802.1x Configuration

AbelBurgos5029
Level 1

Hello everyone,

 

I am currently in the process of configuring 802.1x for my classified network. Here is what I am working with:

Windows 10 workstations (supplicants using the Windows supplicant software)

C3900 switch stack (authenticator)

Cisco ISE (RADIUS authentication server)

I configured the supplicants, configured the switches with global aaa commands and the interfaces with dot1x commands, and configured the RADIUS server in the Cisco ISE.

Here is the problem... When I try to authenticate from the workstation, it authenticates my user successfully, but the workstation is denied. When I look at the RADIUS logs in the ISE, it tells me that authentication is resulting in a pass for my user credentials, but the workstation is being denied. As a result, I am allowed to log in to the workstation, but no access to the network is granted.

 

I was hoping someone could point me in the right direction on how to fix this issue. I can provide more details if necessary.

 

Thanks

 

6 Replies

Would need to see your dot1x configuration that you have on the switch along with the error message you are getting on ISE in the Live Logs.

--
Please remember to select a correct answer and rate helpful posts

Since it's in a classified environment, I can't share the full configuration, but the port I am testing has the following 802.1x config on it:

#ip access-group PRE-AUTH in - this is an ACL I created to allow access to some things prior to authorization, such as DHCP.

#authentication open

#authentication port-control auto

#dot1x pae authenticator

 

The ISE server RADIUS Live Logs are giving me the following error:

"The client stopped responding to EAP session and started a new one"

 

I tried different options on the client authentication tab, but nothing seems to fix the issue. 

 

The "Automatically use my Windows logon name and password (and domain if any)" checkbox is not selected because it is not allowing me to select it. I assume this is something that needs to be changed in Group Policy, but I have not been able to figure out how to do that.

 

Hope this helps. Thanks

Hi,

 

    1. You need to make sure that the Windows supplicant is properly configured for the EAP (802.1x) method that ISE expects.

    2. Make sure "aaa authorization network" is configured if you receive any authorisations from ISE (like an ACL or VLAN). If you receive a VLAN, make sure the VLAN is created on the switch; if you receive a VLAN name, make sure a VLAN with exactly the same name exists on the switch. Use this document as a reference to validate your configuration:

 

https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

 

Regards,

Cristian Matei.
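As an added worked example (not part of this thread, and not Cristian's, Cisco's or the original poster's configuration), here is a complete IOS wired 802.1X configuration of the kind the checklist above validates: the global AAA lines, including the aaa authorization network command the switch needs before it will honour a dACL or VLAN returned by ISE, a RADIUS server definition, a pre-authentication ACL, and an access port in open mode. The server name ISE-PSN1, the address 192.0.2.10, the shared secret, VLAN 10, GigabitEthernet1/0/1 and the contents of the PRE-AUTH ACL are all assumptions; only the command syntax is real. One caveat worth stating plainly: authentication open lets the port forward traffic before and regardless of the authentication result, so while testing it can hide whether the switch actually authorized the session.

```cisco
! Added example configuration: hypothetical names, addresses and secrets, replace before use
aaa new-model
!
! RADIUS server definition (ISE Policy Service Node); ports 1812/1813 are the ISE defaults
radius server ISE-PSN1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key ChangeMeSharedSecret
!
aaa group server radius ISE-RADIUS
 server name ISE-PSN1
!
! Authentication alone only tells the switch pass/fail;
! authorization network is what lets it apply a dACL or VLAN from the Access-Accept
aaa authentication dot1x default group ISE-RADIUS
aaa authorization network default group ISE-RADIUS
aaa accounting dot1x default start-stop group ISE-RADIUS
!
! Send Cisco vendor-specific attributes so ISE can return dACLs and other AV pairs
radius-server vsa send authentication
radius-server vsa send accounting
!
! Enable 802.1X globally; without this the interface commands do nothing
dot1x system-auth-control
!
! Pre-authentication ACL: only DHCP and DNS are allowed before the session is authorized
ip access-list extended PRE-AUTH
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 deny ip any any
!
interface GigabitEthernet1/0/1
 description 802.1X test port (added example)
 switchport mode access
 switchport access vlan 10
 ip access-group PRE-AUTH in
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

To confirm what the switch actually did with the session, show authentication sessions interface GigabitEthernet1/0/1 details lists the method state, the attributes ISE returned (ACS ACL, VLAN) and whether the session ended up Authorized; show aaa servers confirms requests are reaching ISE; debug radius authentication shows the attributes inside the Access-Accept. If ISE returns a dACL, the switch also needs IP device tracking enabled (ip device tracking on classic IOS, a device-tracking policy attached to the port on newer IOS-XE), otherwise the dACL cannot be applied and the session fails authorization. On the supplicant side, a "client stopped responding to EAP session" result on ISE means the EAP conversation was abandoned by the endpoint; with the Windows native supplicant that is most often a mismatch in EAP method or an untrusted ISE server certificate, and the reason is logged in Event Viewer under Microsoft-Windows-Wired-AutoConfig/Operational.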

balaji.bandi
Hall of Fame

As @Marius Gunnerud suggested, we need to see your config with the logs on ISE.

 

Here is a reference guide if you would like to investigate and read for your interest:

 

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-6/configuration_guide/sec/b_166_sec_9300_cg/configuring_ieee_802_1x_port_based_authentication.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Mike.Cifelli
VIP Alumni
From an 802.1X onboarding perspective, what exactly are you trying to accomplish? What I mean by this is, what security protocol are you attempting to use? Are you wishing to accomplish both user and computer authentication prior to pushing authz policy? If so, EAP chaining is supported via EAP-FAST, which requires you to use Cisco AnyConnect NAM. Or are you looking to utilize EAP-TLS for computer auth only? Can you share how you have the native supplicant configured? It will help us better assist you.

How are you trying to authenticate the machines (MAC, certificate, etc.)?

--
Please remember to select a correct answer and rate helpful posts