
EAP-chaining Machine Authentication with Certificates Failed

csco11552159
Level 5

Hi,

I'm testing EAP-Chaining on ISE 2.1 with the latest AnyConnect 4.3 in my lab. I ran into some problems with Machine Authentication with Cert.

I'm using a W2k8 CA in my lab with auto-enroll set up for domain laptops. Machine Auth is using Cert, User Auth is using username/password. Everything looks OK, but I keep getting this error:

12219 Selected identity type 'Machine'
12125 EAP-FAST inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12212 Identity type provided by client is equal to requested
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12523 Extracted EAP-Response/NAK for inner method requesting to use EAP-TLS instead
12522 Prepared EAP-Request for inner method proposing EAP-TLS with challenge
12625 Valid EAP-Key-Name attribute received
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12524 Extracted EAP-Response containing EAP-TLS challenge-response for inner method and accepting EAP-TLS as negotiated
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12808 Prepared TLS ServerKeyExchange message
12809 Prepared TLS CertificateRequest message
12527 Prepared EAP-Request for inner method with another EAP-TLS challenge
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12526 Extracted EAP-Response for inner method containing TLS challenge-response
12527 Prepared EAP-Request for inner method with another EAP-TLS challenge
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12526 Extracted EAP-Response for inner method containing TLS challenge-response
12571 ISE will continue to CRL verification if it is configured for specific CA - certificate for WIN7DOMAIN2.ICNLAB.COM
12811 Extracted TLS Certificate message containing client certificate
12812 Extracted TLS ClientKeyExchange message
12813 Extracted TLS CertificateVerify message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12509 EAP-TLS full handshake finished successfully
12527 Prepared EAP-Request for inner method with another EAP-TLS challenge
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12526 Extracted EAP-Response for inner method containing TLS challenge-response
15041 Evaluating Identity Policy
15004 Matched rule - Default
15006 Matched Default Rule
22072 Selected identity source sequence - Certificate_Request_Sequence
22070 Identity name is taken from certificate attribute
15013 Selected Identity Source - ICNLABDC1
24433 Looking up machine in Active Directory - ICNLABDC1
24325 Resolving identity - WIN7DOMAIN2$@ICNLAB.COM
24313 Search for matching accounts at join point - icnlab.com
24318 No matching account found in forest - icnlab.com
24363 Client certificate does not match AD account certificate - win7domain2$@icnlab.com
24314 No matching account found in domain - icnlab.com
24322 Identity resolution detected no matching account
24352 Identity resolution failed - ERROR_NO_SUCH_USER
24437 Machine not found in Active Directory - ICNLABDC1
22016 Identity sequence completed iterating the IDStores
22056 Subject not found in the applicable identity store(s)
22058 The advanced option that is configured for an unknown user is used
22061 The 'Reject' advanced option is configured in case of a failed authentication request
12529 Inner EAP-TLS authentication failed
11520 Prepared EAP-Failure for inner EAP method
12117 EAP-FAST inner method finished with failure

Any ideas?? It looks like ISE found the cert and tried to auth with AD, but couldn't find it. I do have this device in my AD. The TEST from ISE is working.


7 Replies

hariholla
Cisco Employee

What is the Certificate Authentication Profile you are using? Could you share that here?

I configured "Certificate_request_Sequence" for the authentication store. I don't know if there is anything wrong.

[attachments: certauthseq.JPG, certCapture2.JPG]

Here is the authorization rule with EAP-Chaining; it seems I cannot put MSCHAPv2 and TLS both in the rule.

[attachment: certCapture3.JPG]

And when you do a test/lookup on the machine (test user), what's the result? Could you post it as well?

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11027 Detected Host Lookup UseCase (Service-Type = Call Check (10))
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - DEVICE.Device Type
15048 Queried PIP - DEVICE.Location
15048 Queried PIP - Radius.NAS-Port-Type
15048 Queried PIP - Normalised Radius.RadiusFlowType
15004 Matched rule - MAB
15041 Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Source - Internal Endpoints
24209 Looking up Endpoint in Internal Endpoints IDStore - 00:0C:29:16:FA:3D
24211 Found Endpoint in Internal Endpoints IDStore
22037 Authentication Passed
15036 Evaluating Authorization Policy
15048 Queried PIP - Network Access.EapTunnel (3 times)
15048 Queried PIP - EndPoints.LogicalProfile
15004 Matched rule - Default
15016 Selected Authorization Profile - INTERNET_ONLY_PROFILE
11022 Added the dACL specified in the Authorization Profile
11002 Returned RADIUS Access-Accept

Here is the same laptop doing MAB authentication; it has no problem.

csco11552159
Level 5

When I used a password for both user and machine, everything worked fine.

hslai
Cisco Employee (accepted solution)

Binary compare is enabled in the cert auth profile so it might be either that the computer certificate not published to AD or not the correct one published there. The auth should succeed either by disabling binary compare or by publishing the correct endpoint certificate.
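As an added illustration (not code from the thread or from Cisco), a small Python triage that reads an ISE step log like the one posted above and separates the binary-compare failure (step 24363 after a successful inner TLS handshake, 12816/12509) from a missing machine account or a failed handshake, plus a model of what the binary comparison actually checks. The sample log lines and the DER stand-ins are constructed; the step codes are the ones in the original post.

```python
import re

# Constructed excerpt modelled on the step codes in the original post (not a live capture).
SAMPLE_STEPS = """\
12811 Extracted TLS Certificate message containing client certificate
12816 TLS handshake succeeded
12509 EAP-TLS full handshake finished successfully
24325 Resolving identity - WIN7DOMAIN2$@ICNLAB.COM
24318 No matching account found in forest - icnlab.com
24363 Client certificate does not match AD account certificate - win7domain2$@icnlab.com
24352 Identity resolution failed - ERROR_NO_SUCH_USER
12529 Inner EAP-TLS authentication failed
"""

STEP_RE = re.compile(r"^(\d{5})\s+(.*)$")


def parse_steps(text):
    """Return [(code, message), ...] for every 'NNNNN message' line of an ISE step log."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line.strip())
        if m:
            steps.append((m.group(1), m.group(2)))
    return steps


def diagnose(text):
    """Classify an inner EAP-TLS failure from the step codes that are present."""
    codes = {code for code, _ in parse_steps(text)}
    tls_ok = "12816" in codes or "12509" in codes
    if "24363" in codes and tls_ok:
        # The chain validated (ISE trusts the CA), but the presented certificate is not
        # byte-identical to the one published on the AD account: binary comparison failed.
        # 24318 also appears in this case, so check 24363 first.
        return "binary-compare-mismatch"
    if "24318" in codes:
        return "machine-account-not-found"
    if "12529" in codes and not tls_ok:
        return "tls-handshake-failed"
    return "unknown"


def binary_compare(presented_der, published_ders):
    """Model of ISE's binary certificate comparison: the DER bytes of the certificate
    presented in the TLS handshake must exactly equal one of the certificates published
    on the account (userCertificate). A re-enrolled cert is new bytes, hence a mismatch."""
    if not published_ders:
        return "not-published"
    return "match" if any(der == presented_der for der in published_ders) else "mismatch"
```

Run `diagnose(SAMPLE_STEPS)` on a pasted step log; a "binary-compare-mismatch" result means the fix is to re-publish the current machine certificate to AD (or turn binary comparison off in the certificate authentication profile), not to touch the CA trust.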

You are right, I forgot to re-enroll the cert after I published it to AD; it is working now.

Thank you.
