2447 Views | 0 Helpful | 6 Replies

802.1X with ISE

AbelBurgos5029
Level 1

Hello everyone,

I am looking for some troubleshooting advice and/or ideas on an 802.1x configuration that I am working on in my network. Here are some details:

1- The authentication server is Cisco ISE
2- The authenticator is a Cisco 9300 3-switch stack
3- Supplicant is the Windows 10 supplicant software


I have everything working fine. The supplicant is able to communicate with the authenticator via PEAP, the authenticator is able to get credentials from Active Directory (through ISE, of course) and authenticate the user, and then the authenticator is able to receive the DACL and apply it to the port.

Here is the issue:

For some reason, when a new user tries to log in, access to the network is granted, but when I check the RADIUS logs on ISE, it does not log the successful authentication. It is not until I manually disable and enable the NIC on the supplicant that the "windows security sign in" window pops up asking for the credentials one more time. Once the user provides those credentials in the "windows security sign in" window, the NIC shows that it is connected to the domain and ISE logs the successful authentication.

Is there a way to make the windows security sign in pop up automatically once the user logs into the machine? Any ideas on what's going on?

Any help will be appreciated!

Thanks!

Abel

6 Replies

Hi,
What is the configuration of your switches?
Do you have aaa accounting configured on the switches?

If the computers are joined to Active Directory, you should configure a GPO to configure the Windows native supplicant. This will transparently authenticate the computer and user, so no prompt for authentication credentials is required. Guide here.

HTH

Hello,

I do have a GPO with all the 802.1x supplicant configuration being pushed to the supplicants.

After reading the link you sent me, I noticed that the only thing different between my current configuration and the one in the link is that I am not selecting "validate server certificate." I do not currently have a Root CA configured and was hoping not to have to use that option.

What do you think?

When using PEAP/MSCHAPv2, this will still use a server-side certificate.
ISE will have a certificate for "EAP Authentication"; the CA that signed it can be imported into the computer's certificate store.

Thanks for this info. I will give it a try and share the results.

Hello,

I did some troubleshooting on this today and here are some updates:

I imported the ISE self-signed certificate into one of the workstations' user and local computer trusted certificate stores. It seems to be working, although it gives me the untrusted warning every time I try to authenticate (which is fine).

Here is the real issue I am running into:

Every time I log in to the computer and go to the NIC properties, it will show "attempting to authenticate" and will not complete the authentication until I either reset the NIC or click "switch user" and log back in with the same user. Once I do one of those two things, the "windows security login" pops up asking for the credentials once again. Once I re-enter the credentials, that's when the authentication is completed and the log appears in the ISE RADIUS log as successful.

Any ideas why the "windows security login" doesn't appear without having to mess with the computer NIC?

Thanks

Also,

I could share some of the switch config tomorrow if needed.
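The two supplicant-side steps discussed in this thread (trusting the certificate that signs the ISE "EAP Authentication" certificate so that "validate server certificate" can be enabled, and getting the native wired supplicant to complete authentication without a manual NIC reset) can be checked from an elevated PowerShell prompt on the workstation. The script below is an added example, not code from the thread or from Cisco; the path, thumbprint and adapter name are placeholders to be replaced with the exported ISE certificate and the machine's own values. It imports the certificate into the machine Trusted Root store, confirms the Wired AutoConfig service is running, dumps the applied 802.1X profile, and pulls the supplicant's own authentication events so they can be compared against the ISE RADIUS live log.

```powershell
<#
  Added example (not from the thread): supplicant-side checks for wired 802.1X
  with PEAP/MSCHAPv2 against ISE. Run as Administrator.
  $CaCertPath, $IseEapThumbprint and $NicAlias are placeholders.
#>

$CaCertPath       = 'C:\Temp\ise-eap-ca.cer'                    # placeholder: exported ISE EAP cert or its signing CA (DER/Base64)
$IseEapThumbprint = '0000000000000000000000000000000000000000'   # placeholder: SHA-1 thumbprint of that certificate
$NicAlias         = 'Ethernet'                                    # placeholder: wired adapter name from Get-NetAdapter

# 1. Trust the certificate that signs the ISE "EAP Authentication" certificate.
#    A self-signed ISE certificate has no separate CA, so the certificate itself
#    must sit in Trusted Root; "Validate server certificate" in the supplicant
#    profile only succeeds when the server's chain terminates in this store.
if (Test-Path -Path $CaCertPath) {
    Import-Certificate -FilePath $CaCertPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
}

$trusted = Get-ChildItem -Path 'Cert:\LocalMachine\Root' |
           Where-Object { $_.Thumbprint -eq $IseEapThumbprint }
if ($trusted) {
    Write-Host "Trusted root present: $($trusted.Subject) (valid until $($trusted.NotAfter))"
} else {
    Write-Warning "Certificate $IseEapThumbprint not found in LocalMachine\Root; server validation will fail or prompt."
}

# 2. The Wired AutoConfig service (dot3svc) drives 802.1X on Ethernet adapters.
#    It is often left at Manual/stopped on client images, in which case the
#    supplicant never starts EAPOL on its own after logon.
$dot3 = Get-Service -Name dot3svc
if ($dot3.StartType -ne 'Automatic') { Set-Service -Name dot3svc -StartupType Automatic }
if ($dot3.Status -ne 'Running')      { Start-Service -Name dot3svc }
$dot3 = Get-Service -Name dot3svc
Write-Host "dot3svc: status $($dot3.Status), startup $($dot3.StartType)"

# 3. Current 802.1X state of the adapter and the wired profile actually applied
#    (authentication mode, EAP type, server validation), as netsh reports them.
#    This is where a GPO-pushed profile can be confirmed to have landed.
netsh lan show interfaces
netsh lan show profiles interface="$NicAlias"

# 4. The supplicant's own record of each authentication attempt. Comparing the
#    timestamps here with the ISE RADIUS live log shows whether an attempt was
#    made at logon at all, or only after the NIC was reset.
Get-WinEvent -LogName 'Microsoft-Windows-Wired-AutoConfig/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object -Property TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap
```

The output is meant to be read alongside the switch-side `show authentication sessions` and the ISE live log for the same port: if the Wired-AutoConfig log shows no attempt until the adapter is reset, the problem is on the supplicant (service start type or profile), whereas an attempt that the supplicant records but ISE never logs points at the switch's RADIUS configuration, which is why the first reply asked for the switch config and whether aaa accounting is enabled.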