Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1686
Views
0
Helpful
11
Replies

ACS5.1 + AD Authentication ,probelm is onlt fit "Default Ploicy"

fgao
Level 1
Level 1

‎01-11-2013 10:58 PM - edited ‎03-10-2019 07:58 PM

Hello Everyone

I am looking for a help here .

I have ACS 5.1+ AD for Wirelss user authentication ,

I created " Machine" and " User" Authentication , But it seems only hit "Default rules". Because my default rule is "deny access:", So right now , Nothing can passed authentication ,

Please take look my configuration ,

(1) In "Access Services" , I created a new service named : dot1x-Service"

Identity: AD1

No Group mapping

Authentication:

rule 1 : Was machine Authenticated :ANY; AD1: External GroupsL contain any (na.tlm.com/Workstations) Permit

rule 2: Was machine Authenticated = TRUE, AD1 External Groups contain any (na.tlm.com/NAUsers ;na.tlm.com/Users) Permit

1.PNG

         (2)           For Autjemtication Protocols:

Allow PEAP
     PEAP Inner Methods
     Allow EAP-MS-CHAPv2
         Allow Password Change  


========================

11001  Received RADIUS Access-Request

11017  RADIUS created a new session

Evaluating Service Selection Policy

15004  Matched rule

15012  Selected Access Service - dot1x-Service

11507  Extracted EAP-Response/Identity

12300  Prepared EAP-Request proposing PEAP with challenge

11006  Returned RADIUS Access-Challenge

11001  Received RADIUS Access-Request

11018  RADIUS is re-using an existing session

12302  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated

12319  Successfully negotiated PEAP version 1

12800  Extracted first TLS record; TLS handshake started.

12805  Extracted TLS ClientHello message.

12806  Prepared TLS ServerHello message.

12807  Prepared TLS Certificate message.

12810  Prepared TLS ServerDone message.

12305  Prepared EAP-Request with another PEAP challenge

11006  Returned RADIUS Access-Challenge

11001  Received RADIUS Access-Request

11018  RADIUS is re-using an existing session

12304  Extracted EAP-Response containing PEAP challenge-response

12319  Successfully negotiated PEAP version 1

12812  Extracted TLS ClientKeyExchange message.

12804  Extracted TLS Finished message.

12801  Prepared TLS ChangeCipherSpec message.

12802  Prepared TLS Finished message.

12816  TLS handshake succeeded.

12310  PEAP full handshake finished successfully

12305  Prepared EAP-Request with another PEAP challenge

11006  Returned RADIUS Access-Challenge

11001  Received RADIUS Access-Request

11018  RADIUS is re-using an existing session

12304  Extracted EAP-Response containing PEAP challenge-response

12313  PEAP inner method started

11521  Prepared EAP-Request/Identity for inner EAP method

12305  Prepared EAP-Request with another PEAP challenge

11006  Returned RADIUS Access-Challenge

11001  Received RADIUS Access-Request

11018  RADIUS is re-using an existing session

12304  Extracted EAP-Response containing PEAP challenge-response

11522  Extracted EAP-Response/Identity for inner EAP method

11806  Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge

12305  Prepared EAP-Request with another PEAP challenge

11006  Returned RADIUS Access-Challenge

11001  Received RADIUS Access-Request

11018  RADIUS is re-using an existing session

12304  Extracted EAP-Response containing PEAP challenge-response

11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated

Evaluating Identity Policy

15006  Matched Default Rule

15013  Selected Identity Store - AD1

24431  Authenticating machine against Active Directory

24435  Machine Groups retrieval from Active Directory succeeded

24470  Machine authentication against Active Directory is successful.

22037  Authentication Passed

Evaluating Group Mapping Policy

11824  EAP-MSCHAP authentication attempt passed

12305  Prepared EAP-Request with another PEAP challenge

11006  Returned RADIUS Access-Challenge

11001  Received RADIUS Access-Request

11018  RADIUS is re-using an existing session

12304  Extracted EAP-Response containing PEAP challenge-response

11810  Extracted EAP-Response for inner method containing MSCHAP challenge-response

11814  Inner EAP-MSCHAP authentication succeeded

11519  Prepared EAP-Success for inner EAP method

12314  PEAP inner method finished successfully

12305  Prepared EAP-Request with another PEAP challenge

11006  Returned RADIUS Access-Challenge

11001  Received RADIUS Access-Request

11018  RADIUS is re-using an existing session

12304  Extracted EAP-Response containing PEAP challenge-response

12306  PEAP authentication succeeded

11503  Prepared EAP-Success

Evaluating Exception Authorization Policy

15042  No rule was matched

Evaluating Authorization Policy

15006  Matched Default Rule

15016  Selected Authorization Profile - DenyAccess

15039  Selected Authorization Profile is DenyAccess

11003  Returned RADIUS Access-Reject

Labels:
0 Helpful
11 Replies 11

Amjad Abdullah
VIP Alumni
VIP Alumni

‎01-11-2013 11:50 PM

Hello,

Why are you using the AD groups in the condition?

You need only to use (Was machine authentication = True) and (Authentication status = AuthenticationPassed)

for machine authentication.

For user authentication you only need to use 

(Was machine authentication = False) and (Authentication status=AuthenticationPassed)

You don't have to choose the external group unless you want to restrict access to users in that group only (or if you want to allow different auth profiles depending on the AD group).

You can do one simple thing, do the policy for users only and allow machine authentication for everyone. (enable machine auth globally). This way users can connect and anyone on the domain can connect as well because machine auth is globally enabled.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

Rating useful replies is more useful than saying "Thank you"
0 Helpful

fgao
Level 1
Level 1
In response to Amjad Abdullah

‎01-12-2013 12:04 AM

Thanks for your reply , I need only company laptop able to access to wireless here + only domain account user can access .

Also in my last reply , I found something which I don't understand ,

The ACS said Authorization Profile is deny access,  it seems like my Authorization Profile is not in use??

0 Helpful

Amjad Abdullah
VIP Alumni
VIP Alumni
In response to fgao

‎01-16-2013 12:33 AM

The two rules you use:

rule 1 : Was machine Authenticated :ANY; AD1: External GroupsL contain any (na.tlm.com/Workstations) Permit

rule 2: Was machine Authenticated = TRUE, AD1 External Groups contain any (na.tlm.com/NAUsers ;na.tlm.com/Users) Permit

I noticed something with your rules. The rule1 mandates machines in group workstations to authenticates regardless if it is a machine auth or not (Here "was machine auth" must be True because it should look into workstations group only for machine auth).

rule2: was machine auth = TRUE while it looks in groups of the users! this rule will never match because there are no users that can do a machine auth! users can do a user auth only.

for testing I would put the "was machine auth" in rule 1 to be TRUE and put it in rule 2 to be ANY.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

Rating useful replies is more useful than saying "Thank you"
0 Helpful

fgao
Level 1
Level 1

‎01-12-2013 12:00 AM

I think problem is from "Authorization Profile" ,But I don't know why !

ACS said Authorization Profile is Deny Access , But it never set up at Deny Access

Authorization Profile has 3 attributes:

Tunnel-Medium-Type : 802

Tunnel Type:                VLAN

Tunnel-Private-Froup-ID: VLAN 88

So Why my "Authorization Profile" is not work , And ACS is keep use default????

0 Helpful

Amjad Abdullah
VIP Alumni
VIP Alumni
In response to fgao

‎01-12-2013 12:11 AM

Hi,

If no rule matched then the DEFAULT authorization profile in your case is configured as Deny Access which is the default if no configured ruled are matched. (look at the bottom of the image you provided just above the buttons, it says the default profile is denyaccess.).

Now, you  can simply configure one rule:

(Was machine authentication = True) and (Authentication status = AuthenticationPassed)

This should do what you want to achieve, only domain users are able to go to the network providing that domain users machines are configured for machine authentication.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

Rating useful replies is more useful than saying "Thank you"
0 Helpful

Tarik Admani
VIP Alumni
VIP Alumni

‎01-12-2013 09:41 AM

Hi,

For your workstations policy please remove the was machine authenticated condition. Looks like your machines can't authenticate because of this condition.


Sent from Cisco Technical Support Android App

0 Helpful

fgao
Level 1
Level 1
In response to Tarik Admani

‎01-12-2013 10:34 AM

But base on the logs , machine authentication passed

24431 Authenticating machine against Active Directory

24435 Machine Groups retrieval from Active Directory succeeded

24470 Machine authentication against Active Directory is successful.

22037 Authentication Passed

0 Helpful

fgao
Level 1
Level 1
In response to fgao

‎01-12-2013 10:48 AM

BTW, It was works last year ,

This is 1 log from last DEC, you can see ACS authorization profile beed selected ,

But now , the profile is still here , why ACS does not select it ?

Evaluating Authorization Policy

15004 Matched rule

15016 Selected Authorization Profile - corpwireless

11002 Returned RADIUS Access-Accept

Evaluating Identity Policy

15006  Matched Default Rule

15013  Selected Identity Store - AD1

24430  Authenticating user against Active Directory

24416  User's Groups retrieval from Active Directory succeeded

24402  User authentication against Active Directory succeeded

22037  Authentication Passed

Evaluating Group Mapping Policy

15006  Matched Default Rule

11824  EAP-MSCHAP authentication attempt passed

12305  Prepared EAP-Request with another PEAP challenge

11006  Returned RADIUS Access-Challenge

11001  Received RADIUS Access-Request

11018  RADIUS is re-using an existing session

12304  Extracted EAP-Response containing PEAP challenge-response

11810  Extracted EAP-Response for inner method containing MSCHAP challenge-response

11814  Inner EAP-MSCHAP authentication succeeded

11519  Prepared EAP-Success for inner EAP method

12314  PEAP inner method finished successfully

12305  Prepared EAP-Request with another PEAP challenge

11006  Returned RADIUS Access-Challenge

11001  Received RADIUS Access-Request

11018  RADIUS is re-using an existing session

12304  Extracted EAP-Response containing PEAP challenge-response

12306  PEAP authentication succeeded

11503  Prepared EAP-Success

24422  ACS has confirmed previous successful machine authentication for user in Active Directory

Evaluating Exception Authorization Policy

15042  No rule was matched

Evaluating Authorization Policy

15004  Matched rule

15016  Selected Authorization Profile - corpwireless

11002  Returned RADIUS Access-Accept

0 Helpful

Tarik Admani
VIP Alumni
VIP Alumni

‎01-12-2013 02:15 PM

Hi,

Can you verify if the user is still in the same AD group. Also what happens if you reboot acs? Also keep in mind that there have been numerous fixes and updates since 5.1 with respect to AD. Did you recently upgrade the AD environment?

Thanks


Sent from Cisco Technical Support Android App

0 Helpful

fgao
Level 1
Level 1
In response to Tarik Admani

‎01-14-2013 12:32 PM

No change were found from AD group.

I made this change , and seems it works now . change AD external to ANY, and add System User name in conditions .

0 Helpful

Tarik Admani
VIP Alumni
VIP Alumni
In response to fgao

‎01-14-2013 06:38 PM

Hi,

The workaround you posted above leaves you open for unauthorized access. Please find out if the workstation accounts have moved to a different group.

Thanks,

Tarik Admani
*Please rate helpful posts*

0 Helpful
Customers Also Viewed These Support Documents