topic Re: One PC working but can't get others authorised in ISE in Network Access Control

One PC working but can't get others authorised in ISE

alliasneo1 — Tue, 30 Apr 2024 10:22:55 GMT

Hi all,

I've managed to get one PC up and running using dot1x and it's all authenticating correctly. However when I try another PC it just fails.

What can I do to troubleshoot this? I've confirmed that the PC's have the same certificates and are in the same AD groups. The port configs are the same on both ports.

on the switch I'm seeing Authentication failed for client Username: host/XXXXXXX.domain

When I check the logs in ISE I can see the following for the authenticated machine:

1001	Received RADIUS Access-Request - XXXX-DC-002
	11017	RADIUS created a new session - XXX.domain.uk
	15049	Evaluating Policy Group - XXXX -DC-002
	15008	Evaluating Service Selection Policy
	15048	Queried PIP - Normalised Radius.RadiusFlowType
	11507	Extracted EAP-Response/Identity
	12500	Prepared EAP-Request proposing EAP-TLS with challenge
	12625	Valid EAP-Key-Name attribute received
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12502	Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated

and for the machine that fails it's not sending through the domain information:

11001	Received RADIUS Access-Request
	11017	RADIUS created a new session
	15049	Evaluating Policy Group
	15008	Evaluating Service Selection Policy
	15048	Queried PIP - Normalised Radius.RadiusFlowType
	11507	Extracted EAP-Response/Identity
	12500	Prepared EAP-Request proposing EAP-TLS with challenge
	12625	Valid EAP-Key-Name attribute received
	11006	Returned RADIUS Access-Challenge
	5440	Endpoint abandoned EAP session and started new ( Step latency=1018 ms)

Re: One PC working but can't get others authorised in ISE

ahollifield — Tue, 30 Apr 2024 12:20:01 GMT

Looks like a supplicant configuration issue to me. The expected EAP type is EAP-TLS? Are the certificates correct on the second machine? What is the endpoint? What is the NAD? Machine certificate or user certificate?

https://community.cisco.com/t5/security-documents/how-to-ask-the-community-for-help/ta-p/3704356

Re: One PC working but can't get others authorised in ISE

alliasneo1 — Tue, 30 Apr 2024 12:28:18 GMT

It is EAP-TLS yes.

The certificate is exactly the same on the second machine.

The endpoint is a HP PC - both the same make and model.

The NAD - Cisco 9200

Machine Certificate

Re: One PC working but can't get others authorised in ISE

ahollifield — Tue, 30 Apr 2024 12:41:07 GMT

“Exactly the same” each device should have its own unique certificate. Why are two machines sharing the same certificate? What type of certificate is on ISE? Public? Private? Is that certificate trusted by the second machine?

What version of IOS-XE?

Re: One PC working but can't get others authorised in ISE

alliasneo1 — Tue, 30 Apr 2024 13:55:42 GMT

This is a certificate pushed to the machine via Group Policy.

It is a private certificate. Under 'Issued-By' it has our company name.

How do I check if the certificate is trusted by the second machine?

Re: One PC working but can't get others authorised in ISE

ahollifield — Tue, 30 Apr 2024 14:05:09 GMT

Check in MMC under the trusted certificates.

Re: One PC working but can't get others authorised in ISE

alliasneo1 — Tue, 30 Apr 2024 14:33:03 GMT

When I open MMC and go to Local Computer>Personal>Certificates

I can see the ISE cert in there.

Re: One PC working but can't get others authorised in ISE

ahollifield — Tue, 30 Apr 2024 18:54:56 GMT

"The ISE cert"? Why isn't it the root and issuing CAs? From the internal PKI? There should be no need to trust the ISE EAP Certificate itself as long as you are trusting the roots.

That's also not the trusted CA store. That's the certificates issues to that local computer.

Re: One PC working but can't get others authorised in ISE

alliasneo1 — Thu, 02 May 2024 08:24:10 GMT

We have created an intermediate certificate which we will push to devices. This is trusted by the Root CA. The Root C certificate is uploaded to ISE. Sorry, I don't know much about certificates but that is how it has been setup to my knowledge.

In ISE, if I look under Certificates>Trusted Certificates this is where I see our organisations Root Cert and this is trusted for client authentication.

I then have the ISE cert being pushed from Group Policy which is created from the PKI and under 'External Identity Store' the preloaded certificate profile is pointed to Active Directory and the certificate attribute is looking at 'Subject alternative name'.