topic Re: Cisco Ise using default policy in Network Security

Cisco Ise using default policy

Tutu — Thu, 01 Oct 2020 11:30:35 GMT

Hello

I have implemented some policies on Cisco ISE but it is using default policies instead of the ones i configured.

Can i please get help on it.

I have attached the the image below

Re: Cisco Ise using default policy

Rob Ingram — Thu, 01 Oct 2020 12:10:14 GMT

Hi @Tutu

In the authentication policy you should be more specific and specify which protocol to use, such as MSCHAPv2, EAP-FAST, EAP-TLS rather just 802.1x or MAB, as 802.1x could apply to EAP-FAST, EAP-TLS or MCHAPv2 and may need to specify a different ID store.

HTH

Re: Cisco Ise using default policy

Tutu — Thu, 01 Oct 2020 11:56:44 GMT

Hello,

You mean under the wired policy that i have created ?

Im new to this so im not sure where i need to change it.

Thanks,

Re: Cisco Ise using default policy

Rob Ingram — Thu, 01 Oct 2020 12:25:50 GMT

It's common to specify multiple Policy Sets, i.e. one for 802.1x and another for MAB.

Example below is just for 802.1x, using the protocol as the condition.

In your scenario, is the NAD (the switch) you are testing with a member of the NAD Group "Switches" that you using as a condition for your policy set? If not then the policy above will not apply and the user will match the default policy.

Please provide the screenshot of your authentication log when it hits default.

Re: Cisco Ise using default policy

Tutu — Thu, 01 Oct 2020 12:53:11 GMT

Hi Rob,

Yes, my device is part of the NAD Group. I have changed it back to #alldeivcetypeswired, instead of switches.

Please see attached screenshot of the logs with the authentication set - default.

For testing purposes, I have added the mac address of a windows 10 Pc (not part of the domain) on cisco ISE - and when I connect it to the switch the authentication fails but he can still access the network. Yet I see no hits on wired policies. And when I check the radius logs I do not see information regarding the pc. Although under Endpoints the pc username was displaying whereas before there was no such information.

Re: Cisco Ise using default policy

Rob Ingram — Thu, 01 Oct 2020 14:09:37 GMT

So if the PC is not part of the domain then it is using Wired MAB, if it hits the default policy, it should just match "Basic_Authenticated_Access" authorisation rule without you having to add the MAC address to the Endpoint database.

Have you modified the default policies?

The username is hidden, select the disclose invalid username option as per screenshot below.

Re: Cisco Ise using default policy

Tutu — Thu, 01 Oct 2020 16:32:09 GMT

OKay thank you i will try that out. What is the radius-test under identity? why is it trying to authenticate against it ?

Re: Cisco Ise using default policy

Tutu — Fri, 02 Oct 2020 10:04:48 GMT

Hi Rob,

this is the policy that i have set now. i deleted the enpoint and tried connecting again. This is the result i am getting now.

He is still able to access the network so i m not sure what is going on even though the authentication is failing.

Re: Cisco Ise using default policy

Rob Ingram — Fri, 02 Oct 2020 10:24:02 GMT

Does the client computer trust the certificate presented by ISE?

The probable reason he can still access the network is because the switchport interface is configured in "open" mode?

Re: Cisco Ise using default policy

Tutu — Fri, 02 Oct 2020 10:25:07 GMT

This is my switch port config.

Yes i configured open mode.

Let me remove it and try again.

interface GigabitEthernet1/0/10
switchport access vlan 105
switchport mode access
switchport voice vlan 301
ip device tracking maximum 65535
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
storm-control broadcast level 25.00
storm-control multicast level 25.00
storm-control unicast level 25.00
spanning-tree portfast edge
!

Re: Cisco Ise using default policy

Tutu — Fri, 02 Oct 2020 10:42:57 GMT

Okay, it works now. But what if I just wanted him to access the internet?

And it shows that he is authenticated using wired Dot1x the policy I have created but doesn't show that there are any hits against it.

