topic Thanks everyone for your in Network Security

Finding out root cause for ISE 802.1x failure ?

rfreytag — Fri, 21 Feb 2020 13:14:17 GMT

I am trying to get a MacBook up on our internal Wifi.

For that, I create an XML file using IPhone Configuration Utility. Pretty straightforward. You tell it what SSID, PEAP, certs to use, then I import that file into the MacBook.

Bottom line is it never matches my ISE rules, so I get the default Deny.

This is the first attempt to get a Mac on this network. Windows machines are set up and working fine on the internal Wifi.

I confirmed with the AD administrator that this machine name is in their system. As you can see, it authenticates to AD.

So it appears that it 802.1x is failing. How do I find out *exactly* why? I cannot tell if it is a cert issue, or something else.

Any suggestions on finding the root cause?

Thanks!

From ISE, for my Mac's MAC address:

[snip]

11001 : Received RADIUS Access-Request

11018 : RADIUS is re-using an existing session

12302 : Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated

12319 : Successfully negotiated PEAP version 1

12800 : Extracted first TLS record; TLS handshake started

12805 : Extracted TLS ClientHello message

12806 : Prepared TLS ServerHello message

12807 : Prepared TLS Certificate message

12810 : Prepared TLS ServerDone message

12305 : Prepared EAP-Request with another PEAP challenge

11006 : Returned RADIUS Access-Challenge

11001 : Received RADIUS Access-Request

11018 : RADIUS is re-using an existing session

12304 : Extracted EAP-Response containing PEAP challenge-response

12305 : Prepared EAP-Request with another PEAP challenge

11006 : Returned RADIUS Access-Challenge

11001 : Received RADIUS Access-Request

11018 : RADIUS is re-using an existing session

12304 : Extracted EAP-Response containing PEAP challenge-response

12305 : Prepared EAP-Request with another PEAP challenge

11006 : Returned RADIUS Access-Challenge

11001 : Received RADIUS Access-Request

11018 : RADIUS is re-using an existing session

12304 : Extracted EAP-Response containing PEAP challenge-response

12305 : Prepared EAP-Request with another PEAP challenge

11006 : Returned RADIUS Access-Challenge

11001 : Received RADIUS Access-Request

11018 : RADIUS is re-using an existing session

12304 : Extracted EAP-Response containing PEAP challenge-response

12305 : Prepared EAP-Request with another PEAP challenge

11006 : Returned RADIUS Access-Challenge

11001 : Received RADIUS Access-Request

11018 : RADIUS is re-using an existing session

12304 : Extracted EAP-Response containing PEAP challenge-response

12305 : Prepared EAP-Request with another PEAP challenge

11006 : Returned RADIUS Access-Challenge

11001 : Received RADIUS Access-Request

11018 : RADIUS is re-using an existing session

12304 : Extracted EAP-Response containing PEAP challenge-response

12319 : Successfully negotiated PEAP version 1

12812 : Extracted TLS ClientKeyExchange message

12804 : Extracted TLS Finished message

12801 : Prepared TLS ChangeCipherSpec message

12802 : Prepared TLS Finished message

12816 : TLS handshake succeeded

12310 : PEAP full handshake finished successfully

12305 : Prepared EAP-Request with another PEAP challenge

11006 : Returned RADIUS Access-Challenge

11001 : Received RADIUS Access-Request

11018 : RADIUS is re-using an existing session

12304 : Extracted EAP-Response containing PEAP challenge-response

12313 : PEAP inner method started

11521 : Prepared EAP-Request/Identity for inner EAP method

12305 : Prepared EAP-Request with another PEAP challenge

11006 : Returned RADIUS Access-Challenge

11001 : Received RADIUS Access-Request

11018 : RADIUS is re-using an existing session

12304 : Extracted EAP-Response containing PEAP challenge-response

11522 : Extracted EAP-Response/Identity for inner EAP method

11806 : Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge

12305 : Prepared EAP-Request with another PEAP challenge

11006 : Returned RADIUS Access-Challenge

11001 : Received RADIUS Access-Request

11018 : RADIUS is re-using an existing session

12304 : Extracted EAP-Response containing PEAP challenge-response

11808 : Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated

15041 : Evaluating Identity Policy

15006 : Matched Default Rule

15013 : Selected Identity Source - AD-myconame

24430 : Authenticating user against Active Directory

24402 : User authentication against Active Directory succeeded

22037 : Authentication Passed

11824 : EAP-MSCHAP authentication attempt passed

12305 : Prepared EAP-Request with another PEAP challenge

11006 : Returned RADIUS Access-Challenge

11001 : Received RADIUS Access-Request

11018 : RADIUS is re-using an existing session

12304 : Extracted EAP-Response containing PEAP challenge-response

11810 : Extracted EAP-Response for inner method containing MSCHAP challenge-response

11814 : Inner EAP-MSCHAP authentication succeeded

11519 : Prepared EAP-Success for inner EAP method

12314 : PEAP inner method finished successfully

12305 : Prepared EAP-Request with another PEAP challenge

11006 : Returned RADIUS Access-Challenge

11001 : Received RADIUS Access-Request

11018 : RADIUS is re-using an existing session

12304 : Extracted EAP-Response containing PEAP challenge-response

24423 : ISE has not been able to confirm previous successful machine authentication for user in Active Directory

