802.1x auth sequence

nkingsbury
Level 1

Hello,

I am implementing an 802.1x environment using Cisco NAM for user+machine auth. I am using "Connect before Logon". When I put in my credentials and press enter I can immediately see the connection attempt in the ISE RADIUS logs, but it is only passing the host/machinename, which of course fails. It takes about three minutes before the machine passes username,host/machinename and then is connected.

Is there some way I can get the first connection request to pass the username and machinename?


7 Replies

Craig Hyps
Level 10

Machine Auth should happen before User Auth.  That is expected behavior.  Not sure I follow "but it is only passing the host/machinename, which of course fails."  It would be expected for machine auth to start.  Why do you expect it to fail?  Make sure to check ISE logs to determine failure reason.

Sorry, I will try to be more detailed. This is my first time deploying Cisco NAM and using EAP-FAST so perhaps I am missing something.

The authentication is done via AD username/pass and AD machine join. My authorization policy is set as "EAPChainingResult equals User and Machine both succeeded".

When the computer boots up and hits the log in screen, the host/machinename is set as the identity and it hits the BLACKHOLE policy. After the log in credentials are added, the NAM dialog box comes up and shows "Associating, Stopping" for the 40 second time period and then logs in. After 30 seconds to 2 minutes of being at the Windows desktop, the username+machine name is passed as identity and then the machine hits the EMPLOEE-ACCESS policy. Here is the connection from the ISE log.

[Screenshot: Capture.PNG]

I guess what I am hoping for is that it will succeed on the first attempt and make the login process a bit shorter. With it doing "Associating, Stopping" for the 40 seconds, I have a feeling I am going to get some push back from the executives because it's slowing down their log in process too much. I know I have the option to connect after logon, but I want network drives to attach properly.

Recommend add Authorization Policy rule based on Machine Auth Only match and assign permissions to access AD domain controllers.  This will allow initial Machine Only auth to complete and allow needed access to complete User Auth.  In that second auth, the PAC received from Machine Auth will be combined with that of User Auth so that you can match your existing rule.

Just to add some background on Craig's note on why you need to allow machine only policy to AD resources:

When the PC boots up (or when no user is logged in), the PC authenticates itself to the network using the machine account, and that is when you see host/machinename. You need to provide access to the AD resources for machine-only login for proper operation of Windows PCs that are part of the domain. During this state, the PC downloads GPOs and, more importantly, it allows your user login to happen successfully against AD. If network access is blocked, the PC may try reaching the domain controllers, which could take a few minutes to fail, and eventually log in with cached credentials. When this happens, you will see that user+machine authentication eventually succeeds, but you will see a long delay, which is what you are experiencing. By allowing access to AD resources during the machine-only state, your Windows login will be able to authenticate against the AD server without delay and transition from the machine-only 802.1X state to the user+machine state.

nkingsbury
Level 1

You guys are brilliant! I created a new DACL allowing only authentication access to AD and set a policy to allow "user failed and machine passed". I could see that the computer would get that policy at login screen. Logging into the computer, the NAM dialog immediately showed "authenticating" and I can see the username,host\machine passed to ISE where it is authenticated and everything works perfectly.

Thank you again for the help.
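The two authorization policies discussed in this thread (the original "both succeeded" rule alone, and the fix of adding a machine-only rule with a DACL that permits only AD authentication traffic) can be modelled as a first-match rule list. The following is an added example written for this page; it is not code from the thread, from Cisco NAM or from ISE. The rule names, the `MACHINE-ONLY-AD` profile, the DC subnet and the port list are assumptions; the `EapChainingResult` strings follow the wording used in the posts above and should be checked against your own ISE policy conditions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# EapChainingResult values as phrased in the thread (assumed spelling;
# confirm against the Network Access dictionary in your ISE version).
BOTH_SUCCEEDED = "User and machine both succeeded"
MACHINE_ONLY = "User failed and machine succeeded"
USER_ONLY = "User succeeded and machine failed"
NO_CHAINING = "No chaining"

# Constructed placeholder: the subnet holding your domain controllers.
DC_SUBNET = "10.0.10.0 0.0.0.255"

# Assumed DACL in Cisco extended-ACE syntax: only what a domain-joined
# Windows host needs to reach its DCs while no user is logged in.
AD_AUTH_ONLY_DACL = [
    f"permit udp any {DC_SUBNET} eq 53",              # DNS
    f"permit tcp any {DC_SUBNET} eq 53",
    f"permit udp any {DC_SUBNET} eq 88",              # Kerberos
    f"permit tcp any {DC_SUBNET} eq 88",
    f"permit udp any {DC_SUBNET} eq 123",             # NTP (Kerberos clock skew)
    f"permit tcp any {DC_SUBNET} eq 135",             # RPC endpoint mapper
    f"permit tcp any {DC_SUBNET} eq 389",             # LDAP
    f"permit udp any {DC_SUBNET} eq 389",
    f"permit tcp any {DC_SUBNET} eq 445",             # SMB (SYSVOL / GPO download)
    f"permit tcp any {DC_SUBNET} eq 636",             # LDAPS
    f"permit tcp any {DC_SUBNET} eq 3268",            # Global Catalog
    f"permit tcp any {DC_SUBNET} range 49152 65535",  # RPC dynamic ports
    "deny ip any any",
]


@dataclass
class Rule:
    name: str
    chaining_result: str            # EapChainingResult value this rule matches
    profile: str                    # authorization profile it assigns
    dacl: list[str] = field(default_factory=list)


@dataclass
class Decision:
    rule: str
    profile: str
    dacl: list[str]


def authorize(policy: list[Rule], chaining_result: str) -> Decision:
    """First-match evaluation, like an ISE authorization policy set.
    Anything that matches no rule falls to the default BLACKHOLE profile."""
    for rule in policy:
        if rule.chaining_result == chaining_result:
            return Decision(rule.name, rule.profile, list(rule.dacl))
    return Decision("Default", "BLACKHOLE", ["deny ip any any"])


def boot_and_login(policy: list[Rule]) -> list[str]:
    """Walk the two 802.1X states the thread describes: machine-only at the
    login screen, then user+machine once credentials are entered. Returns
    the profile assigned in each state, in order."""
    at_login_screen = authorize(policy, MACHINE_ONLY)
    after_login = authorize(policy, BOTH_SUCCEEDED)
    return [at_login_screen.profile, after_login.profile]


def dacl_permits(dacl: list[str], proto: str, dport: int) -> bool:
    """First-match check of a DACL for traffic toward a domain controller.
    Destination-address matching is assumed to succeed; only the protocol
    keyword and the 'eq' / 'range' destination-port clause are evaluated."""
    for ace in dacl:
        parts = ace.split()
        action, ace_proto = parts[0], parts[1]
        if ace_proto not in ("ip", proto):
            continue
        if "eq" in parts and int(parts[parts.index("eq") + 1]) != dport:
            continue
        if "range" in parts:
            i = parts.index("range")
            lo, hi = int(parts[i + 1]), int(parts[i + 2])
            if not lo <= dport <= hi:
                continue
        return action == "permit"
    return False  # implicit deny at the end of every ACL


# Policy as the original poster first described it: one rule only.
ORIGINAL_POLICY = [
    Rule("Employee", BOTH_SUCCEEDED, "EMPLOYEE-ACCESS", ["permit ip any any"]),
]

# Policy after the advice in the thread: a machine-only rule is added,
# scoped to AD authentication traffic by the DACL above.
FIXED_POLICY = [
    Rule("Employee", BOTH_SUCCEEDED, "EMPLOYEE-ACCESS", ["permit ip any any"]),
    Rule("Machine-Only", MACHINE_ONLY, "MACHINE-ONLY-AD", AD_AUTH_ONLY_DACL),
]

if __name__ == "__main__":
    for label, policy in (("original", ORIGINAL_POLICY), ("fixed", FIXED_POLICY)):
        print(label, boot_and_login(policy))
        machine_state = authorize(policy, MACHINE_ONLY)
        print("  Kerberos to DC during machine-only state:",
              dacl_permits(machine_state.dacl, "tcp", 88))
```

Running the script shows the difference the thread resolved: with the original policy the machine-only state lands in BLACKHOLE and Kerberos to the DC is denied, so the Windows logon has to time out before chaining moves to user+machine; with the added rule the machine-only state gets `MACHINE-ONLY-AD`, Kerberos, LDAP and SMB to the DC subnet are permitted, and everything else (for example HTTPS) is still denied until the user+machine authentication succeeds.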

Great.  Glad this resolved the issue.  Thanks for following up to confirm solution.
