EAP-TLS issue on ISE & Windows 10

bluedogspider
Level 1

Hello there,
I have a Cisco ISE 1.3 server running dot1x on wired and wireless.
Windows 10 is now being deployed and I have run into some issues regarding authentication.

Windows 10 clients seem to take a while to get authenticated, and when they do, the client speed is very limited.

The authentication process looks like the following:

  11001 : Received RADIUS Access-Request
  11017 : RADIUS created a new session
  15049 : Evaluating Policy Group
  15008 : Evaluating Service Selection Policy
  15048 : Queried PIP - Radius.Service-Type
  15048 : Queried PIP - Radius.NAS-Port-Type
  15004 : Matched rule - Dot1X
  11507 : Extracted EAP-Response/Identity
  12500 : Prepared EAP-Request proposing EAP-TLS with challenge
  11006 : Returned RADIUS Access-Challenge
  11001 : Received RADIUS Access-Request
  11018 : RADIUS is re-using an existing session
  12502 : Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
  12800 : Extracted first TLS record; TLS handshake started
  12805 : Extracted TLS ClientHello message
  12806 : Prepared TLS ServerHello message
  12807 : Prepared TLS Certificate message
  12809 : Prepared TLS CertificateRequest message
  12505 : Prepared EAP-Request with another EAP-TLS challenge
  11006 : Returned RADIUS Access-Challenge
  11001 : Received RADIUS Access-Request
  11018 : RADIUS is re-using an existing session
  12504 : Extracted EAP-Response containing EAP-TLS challenge-response
  12505 : Prepared EAP-Request with another EAP-TLS challenge
  11006 : Returned RADIUS Access-Challenge
  11001 : Received RADIUS Access-Request
  11018 : RADIUS is re-using an existing session
  12504 : Extracted EAP-Response containing EAP-TLS challenge-response
  12505 : Prepared EAP-Request with another EAP-TLS challenge
  11006 : Returned RADIUS Access-Challenge
  11001 : Received RADIUS Access-Request
  11018 : RADIUS is re-using an existing session
  12504 : Extracted EAP-Response containing EAP-TLS challenge-response
  12505 : Prepared EAP-Request with another EAP-TLS challenge
  11006 : Returned RADIUS Access-Challenge
  11001 : Received RADIUS Access-Request
  11018 : RADIUS is re-using an existing session
  12504 : Extracted EAP-Response containing EAP-TLS challenge-response
  12505 : Prepared EAP-Request with another EAP-TLS challenge
  11006 : Returned RADIUS Access-Challenge
  11001 : Received RADIUS Access-Request
  11018 : RADIUS is re-using an existing session
  12504 : Extracted EAP-Response containing EAP-TLS challenge-response
  12505 : Prepared EAP-Request with another EAP-TLS challenge
  11006 : Returned RADIUS Access-Challenge
  11001 : Received RADIUS Access-Request
  11018 : RADIUS is re-using an existing session
  12504 : Extracted EAP-Response containing EAP-TLS challenge-response
  12505 : Prepared EAP-Request with another EAP-TLS challenge
  11006 : Returned RADIUS Access-Challenge
  11001 : Received RADIUS Access-Request
  11018 : RADIUS is re-using an existing session
  12504 : Extracted EAP-Response containing EAP-TLS challenge-response
  12571 : ISE will continue to CRL verification if it is configured for specific CA - xxx
  12571 : ISE will continue to CRL verification if it is configured for specific CA - xxx
  12571 : ISE will continue to CRL verification if it is configured for specific CA - certificate for xxx
  12811 : Extracted TLS Certificate message containing client certificate
  12812 : Extracted TLS ClientKeyExchange message
  12813 : Extracted TLS CertificateVerify message
  12804 : Extracted TLS Finished message
  12801 : Prepared TLS ChangeCipherSpec message
  12802 : Prepared TLS Finished message
  12816 : TLS handshake succeeded
  12509 : EAP-TLS full handshake finished successfully
  12505 : Prepared EAP-Request with another EAP-TLS challenge
  11006 : Returned RADIUS Access-Challenge
  11001 : Received RADIUS Access-Request
  11018 : RADIUS is re-using an existing session
  12504 : Extracted EAP-Response containing EAP-TLS challenge-response
  15041 : Evaluating Identity Policy
  15006 : Matched Default Rule
  22072 : Selected identity source sequence - _cert_seq
  22070 : Identity name is taken from certificate attribute
  22037 : Authentication Passed
  12506 : EAP-TLS authentication succeeded
  15036 : Evaluating Authorization Policy
  15048 : Queried PIP - EndPoints.LogicalProfile
  15048 : Queried PIP - Radius.Service-Type
  15048 : Queried PIP - Radius.NAS-Port-Type
  15048 : Queried PIP - Radius.Called-Station-ID
  15004 : Matched rule - Wireless 802.1x
  15016 : Selected Authorization Profile - VLAN_xxx
  11503 : Prepared EAP-Success
  11002 : Returned RADIUS Access-Accept

I know Windows 10 is not officially supported until Cisco ISE 1.4, but maybe someone has seen this before.
Thanks in advance.

/M
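A small parser for ISE step logs like the one in the post, added here as an example (it is not from the post or from Cisco): it counts the RADIUS round trips and the EAP-TLS challenge rounds (step 12505) so that a negotiation that loops far longer than usual stands out in a batch of sessions. The sample log is a constructed, abbreviated version of the one above, and the round threshold is an assumed value to tune per deployment.

```python
# Summarise Cisco ISE authentication step lines ('NNNNN : text') to spot EAP-TLS
# sessions that needed unusually many round trips. Added example, not Cisco code.
import re

STEP_RE = re.compile(r"^\s*(\d{5})\s*:\s*(.*?)\s*$")

# Constructed sample: an abbreviated version of the log in the post above.
SAMPLE_LOG = """
11001 : Received RADIUS Access-Request
11017 : RADIUS created a new session
12500 : Prepared EAP-Request proposing EAP-TLS with challenge
11006 : Returned RADIUS Access-Challenge
11001 : Received RADIUS Access-Request
12505 : Prepared EAP-Request with another EAP-TLS challenge
11006 : Returned RADIUS Access-Challenge
11001 : Received RADIUS Access-Request
12504 : Extracted EAP-Response containing EAP-TLS challenge-response
12505 : Prepared EAP-Request with another EAP-TLS challenge
11006 : Returned RADIUS Access-Challenge
11001 : Received RADIUS Access-Request
12504 : Extracted EAP-Response containing EAP-TLS challenge-response
12816 : TLS handshake succeeded
12505 : Prepared EAP-Request with another EAP-TLS challenge
11006 : Returned RADIUS Access-Challenge
11001 : Received RADIUS Access-Request
12506 : EAP-TLS authentication succeeded
11503 : Prepared EAP-Success
11002 : Returned RADIUS Access-Accept
"""

def parse_steps(text):
    """Return the (code, message) pairs in order; lines that are not steps are skipped."""
    return [m.groups() for m in map(STEP_RE.match, text.splitlines()) if m]

def summarize(text, max_challenges=8):
    """Count RADIUS round trips and EAP-TLS challenge rounds (step 12505) and flag a
    session that exceeded max_challenges, an assumed threshold to tune per deployment."""
    codes = [code for code, _ in parse_steps(text)]
    summary = {
        "access_requests": codes.count("11001"),
        "eap_tls_challenges": codes.count("12505"),
        "tls_handshake_ok": "12816" in codes,
        "access_accept": "11002" in codes,
    }
    summary["excessive_rounds"] = summary["eap_tls_challenges"] > max_challenges
    return summary

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run over the full log in the post, it reports 10 Access-Requests and 8 EAP-TLS challenge rounds for a single successful authentication.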

1 Accepted Solution

Speeds have nothing to do with ISE. ISE just authenticates. It's not an encrypted tunnel unless using MACsec (which requires the AnyConnect supplicant).

3 Replies

Jason Kunst
Cisco Employee

I would recommend working through the TAC; it looks like something is causing the device to negotiate over and over.

Make sure 1.3 is on the latest patch and Windows 10 has all relevant supplicant fixes installed (Windows Update critical/important).

ISE 1.3, BTW, is EOL:

http://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-737392.html

You also mentioned client speed is slow. I assume that means network transfers? I would look into the network, as ISE simply authenticates the device and has nothing to do with network speed.

Thanks for the reply.
I will check patch levels.

Yea, I realise it is quite an old release. Hopefully the customer agrees to upgrading it.

Yea, the transfer speeds are slow, but when using Windows 7, everything is smooth and fast.
I have attempted forcing Windows 10 to use EAP-TLS 1.0, but to no avail.

