topic Re: TEAP Problem with Windows 10, ISE 3.2 with Patch 7 and EAP Chainin in Network Access Control

TEAP Problem with Windows 10, ISE 3.2 with Patch 7 and EAP Chaining...

rezaalikhani — Tue, 12 Nov 2024 12:06:11 GMT

Hi all;

Consider the following scenario:

The client is configured as follows:

The target computer and the user both have installed required certificates installed as you can see below:

Now, the client machine is booted up and the following event is recorded on ISE:

Now, the user tries to login to this client and the login operation is succeeded as expected, but in ISE:

As you can see above, the login operation for the user does not match with any authorization policy configured. When I click on the "Detail" button:

Any ideas?

Thanks

Re: TEAP Problem with Windows 10, ISE 3.2 with Patch 7 and EAP Chainin

MHM Cisco World — Tue, 12 Nov 2024 12:13:45 GMT

there are three conditions for each policy
remove two and keep only the EAP-chain
it can other condition failed not eap chain remember you use ""AND"" not ""OR""
and for wired-802.1x it already use in authc policy so no need it again under authz policy

MHM

Re: TEAP Problem with Windows 10, ISE 3.2 with Patch 7 and EAP Chainin

andrewswanson — Tue, 12 Nov 2024 13:30:20 GMT

Do you have "user or computer authentication" mode selected on the supplicant?

hth
Andy

Re: TEAP Problem with Windows 10, ISE 3.2 with Patch 7 and EAP Chainin

bryan-cruz — Wed, 13 Nov 2024 00:26:35 GMT

Additionally, you must verify that you have the certificate issued for the machine as well.

Re: TEAP Problem with Windows 10, ISE 3.2 with Patch 7 and EAP Chainin

rezaalikhani — Wed, 13 Nov 2024 09:00:53 GMT

Thanks for your reply;

As you can see, I aready enabled the required option:

Re: TEAP Problem with Windows 10, ISE 3.2 with Patch 7 and EAP Chainin

rezaalikhani — Wed, 13 Nov 2024 09:02:15 GMT

Based on my first post, the machine has the required cert...

Re: TEAP Problem with Windows 10, ISE 3.2 with Patch 7 and EAP Chainin

rezaalikhani — Wed, 13 Nov 2024 09:08:32 GMT

Thanks for your reply;

I do not think the problem relates to the two not-related to EAP Chaining rules, as when I removed them, the same problem occured...

Re: TEAP Problem with Windows 10, ISE 3.2 with Patch 7 and EAP Chainin

bryan-cruz — Wed, 13 Nov 2024 13:59:47 GMT

Hi, can you check if this parameter is active in your protocols?

On the other hand, to see the live logs, have you tried restarting services or the node?

Re: TEAP Problem with Windows 10, ISE 3.2 with Patch 7 and EAP Chainin

rezaalikhani — Thu, 14 Nov 2024 06:43:51 GMT

Thanks for your reply. But I have already enabled this option:

Re: TEAP Problem with Windows 10, ISE 3.2 with Patch 7 and EAP Chainin

MHM Cisco World — Thu, 14 Nov 2024 06:48:56 GMT

in live log detail check

11627 Starting EAP chaining <<-

Re: TEAP Problem with Windows 10, ISE 3.2 with Patch 7 and EAP Chainin

rezaalikhani — Fri, 15 Nov 2024 11:24:46 GMT

This is the full log for the machine authentication:

