topic Re: 802.1x authentication failed in Network Access Control

802.1x authentication failed

lin.yang2 — Mon, 16 May 2022 08:51:16 GMT

Overview

Event	5434 Endpoint conducted several failed authentications of the same scenario
Username	USERNAME
Endpoint Id	DC:A2:66:1A:0C:4B
Endpoint Profile
Authentication Policy	Ordos_802.1x_AD_auth
Authorization Policy	Ordos_802.1x_AD_auth
Authorization Result

Authentication Details

Source Timestamp	2022-05-16 16:40:50.601
Received Timestamp	2022-05-16 16:40:50.601
Policy Server	ise
Event	5434 Endpoint conducted several failed authentications of the same scenario
Failure Reason	12309 PEAP handshake failed
Resolution	Check whether the proper server certificate is installed and configured for EAP in the Local Certificates page ( Administration > System > Certificates > Local Certificates ). Also ensure that the certificate authority that signed this server certificate is properly installed in client's supplicant. Check the previous steps in the log for this PEAP conversation for a message indicating why the handshake failed. Check the OpenSSLErrorMessage and OpenSSLErrorStack for more information.
Root cause	PEAP handshake failed.
Username	USERNAME
Endpoint Id	DC:A2:66:1A:0C:4B
Audit Session Id	033CCC0A00000197CDBA6B2E
Authentication Method	dot1x
Authentication Protocol	PEAP
Service Type	Framed
Network Device	Ordos_C9800
Device Type	All Device Types
Location	All Locations
NAS IPv4 Address	10.204.60.3
NAS Port Id	capwap_90000005
NAS Port Type	Wireless - IEEE 802.11
Response Time	9 milliseconds

Other Attributes

ConfigVersionId	82
Device Port	57622
DestinationPort	1812
RadiusPacketType	AccessRequest
UserName	USERNAME
Protocol	Radius
NAS-IP-Address	10.204.60.3
NAS-Port	91920
Framed-MTU	1485
State	37CPMSessionID=033CCC0A00000197CDBA6B2E;29SessionID=ise/441870738/71681;
Airespace-Wlan-Id	2
IsEndpointInRejectMode	false
NetworkDeviceProfileName	Cisco
NetworkDeviceProfileId	b0699505-3150-4215-a80e-6753d45bf56c
IsThirdPartyDeviceFlow	false
RadiusFlowType	Wireless802_1x
SSID	48-8b-0a-33-eb-20:Envision-AESC
AcsSessionID	ise/441870738/71681
OpenSSLErrorMessage	SSL alert: code=0x246=582 ; source=local ; type=fatal ; message="protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]"
OpenSSLErrorStack	140005319513856:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:
CPMSessionID	033CCC0A00000197CDBA6B2E
EndPointMACAddress	DC-A2-66-1A-0C-4B
ISEPolicySetName	Ordos_802.1x_AD_auth
StepData	4= Normalised Radius.RadiusFlowType
StepData	5= Radius.Called-Station-ID
DTLSSupport	Unknown
Network Device Profile	Cisco
Location	Location#All Locations
Device Type	Device Type#All Device Types
IPSEC	IPSEC#Is IPSEC Device#No
Called-Station-ID	48-8b-0a-33-eb-20:Envision-AESC
CiscoAVPair	service-type=Framed
audit-session-id	033CCC0A00000197CDBA6B2E
method	dot1x
client-iif-id	3607103665
vlan-id	602
cisco-wlan-ssid	Envision-AESC
wlan-profile-name	Envision-AESC

Result

RadiusPacketType

AccessReject

Steps

	11001	Received RADIUS Access-Request
	11017	RADIUS created a new session
	15049	Evaluating Policy Group
	15008	Evaluating Service Selection Policy
	15048	Queried PIP
	15048	Queried PIP
	11507	Extracted EAP-Response/Identity
	12300	Prepared EAP-Request proposing PEAP with challenge
	12625	Valid EAP-Key-Name attribute received
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12302	Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
	12318	Successfully negotiated PEAP version 0
	12800	Extracted first TLS record; TLS handshake started
	12805	Extracted TLS ClientHello message
	12814	Prepared TLS Alert message
	12817	TLS handshake failed
	12309	PEAP handshake failed
	12307	PEAP authentication failed
	12305	Prepared EAP-Request with another PEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12304	Extracted EAP-Response containing PEAP challenge-response
	61025	Open secure connection with TLS peer
	11504	Prepared EAP-Failure
	11003	Returned RADIUS Access-Reject
	5434	Endpoint conducted several failed authentications of the same scenario

I have many PC terminals, and there are a batch of windows10 802.1x authentication failures. I have not found the specific reason. Other Androids, iphones, etc. are all certified without problems, why? This is one of the reasons for the error. Why do some PCs have problems with the same configuration, and some have no problems?

