topic Re: C9800 Admin access through GUI with MFA in Wireless

C9800 Admin access through GUI with MFA

JPavonM — Fri, 31 May 2024 10:53:48 GMT

Hi wireless colleagues,

After multiple tries with the configurations I have managed to enable MFA on the C9800 for admin access through CLI by using TACACS+. The integration is done via ISE with NPS as Proxy RADIUS to Entra ID MFA Service in the cloud.

Now, I've created a RADIUS Policy cloned from the TACACS+ one on ISE, and similar in the C9800 configuration, but the problem is that when I enter my credentials on the GUI login page, the MS Authenticator App returns me the code (like it happen on CLI access), but before that the GUI timeouts the session and returns me "Wrong Credentials. Please Login again", but tehre aren't any pop-up asking for the code.

I doubt this is related to a timeout as it is set to 30 seconds.

Have any of you managed to have this integration working on C9800 GUI access with ISE+NPS+EntraID for MFA?

Below you can find the log record for the failure if it could be of any help.

Re: C9800 Admin access through GUI with MFA

Mark Elsen — Fri, 31 May 2024 10:59:04 GMT

- Check NPS (radius server) logs for this failing authentication and also check the C9800's logs ,
(just after trying to use the GUI)

Re: C9800 Admin access through GUI with MFA

JPavonM — Fri, 31 May 2024 11:54:50 GMT

@Mark Elsen that does not return any clue about what is happening on the C9800:
C9800:

May 31 2024 11:49:33.719 UTC: %WEBSERVER-5-SESS_TIMEOUT: Chassis 1 Session timeout from host x.y.z.1 by user 'user1' using crypto cipher 'ECDHE-RSA-AES128-GCM-SHA256'
May 31 2024 11:49:38.319 UTC: %HA_EM-6-LOG: catchall: show banner loginMay 31 2024 11:49:38.297 UTC: %WEBSERVER-5-LOGIN_FAILED: Chassis 1 Login Un-Successful from host x.y.z.1

ISE:

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11117 Generated a new session ID
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Radius.NAS-Port-Type
15048 Queried PIP - Network Access.Protocol
15048 Queried PIP - DEVICE.Location
15048 Queried PIP - DEVICE.Device Type
15041 Evaluating Identity Policy
15048 Queried PIP - Network Access.UserName
15048 Queried PIP - Network Access.AuthenticationMethod
22072 Selected identity source sequence - ISE_NS_ENTRA_AD_Sequence
15013 Selected Identity Source - NPS_ENTRAID_MFA_Proxy
24638 Passcode cache is not enabled in the RADIUS token identity store configuration - NPS_ENTRAID_MFA_Proxy
24609 RADIUS token identity store is authenticating against the primary server - NPS_ENTRAID_MFA_Proxy
11100 RADIUS-Client about to send request - ( port = 1812 )
11101 RADIUS-Client received response (step latency=2565 ms Step latency=2565 ms)
24615 RADIUS token identity store received access challenge response
11006 Returned RADIUS Access-Challenge
11041 RADIUS PAP session timed out (step latency=120000 ms Step latency=120000 ms)
5416 RADIUS PAP session cleaned up

Re: C9800 Admin access through GUI with MFA

Mark Elsen — Fri, 31 May 2024 13:41:32 GMT

- Ok , but I was also asking about the - NPS_ENTRAID_MFA_Proxy (radius server) logs and if the logs from
Entra ID MFA Service for the attempted authentications ,

Re: C9800 Admin access through GUI with MFA

JPavonM — Mon, 03 Jun 2024 10:08:05 GMT

I don't have any interpreter for NPS Logs working with MFA Extension, and the online interpreter I'm using for standard NPS Logs does not return useful information.

"NPSMFA","IAS",06/03/2024,11:58:48,1,"user1","domain.net/Administrators/User1",,,,,,"10.1.1.231",,0,"10.1.1.161","isepsn001",,,,,,,1,"Cisco WLC - Superuser - Proxy RADIUS Auth - AAD MFA",0,"311 1 10.1.1.159 06/01/2024 20:28:24 15",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
"NPSMFA","IAS",06/03/2024,11:58:48,11,,"domain.net/Administrators/User1",,,,,,,,0,"10.1.1.161","isepsn001",,,,,,,1,"Cisco WLC - Superuser - Proxy RADIUS Auth - AAD MFA",0,"311 1 10.1.1.159 06/01/2024 20:28:24 15",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,

Re: C9800 Admin access through GUI with MFA

Mark Elsen — Mon, 03 Jun 2024 10:15:21 GMT

- It comes down to that you also need to be able to view the logs from the Entra ID MFA Service in the cloud
and check the status of the particular attempted authentication(s)

Re: C9800 Admin access through GUI with MFA

JPavonM — Mon, 03 Jun 2024 11:33:57 GMT

Unfortunately I have no access to Entra ID MFA service so I can't check them, BUT this is working for CLI access.

THE problem is that C9800 GUI is not poping up a windoes asking to enter teh coed I'm receiving from the MS Authenticator App, so the authentication fail becuase I don't have any mean to enter the MFA code.

Re: C9800 Admin access through GUI with MFA

Mark Elsen — Mon, 03 Jun 2024 11:46:35 GMT

>...Unfortunately I have no access to Entra ID MFA service
- Following the arguments you mentioned later (too) , this should be considered essential (to be able to query it) ; perhaps contact provider (support) for the service and ask for the info's that you need.

- For the rest check controller logs when the GUI attempt fails ;
- What is the controller software version ?
- Found https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwj28151 ; not sure if it that is indicative ,

Re: C9800 Admin access through GUI with MFA

JPavonM — Mon, 10 Jun 2024 07:36:23 GMT

The solution pointed out in the bug that @Mark Elsen shared is the workaround I'm using at this time, having first an ISE policy to match NAS-Port-Type virtual plus NAS-Port-Id containing the string "tty", and a second policy only with NAS-Port-Type, as that is the only difference between both requests from IOS-XE:

Re: C9800 Admin access through GUI with MFA

Rich R — Sun, 04 Aug 2024 23:24:45 GMT

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/R6BGArNQ/TECSEC-3416.pdf says "Web UI uses CLI commands in the background" so I think it's a limitation in the GUI coding - probably needs an enhancement request via your account team. Frankly it's shocking that this could have been overlooked! I expect that the new UK Telecoms Security Act will make this mandatory so Cisco might be forced to review it...

Re: C9800 Admin access through GUI with MFA

Farooq Mohammed — Fri, 29 Aug 2025 04:30:47 GMT

@JPavonM Does the above workaround prompt for inline MFA on C9800 GUI ?

Re: C9800 Admin access through GUI with MFA

JPavonM — Fri, 29 Aug 2025 09:41:18 GMT

We are using Notifications in the Auth App, but when I was also testing TOTP codes inline, yes it was working.