Steps

	11001	Received RADIUS Access-Request - DomainInc.
	11017	RADIUS created a new session - domain.com
	15049	Evaluating Policy Group - DomainInc.
	15008	Evaluating Service Selection Policy - domain.com
	15048	Queried PIP - DomainInc.
	11507	Extracted EAP-Response/Identity - DomainInc.
	12756	Prepared EAP-Request proposing TEAP with challenge
	12625	Valid EAP-Key-Name attribute received
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12758	Extracted EAP-Response containing TEAP challenge-response and accepting TEAP as negotiated
	12800	Extracted first TLS record; TLS handshake started
	12805	Extracted TLS ClientHello message
	12806	Prepared TLS ServerHello message
	12807	Prepared TLS Certificate message
	12808	Prepared TLS ServerKeyExchange message
	12809	Prepared TLS CertificateRequest message
	12810	Prepared TLS ServerDone message
	11596	Prepared EAP-Request with another TEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	11595	Extracted EAP-Response containing TEAP challenge-response
	11596	Prepared EAP-Request with another TEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	11595	Extracted EAP-Response containing TEAP challenge-response
	11596	Prepared EAP-Request with another TEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	11595	Extracted EAP-Response containing TEAP challenge-response
	11596	Prepared EAP-Request with another TEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	11595	Extracted EAP-Response containing TEAP challenge-response
	12810	Prepared TLS ServerDone message
	12811	Extracted TLS Certificate message containing client certificate
	12812	Extracted TLS ClientKeyExchange message
	12803	Extracted TLS ChangeCipherSpec message
	12804	Extracted TLS Finished message
	12801	Prepared TLS ChangeCipherSpec message
	12802	Prepared TLS Finished message
	12816	TLS handshake succeeded
	11559	Client certificate was requested but not received inside the tunnel. Will continue with inner method.
	11620	TEAP full handshake finished successfully
	11596	Prepared EAP-Request with another TEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	11595	Extracted EAP-Response containing TEAP challenge-response
	11627	Starting EAP chaining
	11573	Selected identity type 'User'
	11564	TEAP inner method started
	11521	Prepared EAP-Request/Identity for inner EAP method
	11596	Prepared EAP-Request with another TEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	11595	Extracted EAP-Response containing TEAP challenge-response
	11567	Identity type provided by client is equal to requested
	11522	Extracted EAP-Response/Identity for inner EAP method
	12522	Prepared EAP-Request for inner method proposing EAP-TLS with challenge
	12625	Valid EAP-Key-Name attribute received
	11596	Prepared EAP-Request with another TEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	11595	Extracted EAP-Response containing TEAP challenge-response
	11515	Supplicant declined inner EAP method selected by Authentication Policy but did not proposed another one; inner EAP negotiation failed
	11520	Prepared EAP-Failure for inner EAP method
	11566	TEAP inner method finished with failure
	22028	Authentication failed and the advanced options are ignored
	33517	Sent TEAP Intermediate Result TLV indicating failure
	11596	Prepared EAP-Request with another TEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	11595	Extracted EAP-Response containing TEAP challenge-response
	11574	Selected identity type 'Machine'
	11564	TEAP inner method started
	11521	Prepared EAP-Request/Identity for inner EAP method
	11596	Prepared EAP-Request with another TEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	11595	Extracted EAP-Response containing TEAP challenge-response
	11567	Identity type provided by client is equal to requested
	11522	Extracted EAP-Response/Identity for inner EAP method
	12522	Prepared EAP-Request for inner method proposing EAP-TLS with challenge
	12625	Valid EAP-Key-Name attribute received
	11596	Prepared EAP-Request with another TEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	11595	Extracted EAP-Response containing TEAP challenge-response
	12524	Extracted EAP-Response containing EAP-TLS challenge-response for inner method and accepting EAP-TLS as negotiated
	12800	Extracted first TLS record; TLS handshake started
	12545	Client requested EAP-TLS session ticket
	12546	The EAP-TLS session ticket received from supplicant. Inner EAP-TLS does not support stateless session resume. Performing full authentication
	12805	Extracted TLS ClientHello message
	12806	Prepared TLS ServerHello message
	12807	Prepared TLS Certificate message
	12808	Prepared TLS ServerKeyExchange message
	12809	Prepared TLS CertificateRequest message
	12810	Prepared TLS ServerDone message
	12527	Prepared EAP-Request for inner method with another EAP-TLS challenge
	11596	Prepared EAP-Request with another TEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	11595	Extracted EAP-Response containing TEAP challenge-response
	12526	Extracted EAP-Response for inner method containing TLS challenge-response
	12527	Prepared EAP-Request for inner method with another EAP-TLS challenge
	11596	Prepared EAP-Request with another TEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	11595	Extracted EAP-Response containing TEAP challenge-response
	12526	Extracted EAP-Response for inner method containing TLS challenge-response
	12527	Prepared EAP-Request for inner method with another EAP-TLS challenge
	11596	Prepared EAP-Request with another TEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	11595	Extracted EAP-Response containing TEAP challenge-response
	12526	Extracted EAP-Response for inner method containing TLS challenge-response
	12527	Prepared EAP-Request for inner method with another EAP-TLS challenge
	11596	Prepared EAP-Request with another TEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request (Step latency=15046 ms)
	11018	RADIUS is re-using an existing session
	11595	Extracted EAP-Response containing TEAP challenge-response
	11596	Prepared EAP-Request with another TEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	11595	Extracted EAP-Response containing TEAP challenge-response
	12526	Extracted EAP-Response for inner method containing TLS challenge-response
	12527	Prepared EAP-Request for inner method with another EAP-TLS challenge
	11596	Prepared EAP-Request with another TEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	11595	Extracted EAP-Response containing TEAP challenge-response
	12526	Extracted EAP-Response for inner method containing TLS challenge-response
	12810	Prepared TLS ServerDone message
	12568	Lookup user certificate status in OCSP cache - certificate for
	12569	User certificate status was not found in OCSP cache - certificate for
	12988	Take OCSP servers list from OCSP service configuration - certificate for
	12550	Sent an OCSP request to the primary OCSP server for the CA - External OCSP Server
	12561	Connection to OCSP server failed - certificate for
	12552	Conversation with OCSP server ended with failure - certificate for
	12572	OCSP response not cached - certificate for
	12571	ISE will continue to CRL verification if it is configured for specific CA - certificate for
	12811	Extracted TLS Certificate message containing client certificate
	12812	Extracted TLS ClientKeyExchange message
	12813	Extracted TLS CertificateVerify message
	12803	Extracted TLS ChangeCipherSpec message
	12804	Extracted TLS Finished message
	12801	Prepared TLS ChangeCipherSpec message
	12802	Prepared TLS Finished message
	12816	TLS handshake succeeded
	12509	EAP-TLS full handshake finished successfully
	12527	Prepared EAP-Request for inner method with another EAP-TLS challenge
	11596	Prepared EAP-Request with another TEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	11595	Extracted EAP-Response containing TEAP challenge-response
	12526	Extracted EAP-Response for inner method containing TLS challenge-response
	61025	Open secure connection with TLS peer
	15041	Evaluating Identity Policy
	15048	Queried PIP - Network Access.EapTunnel
	22072	Selected identity source sequence - All_User_ID_Stores
	22071	Identity name is taken from AD account Implicit UPN
	15013	Selected Identity Source - DomainInc.
	24433	Looking up machine in Active Directory - DomainInc.
	24325	Resolving identity - Win10-PC2.domain.com
	24313	Search for matching accounts at join point - domain.com
	24362	Client certificate matches AD account certificate - win10-pc2$@domain.com
	24319	Single matching account found in forest - domain.com
	24323	Identity resolution detected single matching account
	24700	Identity resolution by certificate succeeded - DomainInc.
	22037	Authentication Passed
	12528	Inner EAP-TLS authentication succeeded
	11519	Prepared EAP-Success for inner EAP method
	11565	TEAP inner method finished successfully
	33516	Sent TEAP Intermediate Result TLV indicating success
	11596	Prepared EAP-Request with another TEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	11595	Extracted EAP-Response containing TEAP challenge-response
	11637	Inner method supports EMSK but the client provided only MSK. Allow downgrade as per configuration
	11576	TEAP cryptobinding verification passed
	15036	Evaluating Authorization Policy
	24209	Looking up Endpoint in Internal Endpoints IDStore - WIN10-PC2$@domain.com
	24211	Found Endpoint in Internal Endpoints IDStore
	24433	Looking up machine in Active Directory - WIN10-PC2$@domain.com
	24355	LDAP fetch succeeded
	24435	Machine Groups retrieval from Active Directory succeeded
	24355	LDAP fetch succeeded
	24458	Not all Active Directory attributes are retrieved successfully
	24100	Some of the expected attributes are not found on the subject record. The default values, if configured, will be used for these attributes
	15048	Queried PIP - DomainInc..ExternalGroups
	15016	Selected Authorization Profile - DC_DHCP_ISE_Access
	11022	Added the dACL specified in the Authorization Profile
	22081	Max sessions policy passed
	22080	New accounting session created in Session cache
	33514	Sent TEAP Result TLV indicating success
	11596	Prepared EAP-Request with another TEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	11595	Extracted EAP-Response containing TEAP challenge-response
	11597	TEAP authentication phase finished successfully
	11503	Prepared EAP-Success
	11002	Returned RADIUS Access-Accept

