topic Hi, I read the thread and it in Network Access Control

ISE1.4 - User authentication issue on WLAN

Sarayuth.s01 — Mon, 11 Mar 2019 06:06:42 GMT

Hi Experts,

Now, I do implement ISE 1.4 for machine and user authentication on wired and wirless network.

For wired network no issue.

For wireless network when I connect to ssid that integrate with ISE, The authorization has deny.

this the rule in authoraization.

first rule; Machine Authen

Radius:Called-Station-ID == Containt == Office

3D-AD:ExternalGroups == domain computer

Second rule; User Authen

Radius:Called-Station-ID == Containt == Office

3D-AD:ExternalGroups == domain user

Network Access:WasMachineAuthenticated ==True

If I delete condition on Second rule in past of Network Access:WasMachineAuthenticated ==True. It can authentication pass.

Could you please advise to me that root cause is?

Thank you

Hi, By the sounds of it you

Jason van den Berg — Thu, 01 Oct 2015 10:28:21 GMT

Hi,

By the sounds of it you want to setup EAP chaining. I would suggest you read trough this document that has a good example on how to achieve this. The only missing part would be the AD groups which you can add however it also seems you using the default groups anyways.

http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-82_Deploy_EAP_Chaining.pdf

Regards,

Jason

Hi Jason,I'm not to set up

Sarayuth.s01 — Thu, 01 Oct 2015 10:41:21 GMT

Hi Jason,

I'm not to set up EAP chaining, I using PEAP and EAP-TLS authentication method. I'm authen pass but stuck in authorization if apply condition "Network Access:WasMachineAuthenticated ==True" so It go to default authoraization(Deny access).

Hi, If you not using eap

Jason van den Berg — Thu, 01 Oct 2015 10:50:35 GMT

Hi,

If you not using eap chaining then you cant combine machine and user success criteria as you have it in your authz. What are you attempting to achieve?

Regards,

Jason

Himy purpose like this topic

Sarayuth.s01 — Thu, 01 Oct 2015 11:24:38 GMT

my purpose like this topic please see the correct answer. https://supportforums.cisco.com/discussion/11583721/machine-user-auth-windows-endpoint-autheticating-through-ise

It's work on my wired network.

And wlan network used to work fine on ISE 1.2

Hi, I read the thread and it

Jason van den Berg — Thu, 01 Oct 2015 11:48:27 GMT

Hi,

I read the thread and it seems there is several limitations on how this works and in the same article not recommended.

However lets see if we can reproduce how it worked in your earlier version, when your wireless device connects to the SSID, do you see a successful machine authz?

Regards,

Jason

How many PSNs do you have?

Tim Steele — Thu, 01 Oct 2015 13:14:46 GMT

How many PSNs do you have? Keep in mind that the MAR cache (where previous machine authentications are stored) does not replicate across PSNs. So, if you machine authenticated against one PSN and then the user authentication hit a different PSN, that PSN wouldn't have a record of the previous machine authentication. This is one of the limitations of MAR (machine access restrictions).

One of the things you'll want to do if you plan to use MAR is to extend the MAR cache aging timer at Administration > Identity Management > External Identity Sources > Active Directory. Once you click on your AD Join Point Name, click the Advanced Settings tab across the top. The default is 6hrs, you may consider expanding that to something you feel would better serve your environment. I've used 168hrs (7 days) a number of times. This doesn't solve the machine auth replication between PSNs issue, but at least it holds the record of the machine auth for a decent amount of time.

That is one restriction of MAR. Another is the idea of a user coming to work, putting her laptop on a docking station and powering it up. That machine auth attempt will be wired. An hour later, she needs to undock and go to a meeting - now she is authenticating with just user auth over wireless with potentially no matching machine auth.

Review this doc for more details:

http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116516-problemsolution-technology-00.html

EAP Chaining with AnyConnect solves these issues, but it comes at the cost of the help desk having to support a new client which some companies want to avoid. There is also the licensing cost to consider. However, even with those costs, it is a good option to consider - especially if you are already using AnyConnect VPN on your endpoints. There is now an RFC for a new EAP type called TEAP where "EAP Chaining" will be standardized. Key word there is "will" as there are no supplicants supporting TEAP yet. You can see more on that here:

http://www.networkworld.com/article/2466000/security0/industry-standards-for-secure-network-access.html

Tim