Re: Cisco Ise using default policy

Rob Ingram — Fri, 02 Oct 2020 10:47:23 GMT

It's not working as it says "Authentication Failed" if you showed me the entire output of the logged I'd be able to determine why.

You didn't answer my previous question, does the client computer trust the certificate (EAP) presented by ISE?

Re: Cisco Ise using default policy

Tutu — Fri, 02 Oct 2020 10:58:55 GMT

Dear Rob,

My apologies - it does not ask for any trust certificate on the client computer.

I'm pasting the log below:

Overview
Event 5400 Authentication failed
Username INVALID
Endpoint Id 70:5A:0F:62:92:CF
Endpoint Profile
Authentication Policy Wired >> TCRA Dot1x
Authorization Policy Wired
Authorization Result

Authentication Details
Source Timestamp 2020-10-02 10:34:03.205
Received Timestamp 2020-10-02 10:34:03.205
Policy Server TCRA-ISE-PAN
Event 5400 Authentication failed
Failure Reason 22056 Subject not found in the applicable identity store(s)
Resolution Check whether the subject is present in any one of the chosen identity stores. Note that some identity stores may have been skipped due to identity resoultion settings or if they do not support the current authentication protocol.
Root cause Subject not found in the applicable identity store(s).
Username INVALID
Endpoint Id 70:5A:0F:62:92:CF
Calling Station Id 70-5A-0F-62-92-CF
IPv4 Address 10.100.105.59
Audit Session Id 0AC8D0640000001F05C2B02B
Authentication Method dot1x
Authentication Protocol PEAP (EAP-MSCHAPv2)
Service Type Framed
Network Device Test
Device Type All Device Types#Wired
Location All Locations#TCRA-HQ
NAS IPv4 Address 10.200.208.100
NAS Port Id GigabitEthernet1/0/10
NAS Port Type Ethernet
Response Time 4 milliseconds

Other Attributes
ConfigVersionId 123
Device Port 1645
DestinationPort 1812
RadiusPacketType AccessRequest
Protocol Radius
NAS-Port 50110
Framed-MTU 1500
State 37CPMSessionID=0AC8D0640000001F05C2B02B;38SessionID=TCRA-ISE-PAN/390237529/74355;
NetworkDeviceProfileId b0699505-3150-4215-a80e-6753d45bf56c
IsThirdPartyDeviceFlow false
AcsSessionID TCRA-ISE-PAN/390237529/74355
DetailedInfo Invalid username or password specified
SelectedAuthenticationIdentityStores TCRA-AD
IdentityPolicyMatchedRule TCRA Dot1x
EndPointMACAddress 70-5A-0F-62-92-CF
ISEPolicySetName Wired
IdentitySelectionMatchedRule TCRA Dot1x
StepLatency 52=24137
IsMachineIdentity false
TLSCipher ECDHE-RSA-AES256-GCM-SHA384
TLSVersion TLSv1.2
DTLSSupport Unknown
Network Device Profile Cisco
Location Location#All Locations#TCRA-HQ
Device Type Device Type#All Device Types#Wired
IPSEC IPSEC#Is IPSEC Device#No
RADIUS Username INVALID
Device IP Address 10.200.208.100
CPMSessionID 0AC8D0640000001F05C2B02B
Called-Station-ID 3C:41:0E:F2:25:0A
CiscoAVPair service-type=Framed,
audit-session-id=0AC8D0640000001F05C2B02B,
method=dot1x

Result
RadiusPacketType AccessReject

Session Events

Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - DEVICE.Device Type
15048 Queried PIP - Normalised Radius.RadiusFlowType
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12300 Prepared EAP-Request proposing PEAP with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12808 Prepared TLS ServerKeyExchange message
12810 Prepared TLS ServerDone message
12811 Extracted TLS Certificate message containing client certificate
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12318 Successfully negotiated PEAP version 0
12812 Extracted TLS ClientKeyExchange message
12813 Extracted TLS CertificateVerify message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12310 PEAP full handshake finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request (step latency=24137 ms Step latency=24137 ms)
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12313 PEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
15041 Evaluating Identity Policy
15013 Selected Identity Source - TCRA-AD
24430 Authenticating user against Active Directory - TCRA-AD
24325 Resolving identity - INVALID
24313 Search for matching accounts at join point - tcra.go.tz
24318 No matching account found in forest - tcra.go.tz
24322 Identity resolution detected no matching account
24352 Identity resolution failed - ERROR_NO_SUCH_USER
24412 User not found in Active Directory - TCRA-AD
22056 Subject not found in the applicable identity store(s)
22058 The advanced option that is configured for an unknown user is used
22061 The 'Reject' advanced option is configured in case of a failed authentication request
11823 EAP-MSCHAP authentication attempt failed
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
15041 Evaluating Identity Policy
15013 Selected Identity Source - TCRA-AD
24430 Authenticating user against Active Directory - TCRA-AD
24325 Resolving identity - INVALID
24313 Search for matching accounts at join point - tcra.go.tz
24318 No matching account found in forest - tcra.go.tz
24322 Identity resolution detected no matching account
24352 Identity resolution failed - ERROR_NO_SUCH_USER
24412 User not found in Active Directory - TCRA-AD
15013 Selected Identity Source - TCRA-AD
24430 Authenticating user against Active Directory - TCRA-AD
24325 Resolving identity - INVALID
24313 Search for matching accounts at join point - tcra.go.tz
24318 No matching account found in forest - tcra.go.tz
24322 Identity resolution detected no matching account
24352 Identity resolution failed - ERROR_NO_SUCH_USER
24412 User not found in Active Directory - TCRA-AD
22016 Identity sequence completed iterating the IDStores
22056 Subject not found in the applicable identity store(s)
22058 The advanced option that is configured for an unknown user is used
22061 The 'Reject' advanced option is configured in case of a failed authentication request
11815 Inner EAP-MSCHAP authentication failed
11520 Prepared EAP-Failure for inner EAP method
22028 Authentication failed and the advanced options are ignored
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
61025 Open secure connection with TLS peer
12307 PEAP authentication failed
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject

Re: Cisco Ise using default policy

Rob Ingram — Fri, 02 Oct 2020 11:09:05 GMT

The username says it's INVALID, which is why it's not found in the identity store and fails authentication.

To aid debugging, you can force Cisco ISE to display the invalid usernames. To do this, check the Disclose Invalid Usernames check box under Administration > System > Settings > Security Settings. You can also configure the Disclose Invalid Usernames option to time out, so that you do not have to manually turn it off

Re: Cisco Ise using default policy

Tutu — Fri, 02 Oct 2020 11:34:54 GMT

Okay thank you. I tried connecting a laptop thats part of the domain and it is asking for anyconnect - wired user name and password but when the the user puts in the username and password it does not connect.

Re: Cisco Ise using default policy

Rob Ingram — Fri, 02 Oct 2020 11:50:07 GMT

Right ok, so the initial computer/user you were troubleshooting with wasn't joined to the domain, so could have been sending the wrong identity to ISE. Disclosing the username on ISE would have revealed that

AnyConnect needs correctly configuring, it doesn't just work

Re: Cisco Ise using default policy

Tutu — Fri, 02 Oct 2020 12:03:14 GMT

The first PC i was troubleshooting is called Ian after enabling the disclosed invalid username it displayed the name Ian when connecting and the details as well as in the below screenshot.

But for the PC that's part of the domain, it is displaying as anonymous and when connected to the same port 10 on the switch it is bringing u the anyconnect pop-up

Re: Cisco Ise using default policy

Tutu — Mon, 05 Oct 2020 08:59:01 GMT

Hello Rob,

I tried connecting the pc thats part of the domain but i keep getting this error when trying to connet.