Re: TEAP Problem with Windows 10, ISE 3.2 with Patch 7 and EAP Chainin

Eric Iannone — Thu, 14 Nov 2024 20:00:25 GMT

Collect an endpoint debug for Client and TCP dump from NAD under Operations > Diagnostic tools. Any clues?

What happens if you add an 'and' to also check AD for computer under your 'user and computer' AuthZ? I only see user condition.

Re: TEAP Problem with Windows 10, ISE 3.2 with Patch 7 and EAP Chainin

rezaalikhani — Fri, 15 Nov 2024 13:32:11 GMT

After conducting an in-depth investigation, I discovered that after the user logs in, the operating system enters the authentication phase by sending six consecutive EAPoL-Start messages without receiving any response from the switch. At this point, after approximately one minute, the endpoint repeats this process and then stops sending EAPoL-Start messages.

From this finding, I concluded that the issue lies with the switch, not the operating system. Consequently, I proceeded with my investigation by analyzing the switch's configuration. Initially, I removed all unnecessary 802.1X configurations from the endpoint-facing interface and tested again. This time, everything worked perfectly! I realized that one or more configurations on the interface were causing the issue. After thoroughly examining all the commands, I identified the one causing the problem: dot1x timeout ratelimit-period. This command, dot1x timeout ratelimit-period, defines the rate limit period, which throttles EAP-START packets from misbehaving supplicants. By using this command, the switch interprets the second round of EAPoL-Start messages from the endpoint (during user authentication) as coming from a malfunctioning endpoint and subsequently throttles the messages.

Conclusion: If you are using user-based authentication alongside computer authentication, avoid using the dot1x timeout ratelimit-period command.

Thanks