15036 : Evaluating Authorization Policy

24432 : Looking up user in Active Directory - myfirstname.mylastname

24416 : User's Groups retrieval from Active Directory succeeded

15048 : Queried PIP

15048 : Queried PIP

15048 : Queried PIP

15048 : Queried PIP

15048 : Queried PIP

15004 : Matched rule - Default

15016 : Selected Authorization Profile - DenyAccess

15039 : Rejected per authorization profile

12306 : PEAP authentication succeeded

11503 : Prepared EAP-Success

11003 : Returned RADIUS Access-Reject

24423 ISE has not been able

mohanak — Thu, 17 Jul 2014 10:47:55 GMT

24423 ISE has not been able to confirm previous successful machine authentication for user in Active Directory.

If you manually register the device, using the my devices portal, then you can get the user on.

It would look like its trying to authenticate their machine in the directory, which would fail since their device won't be in the directory.

Can you post a screen shot of

nspasov — Tue, 22 Jul 2014 16:49:26 GMT

Can you post a screen shot of your authorization rules?

Adding a System profile-

Saurav Lodh — Fri, 01 Aug 2014 06:33:57 GMT

Adding a System profile--recommended method for adding an 802.1X System profile

If you will be using TLS authentication, before doing anything else you will need to install a user or system certificate/private key pair as appropriate. We recommend that this is done by your System Administrator.

Connect to the network and use the Directory Utility to make sure you're bound to an applicable Server such as Open Directory (OD), or Active Directory (AD) needed for your network homes and authentication.
This will normally be done over a wired ethernet Network connection.
For Open Directory you may not have to bind as Mac OS X supports Anonymous binding, and the OD information can be sent via DHCP. This means you can create the connection and log in with an OD account, providing the 802.1X authentication succeeds first and the DHCP server is configured to send the OD server data.
Choose Apple > System Preferences > Network.
From the Location pop-up menu select Edit Locations.
Click Add (+) at the bottom of the Locations, and create a new Location and name it to remind you of what this Location is for, then click Done.
Select the appropriate network service to set up, such as Ethernet or AirPort from the network connection services list, and then click Advanced.
Click the 802.1X tab.
Click Add (+) at the bottom of the profiles list, and choose Add System Profile. (If you wish, rename the Untitled profile to something else.)
Enter the User Name and Password
Choose a network from the Wireless Network pop-up menu. If you are setting up a 'wireless' 802.1X connection and your wireless network name (SSID) is hidden, you will need to manually type it in exactly. It is case sensitive.
Select and configure the appropriate EAP Authentication types for your network. The default is PEAP and TTLS.
Click OK to save the profile.
Click Apply to save the 802.1X configuration.
You may be prompted to trust a certificate from the server if it was issued from a non-trusted CA, in which case you will see a new entry added in Login keychain.
You'll be asked for your admin password so you can set the required level of trust on that certificate.
If you want to be able rejoin the network after waking from sleep you also have to ensure the network is checked in the Preferred Network list (or the Remember networks option is checked).

check if you are hitting

Venkatesh Attuluri — Fri, 01 Aug 2014 16:21:55 GMT

check if you are hitting correct authorization rule, check if "ACCESS_REJECT " attribute is selected.The authorization profile with the ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate authorization policy rule-results

Thanks everyone for your

rfreytag — Mon, 18 Aug 2014 19:46:27 GMT

Thanks everyone for your suggestions.

It turns out there were a couple of issues.

1) I was using the wrong client to configure the MacBook supplicant. IPhone Configuration Utility did not work. Then another one was tried - I think it was Apple configurator. The one that worked was Mac Server (according to our Mac guy)

2) I was unknowingly hitting a bug on Cisco wireless LAN controller. I had to upgrade from 7.6.120.0 to 7.6.120.1 I only found out about this by performing a debug. I had to get the 7.6.120.1 file from the TAC Engineer. It is not available for download otherwise.
The symptoms was that periodically no one could connect to one of the several SSID's on our WLC. However the other SSID's were fine; people were able to connect. However it cleared itself up - people would be able to connect again to all SSID, and then it start all over. There didn't seem to be a pattern.

Details of the bug are :

Error Message %APF-1-USER_ADD_FAILED: Unable to create username [chars] for
mobile[hex]:[hex]:[hex]:[hex]:[hex]:[hex]

Explanation Could not create the associated username entry for a mobile due to internal error.

Recommended Action Copy the message exactly as it appears on the console or in the system log. Research and attempt to resolve the issue using the tools and utilities provided at http://www.cisco.com/tac. With some messages, these tools and utilities will supply clarifying information. Search for resolved software issues using the Bug Toolkit at http://tools.cisco.com/Support/BugToolKit/ . If you still require assistance, open a case with the Technical Assistance Center via the Internet at http://tools.cisco.com/ServiceRequestTool/create/launch.do, or contact your Cisco technical support representative and provide the representative with the information you have gathered.

This is resolved.

Thanks for taking the time to

nspasov — Mon, 18 Aug 2014 19:46:28 GMT

Thanks for taking the time to come back and share the solution to the problem (+5 from me). Can you also share the bug ID that you were hitting?

Also, you should mark the thread as "Answered" if your issue is resolved 🙂