Overview
Event 5434 Endpoint conducted several failed authentications of the same scenario
Username anonymous
Endpoint Id E8:D8:D1:40:35:DD
Endpoint Profile
Authentication Policy Wired
Authorization Policy Wired
Authorization Result

Authentication Details
Source Timestamp 2020-10-05 08:46:16.186
Received Timestamp 2020-10-05 08:46:16.186
Policy Server TCRA-ISE-PAN
Event 5434 Endpoint conducted several failed authentications of the same scenario
Failure Reason 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate
Resolution Check whether the proper server certificate is installed and configured for EAP in the Local Certificates page ( Administration > System > Certificates > Local Certificates ). Also ensure that the certificate authority that signed this server certificate is correctly installed in client's supplicant. Check the previous steps in the log for this EAP-TLS conversation for a message indicating why the handshake failed. Check the OpenSSLErrorMessage and OpenSSLErrorStack for more information.
Root cause EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate
Username anonymous
Endpoint Id E8:D8:D1:40:35:DD
Audit Session Id 0AC8D0640000002514D361EB
Authentication Method dot1x
Authentication Protocol EAP-FAST
Service Type Framed
Network Device Test
Device Type All Device Types#Wired
Location All Locations#TCRA-HQ
NAS IPv4 Address 10.200.208.100
NAS Port Id GigabitEthernet1/0/10
NAS Port Type Ethernet

Other Attributes
ConfigVersionId 128
Device Port 1645
DestinationPort 1812
RadiusPacketType AccessRequest
UserName anonymous
Protocol Radius
NAS-IP-Address 10.200.208.100
NAS-Port 50110
Framed-MTU 1500
State 37CPMSessionID=0AC8D0640000002514D361EB;39SessionID=TCRA-ISE-PAN/390237529/100194;
IsEndpointInRejectMode false
NetworkDeviceProfileName Cisco
NetworkDeviceProfileId b0699505-3150-4215-a80e-6753d45bf56c
IsThirdPartyDeviceFlow false
RadiusFlowType Wired802_1x
SSID 3C-41-0E-F2-25-0A
AcsSessionID TCRA-ISE-PAN/390237529/100194
OpenSSLErrorMessage SSL alert: code=0x230=560 ; source=remote ; type=fatal ; message="unknown CA.s3_pkt.c:1498 error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca [error=336151576 lib=20 func=148 reason=1048]"
OpenSSLErrorStack 2695:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:s3_pkt.c:1498:SSL alert number 48
CPMSessionID 0AC8D0640000002514D361EB
EndPointMACAddress E8-D8-D1-40-35-DD
EapChainingResult No chaining
ISEPolicySetName Wired
StepData 4= DEVICE.Device Type
StepData 5= Normalised Radius.RadiusFlowType
DTLSSupport Unknown
Network Device Profile Cisco
Location Location#All Locations#TCRA-HQ
Device Type Device Type#All Device Types#Wired
IPSEC IPSEC#Is IPSEC Device#No
Called-Station-ID 3C:41:0E:F2:25:0A
CiscoAVPair service-type=Framed
audit-session-id 0AC8D0640000002514D361EB
method dot1x

Result
RadiusPacketType AccessReject

Session Events

Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12101 Extracted EAP-Response/NAK requesting to use EAP-FAST instead
12100 Prepared EAP-Request proposing EAP-FAST with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12102 Extracted EAP-Response containing EAP-FAST challenge-response and accepting EAP-FAST as negotiated
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12808 Prepared TLS ServerKeyExchange message
12810 Prepared TLS ServerDone message
12811 Extracted TLS Certificate message containing client certificate
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12815 Extracted TLS Alert message
12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate
61025 Open secure connection with TLS peer
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
5434 Endpoint conducted several failed authentications of the same scenario

Re: Cisco Ise using default policy

Rob Ingram — Mon, 05 Oct 2020 09:06:49 GMT

Like I said before "Does the client computer trust the certificate presented by ISE?"

From your output:-

Failure Reason 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate
Resolution Check whether the proper server certificate is installed and configured for EAP in the Local Certificates page ( Administration > System > Certificates > Local Certificates ).

Re: Cisco Ise using default policy

Tutu — Mon, 05 Oct 2020 09:08:13 GMT

Ok i realized where the issue is. I havent done the certificate part yet and im facing issues binding the certificate signing requests.