP-Response containing PEAP challenge-response

12917 Expected TLS acknowledge for PEAPv1 protected termination but received another message

11500 Invalid or unexpected EAP payload received

11504 Prepared EAP-Failure

11003 Returned RADIUS Access-Reject

The only difference found is that if “Authentication Method comes as dot1x “, ISE will reject it.

If it comes as “MSCHAPv2”, ISE doesn’t reject it. Instead sending another Access-challenge packet.

Need to know the reason behind coming different authentication method.

I have tested in LAB with Iphone6 + with IOS 10.3.3 and got failed authentication with access-reject.

Identity Services Engine

Overview

Event 5400 Authentication failed

Username abcd

Endpoint Id 9C:4F:DA:1B:C5:35

Endpoint Profile

Authentication Policy Default >> Dot1X

Authorization Policy Default

Authorization Result

Authentication Details

Source Timestamp 2017-08-10 17:41:28.023

Received Timestamp 2017-08-10 17:41:28.024

Policy Server ISE23

Event 5400 Authentication failed

Failure Reason 22063 Wrong password

Resolution Check the user credentials. Also check whether the password is wrong.

Root cause Wrong password

Username abcd

User Type User

Endpoint Id 9C:4F:DA:1B:C5:35

Calling Station Id 9c-4f-da-1b-c5-35

Authentication Identity Store Internal Users

Identity Group User Identity Groups:ALL_ACCOUNTS (default)

Audit Session Id 0ac9e875000000c3598ce117

Authentication Method dot1x

Authentication Protocol PEAP (EAP-MSCHAPv2)

.............

.....

WLC engineer filed an internal bug "WLC/ISE unable to exclude iOS 10.3.3 client with failed authentication" but they want this thing to be validated on ISE side.

Any help would be appreciated.

Regards

Gagan

Re: ISE not sending Access-reject for IOS clients for putting wrong password.

Craig Hyps — Mon, 11 Sep 2017 14:04:32 GMT

Per the message "Endpoint abandoned EAP session and started new". This is saying that before auth event came to a conclusion (pass/fail), endpoint started new EAP session. ISE can return access reject for these cases by using suppression with reject option. This will allow client exclusion to kick in on WLC.

Craig

Re: ISE not sending Access-reject for IOS clients for putting wrong password.

Juan Jose Rodriguez Segovia — Tue, 23 Mar 2021 15:02:02 GMT

I have this same problem and even configuring suppression with reject option, ISE does not send rejects, the request timeout so exclusion does not kick in, causing ultimately that AD password locks out...

Re: ISE not sending Access-reject for IOS clients for putting wrong password.

b1230912 — Wed, 23 Jun 2021 14:30:04 GMT

I know this is an old threat but I seem to be experiencing a very similar issue with iOS devices. Can anyone provide clarification on what actually solved this issue? I see the note about suppression and rejection, but what was the actual fix?

Re: ISE not sending Access-reject for IOS clients for putting wrong password.

Juan Jose Rodriguez Segovia — Wed, 23 Jun 2021 15:57:14 GMT

I opened a case and no solution... They told me it is an IOS issue because they cannot control how the client behaves, so if the client stops responding and causes the timeout and the wrong password trigger, they cannot do anything about it... I told them to get in contact with Apple to fix the issue, good luck with that...

topic Re: ISE not sending Access-reject for IOS clients for putting wrong password. in Network Access Control

ISE not sending Access-reject for IOS clients for putting wrong password.

Re: ISE not sending Access-reject for IOS clients for putting wrong password.

Re: ISE not sending Access-reject for IOS clients for putting wrong password.

Re: ISE not sending Access-reject for IOS clients for putting wrong password.

Re: ISE not sending Access-reject for IOS clients for putting wrong password.