Re: 802.1x authentication failed

ahollifield — Mon, 16 May 2022 12:15:36 GMT

Looks like those client PCs do not have the ISE certificate as a trusted certificate/CA in their trusted store. Are these machines managed via AD/GPO? Are you using an internal, external, or self-signed certificate on ISE? Is your expected EAP type PEAP?

Re: 802.1x authentication failed

MHM Cisco World — Mon, 16 May 2022 13:35:50 GMT

@lin.yang2 if PC don't have ISE certificate as @ahollifield mention, please add it
if have ISE certificate then there is issue in ISE certificate.

Re: 802.1x authentication failed

lin.yang2 — Tue, 17 May 2022 16:18:06 GMT

Authentication Details

Source Timestamp	2022-05-18 00:11:23.996
Received Timestamp	2022-05-18 00:11:23.996
Policy Server	ise
Event	5200 Authentication succeeded
Username	hwuser001
Endpoint Id	9C:DA:3E:6F:8A:01
Calling Station Id	9c-da-3e-6f-8a-01
Endpoint Profile	Windows10-Workstation
IPv4 Address	10.204.24.194
IPv6 Address	fe80::14fb:2c56:31bf:47d
Authentication Identity Store	sslvpnadmin
Identity Group	GuestEndpoints
Audit Session Id	033CCC0A000001CED4601835
Authentication Method	dot1x
Authentication Protocol	PEAP (EAP-MSCHAPv2)
Service Type	Framed
Network Device	Ordos_C9800
Device Type	All Device Types
Location	All Locations
NAS IPv4 Address	10.204.60.3
NAS Port Id	capwap_90000002
NAS Port Type	Wireless - IEEE 802.11
Authorization Profile	PermitAccessVLAN602
Response Time	783 milliseconds

Other Attributes

ConfigVersionId	82
DestinationPort	1812
Protocol	Radius
NAS-Port	91920
Framed-MTU	1485
State	37CPMSessionID=033CCC0A000001CED4601835;30SessionID=ise/441870738/113986;
NetworkDeviceProfileId	b0699505-3150-4215-a80e-6753d45bf56c
IsThirdPartyDeviceFlow	false
AcsSessionID	ise/441870738/113986
SelectedAuthenticationIdentityStores	Internal Users
SelectedAuthenticationIdentityStores	All_AD_Join_Points
SelectedAuthenticationIdentityStores	Guest Users
SelectedAuthenticationIdentityStores	Internal Endpoints
SelectedAuthenticationIdentityStores	sslvpnadmin
AuthenticationStatus	AuthenticationPassed
IdentityPolicyMatchedRule	Default
AuthorizationPolicyMatchedRule	Authorization Rule 1
EndPointMACAddress	9C-DA-3E-6F-8A-01
ISEPolicySetName	Ordos_802.1x_AD_auth
IdentitySelectionMatchedRule	Default
AD-User-Resolved-Identities	hwuser001@ch.envision-aesc.com
AD-User-Candidate-Identities	hwuser001@ch.envision-aesc.com
TotalAuthenLatency	1243
ClientLatency	460
AD-User-Resolved-DNs	CN=hwuser001,OU=外包人员,OU=用户,DC=ch,DC=envision-aesc,DC=com
AD-User-DNS-Domain	ch.envision-aesc.com
AD-User-NetBios-Name	CH
IsMachineIdentity	false
UserAccountControl	512
AD-User-SamAccount-Name	hwuser001
AD-User-Qualified-Name	hwuser001@ch.envision-aesc.com
TLSCipher	ECDHE-RSA-AES256-GCM-SHA384
TLSVersion	TLSv1.2
DTLSSupport	Unknown
HostIdentityGroup	Endpoint Identity Groups:GuestEndpoints
Network Device Profile	Cisco
Location	Location#All Locations
Device Type	Device Type#All Device Types
IPSEC	IPSEC#Is IPSEC Device#No
IdentityAccessRestricted	false
RADIUS Username	hwuser001
NAS-Identifier	Envision-AESC
Device IP Address	10.204.60.3
CPMSessionID	033CCC0A000001CED4601835
Called-Station-ID	48-8b-0a-33-eb-20:Envision-AESC
CiscoAVPair	service-type=Framed, audit-session-id=033CCC0A000001CED4601835, method=dot1x, addrv6=fe80::14fb:2c56:31bf:47d, client-iif-id=2801803242, vlan-id=602, cisco-wlan-ssid=Envision-AESC, wlan-profile-name=Envision-AESC, AuthenticationIdentityStore=sslvpnadmin, FQSubjectName=2f61b640-bedf-11ec- -e2f1729a5b7f#hwuser001@ch.envision-aesc.com, UniqueSubjectID=a4b6cca657c08a89b07cdd7bbf2720b8558c0248 ------------------------------------------------------------------- The above is the record of successful authentication Yes, all of my PCs are domain-added PCs. Most of the PCs are capable of 802.1x authentication. At present, it is found that some people cannot be 802.1x authenticated and cannot connect.