08-22-2016 12:46 PM
Hi,
I'm testing EAP-Chaining on ISE 2.1 with the latest AnyConnect 4.3 in my lab. I ran into some problems with Machine Authentication with Cert.
I'm using a W2k8 CA in my lab with auto-enroll set up for domain laptops; Machine Auth is using Cert, User Auth is using username/password. Everything looks OK, but I keep getting this error:
12219 | Selected identity type 'Machine' | |
12125 | EAP-FAST inner method started | |
11521 | Prepared EAP-Request/Identity for inner EAP method | |
12105 | Prepared EAP-Request with another EAP-FAST challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12104 | Extracted EAP-Response containing EAP-FAST challenge-response | |
12212 | Identity type provided by client is equal to requested | |
11522 | Extracted EAP-Response/Identity for inner EAP method | |
11806 | Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge | |
12105 | Prepared EAP-Request with another EAP-FAST challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12104 | Extracted EAP-Response containing EAP-FAST challenge-response | |
12523 | Extracted EAP-Response/NAK for inner method requesting to use EAP-TLS instead | |
12522 | Prepared EAP-Request for inner method proposing EAP-TLS with challenge | |
12625 | Valid EAP-Key-Name attribute received | |
12105 | Prepared EAP-Request with another EAP-FAST challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12104 | Extracted EAP-Response containing EAP-FAST challenge-response | |
12524 | Extracted EAP-Response containing EAP-TLS challenge-response for inner method and accepting EAP-TLS as negotiated | |
12800 | Extracted first TLS record; TLS handshake started | |
12805 | Extracted TLS ClientHello message | |
12806 | Prepared TLS ServerHello message | |
12807 | Prepared TLS Certificate message | |
12808 | Prepared TLS ServerKeyExchange message | |
12809 | Prepared TLS CertificateRequest message | |
12527 | Prepared EAP-Request for inner method with another EAP-TLS challenge | |
12105 | Prepared EAP-Request with another EAP-FAST challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12104 | Extracted EAP-Response containing EAP-FAST challenge-response | |
12526 | Extracted EAP-Response for inner method containing TLS challenge-response | |
12527 | Prepared EAP-Request for inner method with another EAP-TLS challenge | |
12105 | Prepared EAP-Request with another EAP-FAST challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12104 | Extracted EAP-Response containing EAP-FAST challenge-response | |
12105 | Prepared EAP-Request with another EAP-FAST challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12104 | Extracted EAP-Response containing EAP-FAST challenge-response | |
12526 | Extracted EAP-Response for inner method containing TLS challenge-response | |
12571 | ISE will continue to CRL verification if it is configured for specific CA - certificate for WIN7DOMAIN2.ICNLAB.COM | |
12811 | Extracted TLS Certificate message containing client certificate | |
12812 | Extracted TLS ClientKeyExchange message | |
12813 | Extracted TLS CertificateVerify message | |
12804 | Extracted TLS Finished message | |
12801 | Prepared TLS ChangeCipherSpec message | |
12802 | Prepared TLS Finished message | |
12816 | TLS handshake succeeded | |
12509 | EAP-TLS full handshake finished successfully | |
12527 | Prepared EAP-Request for inner method with another EAP-TLS challenge | |
12105 | Prepared EAP-Request with another EAP-FAST challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12104 | Extracted EAP-Response containing EAP-FAST challenge-response | |
12526 | Extracted EAP-Response for inner method containing TLS challenge-response | |
15041 | Evaluating Identity Policy | |
15004 | Matched rule - Default | |
15006 | Matched Default Rule | |
22072 | Selected identity source sequence - Certificate_Request_Sequence | |
22070 | Identity name is taken from certificate attribute | |
15013 | Selected Identity Source - ICNLABDC1 | |
24433 | Looking up machine in Active Directory - ICNLABDC1 | |
24325 | Resolving identity - WIN7DOMAIN2$@ICNLAB.COM | |
24313 | Search for matching accounts at join point - icnlab.com | |
24318 | No matching account found in forest - icnlab.com | |
24363 | Client certificate does not match AD account certificate - win7domain2$@icnlab.com | |
24314 | No matching account found in domain - icnlab.com | |
24322 | Identity resolution detected no matching account | |
24352 | Identity resolution failed - ERROR_NO_SUCH_USER | |
24437 | Machine not found in Active Directory - ICNLABDC1 | |
22016 | Identity sequence completed iterating the IDStores | |
22056 | Subject not found in the applicable identity store(s) | |
22058 | The advanced option that is configured for an unknown user is used | |
22061 | The 'Reject' advanced option is configured in case of a failed authentication request | |
12529 | Inner EAP-TLS authentication failed | |
11520 | Prepared EAP-Failure for inner EAP method | |
12117 | EAP-FAST inner method finished with failure |
Any ideas? It looks like ISE found the cert and tried to auth with AD, but couldn't find it. I do have this device in my AD. TEST from ISE is working.
08-22-2016 06:41 PM
Binary compare is enabled in the cert auth profile, so it might be either that the computer certificate is not published to AD or that the correct one is not published there. The auth should succeed either by disabling binary compare or by publishing the correct endpoint certificate.
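An added diagnostic for the binary-compare mismatch described above (example code, not from the thread or from Cisco): it lists the machine certificates the laptop holds and the ones published in the computer object's userCertificate attribute, then checks whether any thumbprint matches. It assumes it runs on the domain-joined laptop with the RSAT ActiveDirectory module installed; the computer name is taken from the thread's log.

```powershell
# Added diagnostic (not from the thread): compare the machine cert(s) a domain
# laptop holds with the cert(s) published on its AD computer object, the way ISE's
# binary compare does (exact DER match, checked here via the SHA-1 thumbprint).
# Assumptions: run on the laptop itself as an administrator, with the RSAT
# ActiveDirectory module available; the computer name is the one from the log.
param(
    [string]$ComputerName = 'WIN7DOMAIN2'   # sAMAccountName without the trailing $
)
Import-Module ActiveDirectory

# userCertificate is multi-valued and holds the DER bytes of each published cert
$adComputer = Get-ADComputer -Identity $ComputerName -Properties userCertificate
$published = @(foreach ($der in $adComputer.userCertificate) {
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList (,[byte[]]$der)
})

# Candidate client certs: machine store, private key present, subject is this host
$local = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.Subject -like "CN=$ComputerName.*"
})

Write-Host "Published in AD for $ComputerName : $($published.Count)"
$published | Format-Table Thumbprint, SerialNumber, NotBefore, NotAfter -AutoSize
Write-Host "Held in Cert:\LocalMachine\My : $($local.Count)"
$local | Format-Table Thumbprint, SerialNumber, NotBefore, NotAfter -AutoSize

$matched = $false
foreach ($cert in $local) {
    if ($published.Thumbprint -contains $cert.Thumbprint) {
        Write-Host "MATCH  $($cert.Thumbprint) is published in AD; binary compare will pass"
        $matched = $true
    } else {
        # Typical after re-enrollment: same subject, new serial, old cert still in AD
        Write-Host "STALE  $($cert.Thumbprint) is not published in AD"
    }
}
if (-not $matched) {
    Write-Warning "No local cert matches AD: re-enroll so the laptop and AD hold the same cert, or disable binary compare in the ISE cert auth profile."
}
```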
08-22-2016 02:16 PM
What is the Certificate Authentication Profile you are using? Could you share that here?
08-22-2016 06:28 PM
I configured "Certificate_request_Sequence" for the authentication store. I don't know if there is anything wrong.
Here is the authorization rule with EAP-Chaining; it seems I cannot put both MSCHAP2 and TLS in the rule.
08-22-2016 02:39 PM
And when you do a test/lookup on the machine (test User), what's the result? Could you post it as well?
08-22-2016 06:21 PM
11001 | Received RADIUS Access-Request | |
11017 | RADIUS created a new session | |
11027 | Detected Host Lookup UseCase (Service-Type = Call Check (10)) | |
15049 | Evaluating Policy Group | |
15008 | Evaluating Service Selection Policy | |
15048 | Queried PIP - DEVICE.Device Type | |
15048 | Queried PIP - DEVICE.Location | |
15048 | Queried PIP - Radius.NAS-Port-Type | |
15048 | Queried PIP - Normalised Radius.RadiusFlowType | |
15004 | Matched rule - MAB | |
15041 | Evaluating Identity Policy | |
15006 | Matched Default Rule | |
15013 | Selected Identity Source - Internal Endpoints | |
24209 | Looking up Endpoint in Internal Endpoints IDStore - 00:0C:29:16:FA:3D | |
24211 | Found Endpoint in Internal Endpoints IDStore | |
22037 | Authentication Passed | |
15036 | Evaluating Authorization Policy | |
15048 | Queried PIP - Network Access.EapTunnel (3 times) | |
15048 | Queried PIP - EndPoints.LogicalProfile | |
15004 | Matched rule - Default | |
15016 | Selected Authorization Profile - INTERNET_ONLY_PROFILE | |
11022 | Added the dACL specified in the Authorization Profile | |
11002 | Returned RADIUS Access-Accept |
Here is the same laptop doing MAB authentication; it has no problem.
08-22-2016 06:33 PM
When I used Password for both user and machine, everything works well.
08-23-2016 06:11 AM
You are right, I forgot to re-enroll the cert after I published it to AD; it is working now.
Thank you.