Beginner

802.1x auth sequence

Hello,

I am implementing an 802.1x environment using Cisco NAM for user+machine auth. I am using "Connect before Logon". When I put in my credentials and press enter I can immediately see the connection attempt in the ISE RADIUS logs, but it is only passing the host/machinename, which of course fails. It takes about three minutes before the machine passes username, host/machinename and then is connected.

Is there some way I can get the first connection request to pass the username and machinename?

ACCEPTED SOLUTION
Advocate

Re: 802.1x auth sequence

Recommend adding an Authorization Policy rule based on a Machine Auth Only match and assigning permissions to access AD domain controllers. This will allow the initial Machine Only auth to complete and allow the needed access to complete User Auth. In that second auth, the PAC received from Machine Auth will be combined with that of User Auth so that you can match your existing rule.

7 REPLIES
Advocate

Re: 802.1x auth sequence

Machine Auth should happen before User Auth.  That is expected behavior.  Not sure I follow "but it is only passing the host/machinename, which of course fails."  It would be expected for machine auth to start.  Why do you expect it to fail?  Make sure to check ISE logs to determine failure reason.

Beginner

Re: 802.1x auth sequence

Sorry, I will try to be more detailed. This is my first time deploying Cisco NAM and using EAP-FAST so perhaps I am missing something.

The authentication is done via AD username/pass and AD machine join. My authorization policy is set as "EAPChainingResult equals User and Machine both succeeded".

When the computer boots up and hits the log in screen, the host/machinename is set as the identity and it hits the BLACKHOLE policy. After the log in credentials are entered, the NAM dialog box comes up and shows "Associating, Stopping" for the 40 second time period and then logs in. 30 seconds to 2 minutes after reaching the Windows desktop, the username+machine name is passed as the identity and then the machine hits the EMPLOEE-ACCESS policy. Here is the connection from the ISE log.

[Screenshot attachment: Capture.PNG]

I guess what I am hoping for is that it will succeed on the first attempt and make the login process a bit shorter. With it doing the "Associating, Stopping" for the 40 seconds, I have a feeling I am going to get some push back from the executives because it's slowing down their log in process too much. I know I have the option to connect after logon, but I want network drives to attach properly.

Cisco Employee

Re: 802.1x auth sequence

Just to add some background on Craig's note on why you need to allow machine only policy to AD resources:

When the PC boots up (or when no user is logged in), the PC authenticates itself to the network using the machine account and that is when you see host/machinename. You need to provide access to the AD resources for machine only login for proper operation of Windows PCs that are part of the domain. During this state, the PC downloads GPO and, more importantly, it allows your user login to happen successfully against AD. If network access is blocked, the PC may try reaching the domain controllers, which could take a few minutes to fail, and eventually log in with cached credentials. When this happens, you will see that user+machine authentication eventually succeeds, but you will see a long delay, which is what you are experiencing. By allowing access to AD resources during the machine only state, your Windows login will be able to authenticate against the AD server without delay and transition from the machine only 802.1X state to the user+machine state.

Beginner

Re: 802.1x auth sequence

You guys are brilliant! I created a new DACL allowing only authentication access to AD and set a policy to allow "user failed and machine passed". I could see that the computer would get that policy at the login screen. Logging into the computer, the NAM dialog immediately showed "authenticating" and I can see the username, host\machine passed to ISE where it is authenticated and everything works perfectly.

Thank you again for the help.
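The fix agreed in this thread has two parts that interact: an ordered authorization policy in which a "machine succeeded, user failed" rule sits above the catch-all deny, and a downloadable ACL on that rule that lets a not-yet-logged-on PC reach its domain controller and nothing else. The following Python model is an added example (not code from the thread, Cisco NAM or ISE) that shows why the boot-time EAP chaining result must land on such a rule. The addresses, the EAPChainingResult labels, the rule and profile names and the dACL port list (DNS, Kerberos, LDAP, SMB, RPC) are all constructed assumptions for the illustration; the exact ports a domain-joined Windows host needs depend on the environment.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# EAP chaining outcomes as the thread describes them. These strings are
# constructed labels for the model, not ISE's literal attribute values.
BOTH_SUCCEEDED = "User and Machine both succeeded"
MACHINE_ONLY = "User failed and Machine succeeded"

# Constructed lab addresses (assumptions, not from the thread).
DC_IP = "10.10.0.10"
FILE_SERVER_IP = "10.10.5.20"

# Constructed downloadable ACL for the machine-only state: reach the domain
# controller for DNS, Kerberos, LDAP, SMB (SYSVOL/GPO) and RPC, nothing else.
# The port list is a typical baseline and is an assumption for this example.
AD_AUTH_ONLY_DACL = f"""
permit udp any host {DC_IP} eq 53
permit udp any host {DC_IP} eq 88
permit tcp any host {DC_IP} eq 88
permit udp any host {DC_IP} eq 389
permit tcp any host {DC_IP} eq 389
permit tcp any host {DC_IP} eq 445
permit tcp any host {DC_IP} eq 135
deny ip any any
"""


@dataclass
class AclEntry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp" or "udp"
    dst: ipaddress.IPv4Network  # destination match
    port: Optional[int]         # destination port from "eq N", or None


def parse_dacl(text: str) -> list[AclEntry]:
    """Parse the subset of IOS extended-ACL syntax used above (source is always 'any')."""
    entries = []
    for raw in text.strip().splitlines():
        tok = raw.split()
        action, proto = tok[0], tok[1]
        i = 3  # tok[2] is the source ("any"); the destination spec starts at tok[3]
        if tok[i] == "any":
            dst, i = ipaddress.IPv4Network("0.0.0.0/0"), i + 1
        elif tok[i] == "host":
            dst, i = ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
        else:  # "network wildcard" form, e.g. 10.10.0.0 0.0.0.255
            dst, i = ipaddress.IPv4Network((tok[i], tok[i + 1])), i + 2
        port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        entries.append(AclEntry(action, proto, dst, port))
    return entries


def dacl_permits(entries: list[AclEntry], proto: str, dst_ip: str, port: int) -> bool:
    """First-match evaluation with the implicit deny at the end, as on the switch."""
    addr = ipaddress.IPv4Address(dst_ip)
    for e in entries:
        if e.proto not in ("ip", proto) or addr not in e.dst:
            continue
        if e.port is not None and e.port != port:
            continue
        return e.action == "permit"
    return False


def build_authz_policy(with_machine_only_rule: bool):
    """Ordered rules: (name, required EAPChainingResult or None for the catch-all, profile)."""
    rules = [("EMPLOYEE-ACCESS", BOTH_SUCCEEDED, "PermitAccess")]
    if with_machine_only_rule:
        rules.append(("MACHINE-ONLY", MACHINE_ONLY, "AD-AUTH-ONLY"))
    rules.append(("BLACKHOLE", None, "DenyAccess"))
    return rules


def match_rule(rules, chaining_result: str):
    """Return (rule name, authorization profile) of the first rule that matches."""
    for name, required, profile in rules:
        if required is None or required == chaining_result:
            return name, profile
    raise RuntimeError("no catch-all rule")


def logon_sequence(with_machine_only_rule: bool) -> list[str]:
    """Walk the two 802.1X phases of a domain PC boot followed by an interactive logon."""
    rules = build_authz_policy(with_machine_only_rule)
    dacl = parse_dacl(AD_AUTH_ONLY_DACL)
    trace = []
    # Phase 1: nobody is logged in, so the supplicant authenticates the machine account only.
    rule, profile = match_rule(rules, MACHINE_ONLY)
    trace.append(f"boot: {rule} -> {profile}")
    # Phase 2: the user logs on. Windows needs Kerberos to the DC to do that promptly,
    # and only the MACHINE-ONLY profile carries a dACL that allows it.
    kerberos_ok = profile == "AD-AUTH-ONLY" and dacl_permits(dacl, "tcp", DC_IP, 88)
    trace.append("logon: DC reachable, AD auth immediate" if kerberos_ok
                 else "logon: DC blocked, DC lookup times out, cached credentials")
    rule, profile = match_rule(rules, BOTH_SUCCEEDED)
    trace.append(f"chained: {rule} -> {profile}")
    return trace
```

Running `logon_sequence(False)` reproduces the original symptom (boot lands on BLACKHOLE, the logon stalls until the DC lookup gives up), while `logon_sequence(True)` shows the boot-time result landing on MACHINE-ONLY with Kerberos to the DC permitted and everything else, such as SMB to the file server, still denied until the chained user+machine authentication matches EMPLOYEE-ACCESS. The rule order matters: the machine-only rule must be evaluated before the catch-all deny, and its dACL should stay as narrow as the domain logon requires.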

Advocate

Re: 802.1x auth sequence

Great.  Glad this resolved the issue.  Thanks for following up to confirm solution.