09-27-2024 10:02 AM - edited 09-27-2024 10:04 AM
Hello,
I have a distributed ISE deployment as below:
ISE 3.1 patch 6
PSN: 3 physical & 3 VM
Admin: 1physical & 1VM
MnT: 1physical & 1VM
aaa group server radius ISERadius
server name ISE-VM
server name ISE-physical
ip radius source-interface xx
aaa server radius dynamic-author
client VM server-key 7 xxxx
client physical server-key 7 xxxx
When the radius server to pointed to physical ise server in radius server group, the cert based authentication works as expected but then pointed to aws ise server, it fails. The failure reason changes every time.
Failure reason: Authc fail. Authc failure reason: Cred Fail.
Authentication failed for client (abcd) with reason (No Response from Client) on Interface xx
Authentication failed for client (abcd) with reason (AAA Server Down) on Interface xx
The "Certificate Authentication Profile" is configured using option "Use Identity From" with Cert Attribute as "Subject-Common Name". As some machines are not part of AD so Identity Store option is not configured. I did use Cert Attribute as "Subject-Common Name - DNS" but no luck
Both physical & VM ise servers have dedicated EAP certificate issued by digicert and their Root & Intermediate certs are present in "Trusted Certificates". The Intermediate cert is trusted for Infrastructure only. Since infrastructure trust is working on physical ise server, I am not sure if ISE VM needs "Trust for client authentication and Syslog" option as well.
I have ran packet captures where the ISE is sending CA chain but its never seen on the switch during radius challenge. The dot1x challenge runs for the configured timer & fails. Sometimes I don't see Authentication tab under ethernet properties & I restart the wired auto config just to manually trigger the authentication although the service is set to start automatically.
I really need to get this issue fixed at earliest and I would appreciate any assistance from experts here.
09-27-2024 10:11 AM
Two ISE
You need to add both ISE to SAN (multi SAN) or use wildcard cert.
MHM
09-27-2024 10:26 AM
you mean add both admin nodes fqdn in PSN's SAN?
09-27-2024 10:22 AM
you mean add both admin nodes fqdn in PSN's SAN?
09-27-2024 10:26 AM
Both node fqdn in SAN of cert.
Endpoint when try auth via any ISE it will validate cert. Since it fqdn is.list.
MHM
09-27-2024 10:38 AM
endpoint with ise vm server supplicant >>> ise vm psn cert with Common Name = VM ise sever & SAN including physical & vm psn.
Will this still work after the physical server is shutdown and all the traffic failover to VM ise server only?
09-27-2024 02:15 PM
EAP-TLS authentication can take the "subject" or "identity" being authenticated, either from the Subject CN, or the Subject Alternative Name. Contrary to https connections, the SAN is not mandatory or as important here. ISE will expect a non-empty Subject CN. And the ISE Certificate Authentication Profile is the place where you define WHERE the identity should come from. For EAP-TLS to work, you must understand what your client certs look like - if the Subject CN contains a username/machine_name or whatever, that identifies the endpoint, then use the Subject CN - but it must be consistent across all clients.
And since Policy Set programming is the same for all PSNs, this logic will be applied to your on-prem PSNs, and your cloud PSNs.
As for the EAP System Certificate for each PSN, that should also be consistent - you don't need to purchase a separate Digicert cert for each PSN - you get one, and re-use that for all your PSNs (you can export a cert and its private key, and import that into all your PSN's that need an EAP System Cert)
In ISE Trusted Cert section, ensure that the entire CA cert chain that is involved in the ISE EAP System Cert (Digi Cert CA?) has these options set
The only other thing I can think of regarding cloud based PSN vs on-prem PSN is that the IP MTU might play a factor. With EAP-TLS, the RADIUS datagrams will mostly always exceed 1500 bytes during TLS negotiation, because the TLS client hello and server hello will contain the entire cert chain. ISE uses MTU 1500 bytes. If the PSN is connected to an L3 network that uses Jumbo frames then it will cause issue - not sure about AWS, but keep this in mind. Run a tcpdump on the cloud PSN and observe the RADIUS packets during a TLS negotiation. it's normal and expected to see UDP fragmentation to occur. Some firewall in the past have also struggled with UDP fragmentation and re-assembly.
09-27-2024 02:42 PM
The cloud psn is able to authenticate cert based wifi traffic but failing on all cert based LAN authentications. I will modify the usage Trust & test again
09-27-2024 03:44 PM
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide