cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6486
Views
0
Helpful
20
Replies

Ask the Expert: Identity Services Engine - 802.1x, Identity Management and BYOD

ciscomoderator
Community Manager
Community Manager

Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco Identity Service Engine (ISE) with subject matter expert Nicolas Darchis.

Cisco Identity Service Engine is a security policy management and control platform that automates and simplifies access control and security compliance for wired, wireless, and VPN connectivity. It is primarily used to provide secure access and guest access, support BYOD initiatives, and enforce usage policies in conjunction with Cisco TrustSec. 

Nicolas Darchis is a wireless and authentication, authorization, and accounting expert for the Technical Assistance Center at Cisco Europe. He has been troubleshooting wireless networks, wireless management tools, and security products, including Cisco Secure Access Control Server, since 2007. He also focuses on filing technical and documentation bugs. Darchis holds a bachelor's degree in computer networking from the Haute Ecole Rennequin Sualem and a master's degree in computer science from the University of Liege. He also holds CCIE Wireless certification (no. 25344).

Remember to use the rating system to let Nicolas know if you have received an adequate response.

Because of the volume expected during this event, our expert might not be able to answer every question. Remember that you can continue the conversation in the Security community under subcommunity AAA, Identity, and NAC shortly after the event. This event lasts through June 20, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

20 Replies 20

KASPER FOSS
Level 1
Level 1

Hi Nicolas I have some ongoing issue that I hope you can help me with.

The ISE env. are running on 1.1.0.665 which I know less than optimal.

First of all I'm working on a setup,where wired as well as wireless clients looses lan connectivity as if they/the system are loosing their validation credentials (which means that they are redirected to the web portal).

It occurs both when the clients are starting up in the morning, as well as during the day - but it's not consistent.

The wired clients use a combination of domain pc and certificate validation, whereas the wifi clients uses domain pc and eap-tls.

Untill now I haven't been able to find any reasons for the validation loss in the log server - it just sort of initialize a webauthentication.

 

My second question is regarding Apple "smart device" authentication on the ISP guest portal. I'm aware of that it's a broadly discussed topic, and I know of the Captive-bypass solution.

Is this really the only way to solve the CNA issue ?. If so what is the consequence for other smart devices ?.

 

My final question is regarding wifi clients that when being connected to a wired network looses connective with the following log entry:

"Identity policy result is configured for password based authentication methods but received certificate based authentication request".

I have just seen this message today, and I'm wondering whether it would solve the issue if I added certificate authentication as a secondary option, with eap-tls as the primary ?.

If so what new issues would that raise (if any)

 

I hope just some of it made sense smiley.

Hi.

 

1) It is not "ISE loses the credentials and asks for web portal again". Once a user is authenticated, it is authenticated as long as it stays connected. Possibilities are :

-You are returning a session timeout (attribute radius 27) in the authz profile of the user. Therefore user has to reauthenticate after X seconds. But you would see a pattern, then.

-Over wireless, many clients are not capable of doing fast roaming (smartphones is the biggest example) and will therefore reauthenticate with dot1x everytime they roam. A small coverage hole would be enough for the cached credentials to disappear and web portal to show up again

-Over wired, this cannot really occur but the idea is that it's probably the switch resetting the connection and contacting ISE again. The idea to troubleshoot this is to monitor the access device (WLC/switch) and check if the port goes up/down, if the MAB session gets reset or something and why.

 

2) The captive bypass issue is that Apple devices will probe apple.com website to check if there is internet connectivity. If they can reach it, then fine, if they sense that they are redirected, they open a small window pop up with the login portal. The problem (and I still cannot understand why) is that this is not Safari, it's some nameless feature-less browser that doesn't work properly.

By enabling the captive bypass feature, the WLC intercepts the requests to the Apple testpage and replies with HTTP OK. The apple device then thinks "ok I have internet connectivity" and it's up to the user to bring up a real browser to login to the portal page.

It therefore does not affect non-Apple device to have the feature enabled.

The problem is that in IOS 7.x, Apple decided to not just use Apple.com anymore but a whole list of testpages on different websites.

 

3) "whether it would solve the issue if I added certificate authentication as a secondary option, with eap-tls as the primary"

=> This is disturbing because EAP-TLS is a certificate authentication method. But ISE message seems to imply that the user is hitting an authnetication rule that only provides PEAP or EAP-FAST with mschap or something similar ...

If you have the windows default supplicant you have close to no control on what the client will submit. I can imagine that moving from wired to wireless, the laptop would sometimes try to send password instead of certificate and/or vice-versa. Anyconnect with fixed network profiles would solve the problem elegantly.

I cannot comment on your auth policies as I do not know them :-)

 

Regards,

Nicolas

Hi Nicolas,

 

  We´ve seen the following error during our guest login:

 

“Your session has expired.  Please login again".  The error in ISE is show up as Guest authentication failed: 86017: Session cache entry missing.” 

  After you disassociate  the user on WLC, users are able to authenticate normally.

That can be many different things.

However, legitimate scenarios are if the client hits another ISE portal than the ISE he authenticated with.

Typically people would configure their CWA authorization result with a static ip/hostname instead of the default automatic setting and then you cannot be sure that the portal the client is redirected to is the ISE the client authenticated with. By having the automatic redirection URL pointing to the FQDN of the ISE the client authenticated with, this problem does not happen.

The same can then also occur in case of load balancers.

 

Another case is if you force the discovery host of the nac agent, then the same problem will happen for posture. Posture will only work if it automatically discovers the ISE that authenticated its radius session.

 

Weirder cases can happen if there is some radius mess. For example, if you have a central webauth scenario with a foreign-anchor WLC scenario and both controllers are configured for accounting, then they will both send a different session id in their accounting packets and the client session might be terminated as soon as it started. Workaround there is to only enable accounting on one WLC or to turn it off completely.

 

those are common gotchas. Like I said, it can be more complex and less legitimate, but that would need severe TAC troubleshooting to pinpoint further

 

 Nicolas,

 

   " Weirder cases can happen if there is some radius mess. For example, if you have a central webauth scenario with a foreign-anchor WLC scenario and both controllers are configured for accounting, then they will both send a different session id in their accounting packets and the client session might be terminated as soon as it started. Workaround there is to only enable accounting on one WLC or to turn it off completely."

  My scenario may fall in this case. How can I troubleshoot it in order to make sure?

 

  Thanks in advanced!!

neil.j.bishop
Level 1
Level 1

Hi, I have a couple of questions regarding the setup of the ISE 2.3 which have been picked up by security testing;

1st; Why does ISE Cache login's to the web GUI and how do i switch it off as it is a security vulnerability on my networks?

2nd; When I use SSH to login to the CIMC or the ISE CLI it allows 10 failed password attempts before it kicks you out, My Company have strict Security rules and I want to change this to only allow 3 password attempts before kicking the user out of the SSH session, How do I do this?

 

Kind Regards

 

Neil Bishop