AD Machine Authentication with Cisco ISE problem

contactabbas
Level 1

Hi Experts,

I am new to ISE. I have configured ISE & domain computers for PEAP authentication. Initially the machine gets authenticated and then it starts going to MAB.

Authentication policy:

Allowed protocol = PEAP & TLS

Authorization Policy:

Condition for computer to be checked in external identity store (AD) = Permit access

Condition for users to be checked in external identity store (AD) plus WasMachineAuthenticated = permit access

All of the above policies do match and download the ACL from ISE, but the computer starts MAB authentication again...

Switchport configuration:

===============================================
ip access-list extended ACL-DEFAULT
 remark Allow DHCP
 permit udp any eq bootpc any eq bootps
 remark Allow DNS
 permit udp any any eq domain
 permit ip any host (AD)
 permit icmp any any
 permit ip any host (ISE-1)
 permit ip any host (ISE-2)
 permit udp any host (CUCM-1) eq tftp
 permit udp any host (CUCM-2) eq tftp
 deny ip any any
===============================================

switchport config

===============================================
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
 ip access-group ACL-DEFAULT in
 authentication open
 authentication event fail action next-method
 authentication event server dead action authorize vlan 1
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity 180
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 100
====================================================

One more problem with "authentication open" and the default ACL: once the authentication succeeds and a per-user ACL is pushed through ISE to the switch, the default ACL still blocks communication on this switchport.

Your help will be highly appreciated.

Regards,

9 Replies

contactabbas
Level 1

anyone please...

Why do you think that it starts MAB?

You can turn on

debug radius

on the switch, then connect the PC. Please copy here the debug and

show authen session int Fa0/x
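The check the reply above asks for can be automated. Here is a small Python parser for the classic IOS "show authentication sessions interface" output; it is an added example, not code from this thread or from Cisco. It reports which method authorized the session, whether the User-Name is a MAC address (what MAB sends), which dACL landed, and flags the exact pattern in the question: dot1x failed, then MAB succeeded. Both session dumps are constructed for this example; the interface, MAC, IP, session IDs and dACL names are invented, and the field names follow the pre-IBNS 2.0 output format.

```python
import re
from dataclasses import dataclass, field

# Constructed sample 1: a DATA-domain session where dot1x failed and the
# switch fell back to MAB (the MAC address became the User-Name and a
# MAB dACL was applied). All values are invented for this example.
SAMPLE_MAB_FALLBACK = """\
            Interface:  FastEthernet0/5
          MAC Address:  0011.2233.4455
           IP Address:  10.10.10.50
            User-Name:  00-11-22-33-44-55
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-domain
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
              ACS ACL:  xACSACLx-IP-MAB-ACL-0123abcd
    Common Session ID:  0A0A0A01000000050001A2B3
               Handle:  0x2A000005

Runnable methods list:
       Method   State
       dot1x    Authc Failed
       mab      Authc Success
"""

# Constructed sample 2: the healthy case, machine authenticated via dot1x
# and MAB never ran. Also invented.
SAMPLE_DOT1X_OK = """\
            Interface:  FastEthernet0/5
          MAC Address:  0011.2233.4455
           IP Address:  10.10.10.50
            User-Name:  host/PC1.example.com
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-domain
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
              ACS ACL:  xACSACLx-IP-PERMIT_ALL-89abcdef
    Common Session ID:  0A0A0A01000000060001A2C4
               Handle:  0x2B000006

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?):\s+(.*\S)\s*$")
METHOD_RE = re.compile(r"^\s*(dot1x|mab|webauth)\s+(.+?)\s*$")
# MAB sends the MAC address as the RADIUS User-Name (dash, colon or dot form).
MAC_USERNAME_RE = re.compile(r"^([0-9a-f]{2}[-:.]){5}[0-9a-f]{2}$", re.I)


@dataclass
class AuthSession:
    fields: dict = field(default_factory=dict)   # "User-Name" -> value
    methods: dict = field(default_factory=dict)  # "dot1x" -> "Authc Failed"


def parse_session(text):
    """Parse one session block into header fields and per-method states."""
    sess = AuthSession()
    in_methods = False
    for line in text.splitlines():
        if line.strip().startswith("Runnable methods list"):
            in_methods = True
            continue
        if in_methods:
            m = METHOD_RE.match(line)
            if m:
                sess.methods[m.group(1)] = m.group(2)
            continue
        m = FIELD_RE.match(line)
        if m:
            sess.fields[m.group(1).strip()] = m.group(2)
    return sess


def fell_back_to_mab(sess):
    """True when dot1x ran and failed and MAB then authenticated the host:
    the symptom described in the question."""
    return (sess.methods.get("dot1x") == "Authc Failed"
            and sess.methods.get("mab", "").startswith("Authc Success"))


def diagnose(sess):
    """Summarise the session: which method won, whether MAB was a fallback,
    whether the User-Name is a MAC address, and which dACL was applied."""
    winner = None
    for method in ("dot1x", "mab", "webauth"):
        state = sess.methods.get(method, "Not run")
        if state.startswith(("Authc Success", "Authz Success")):
            winner = method
            break
    user = sess.fields.get("User-Name", "")
    return {
        "user": user,
        "status": sess.fields.get("Status"),
        "authorized_by_method": winner,
        "mab_fallback": fell_back_to_mab(sess),
        "username_is_mac": bool(MAC_USERNAME_RE.match(user)),
        "dacl": sess.fields.get("ACS ACL", "N/A"),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_MAB_FALLBACK, SAMPLE_DOT1X_OK):
        print(diagnose(parse_session(sample)))
```

Paste the real output of "show authentication sessions interface Fa0/x" in place of the constructed samples. If "mab_fallback" is true and "dacl" names the MAB ACL rather than the expected user or machine ACL, the port really did fail over after a dot1x failure, and the next step is the ISE live log (or "debug radius") for that session ID to see why the EAP exchange failed.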

harvisin
Level 3

Hello Mudasir,

Please send us the debug logs, so that we can verify it and resolve your issue as soon as possible.

sahseth
Level 1

Hello Mudasir,

Please share detailed authentication failure logs for extensive troubleshooting and to find out where it's getting stuck.

Thanks.

You need to watch the switch during an authentication, see if the machine is passing authentication and the user may be failing authentication, causing the switch to fail over to MAB. If your switch configuration is on auth failure continue to next method, then this makes sense. The question is why the user is failing auth but the machine is passing; it could be something in the policy. Make sure your AD setup has machine authentication checked or it may not tie the machine and user auth together, and the user may be failing because ISE can't make that relationship, so the machinewasauth=true is not being matched. The easy way to check is to remove that rule from your policy and see if the same thing happens.

I've also seen this happen when clients want to use EAP-TLS on the wired side: the machine passes auth, then the user logs into a machine for the first time. The user auth kicks off before the user gets a cert and fails auth with a null certificate; since this is an auth failure, the switchport kicks over to MAB.

I don't think wasmachineauth=true is that great; I prefer to use EAP-FASTv2 using Cisco AnyConnect NAM with EAP chaining. This is great because you can do two-part authentication: EAP-FAST outer with EAP-TLS inner for the machine auth, and MSCHAPv2 for the inner of the user auth. You get your EAP-TLS auth for the machine and don't have to worry about a user logging into a machine for the first time and switching to MAB because the user doesn't have a cert yet. I also do my rule to say if machine pass and user fail, then workstation policy; if machine and user pass, then corp policy.

Hi Chris

Have you tried using EAP-FASTv2 with EAP-TLS inner for the machine auth and EAP-TLS inner for the user auth?

We can get EAP-FASTv2 with EAP-TLS inner for the machine auth and MSCHAPv2 inner for the user auth, but we really want to use both machine and user certs.

Do you have any advice on the AnyConnect NAM setup and certificate profile requirements in ISE to achieve this? We've tried using CN and SAN Other but just can't get it working.

Regards

Roger

Roger,

Yes, I have got EAP-TLS inner for both user and machine auth. You should see if the issue is authentication failure or policy not matched. If your policy is checking against AD groups then you may need to use the common name field in the cert. I have found that when using SAN I have problems getting the AD user attributes, but when using common name I can see the group memberships of the user. Make sure you test both user and machine cert separately so you can identify that both will work when using common name. In your authentication policy you can match on wired 802.1x and use two cert stores, one that checks common name (user should pass this) and another that uses SAN (machine can use this); by making the common name the first one checked, your users will always use that one, and machines may fail over to the one that uses SAN.

Main thing is test certs by themselves to see if they work alone, then you can look at EAP Chaining your certs.

Hi Chris

I would say that this is for wireless rather than wired, but it shouldn't really make any difference.

I haven't actually tried using CN for User and SAN for machine by using an Identity Store Sequence that picks up 2 certificate profiles. I'll try that.

Did you need to change anything on the user and machine auth elements of the AnyConnect profile?

I recall there is an unprotected identity set to anonymous and a protected identity that is set to something like [username].

Regards

Roger

Roger,

I can't remember, but I may have set both the unprotected and protected to [username] so that I didn't get anonymous logs in ISE. I have a fairly nice ISE lab and a laptop that is a member of the test domain with NAM and NAC; next time I'm in the office I can test this all out. I've always used two-part authentication with EAP-FASTv2, as I explain to customers it's extra protection. If your certs become compromised then the machine can't authenticate, and your profile for full access should require both machine and user to pass. If you read the TrustSec 2.1 guide, their examples are with machine and user certificates, not two-part like I do. The document is pretty good and tells you how the NAM should be configured and also how your ISE policy should or could look. The thing I love about ISE is how creative you can get with it to make this stuff shine.

http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf
