Cisco ise 1.3 - eap-tls user + machine auth problem

Augustgood
Level 1

Hi all,

 

My EAP-TLS authentication and authorization policies do not work; these are my rules:

 

Authentication:

WIREDDEVICE:

Device Type EQUALS Device Type#All Device Types#Swicth Cisco

AND
Radius:NAS-Port-Type EQUALS Ethernet

Authorization:

WIRED-MACHINE if (Wired_802.1X AND ADTP2:ExternalGroups EQUALS tp2.it/Users/Domain Computers
AND Network Access:EapTunnel EQUALS PEAP
AND Network Access:EapAuthentication EQUALS EAP-TLS )
then WIRED_AD_ONLY
 
 WIRED-USER if (Wired_802.1X AND ADTP2:ExternalGroups EQUALS tp2.it/Users/Domain Users
AND Network Access:WasMachineAuthenticated EQUALS True
AND Network Access:EapTunnel EQUALS PEAP
AND Network Access:EapAuthentication EQUALS EAP-TLS )
then WIRED_PERMIT_ALL
 
Default if no matches, then DenyAccess
 
This is my error generated from ISE:
 
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - DEVICE.Device Type
15048 Queried PIP - Radius.Service-Type
15048 Queried PIP - Radius.NAS-Port-Type
15048 Queried PIP - Network Access.UseCase
15048 Queried PIP - Network Access.UseCase
15006 Matched Default Rule
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12502 Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12809 Prepared TLS CertificateRequest message
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12571 ISE will continue to CRL verification if it is configured for specific CA - certificate for Users
12571 ISE will continue to CRL verification if it is configured for specific CA - certificate for tp2-AD2K8-CA
12811 Extracted TLS Certificate message containing client certificate
12812 Extracted TLS ClientKeyExchange message
12813 Extracted TLS CertificateVerify message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12509 EAP-TLS full handshake finished successfully
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
15041 Evaluating Identity Policy
15006 Matched Default Rule
22072 Selected identity source sequence - TP2_SEQ
22071 Identity name is taken from AD account Implicit UPN
15013 Selected Identity Source - All_AD_Join_Points
24432 Looking up user in Active Directory - All_AD_Join_Points
24325 Resolving identity - CN=stefano nicoletti,CN=Users,DC=tp2,DC=it, stefano nicoletti, Users, st.nicoletti@tp2.it
24313 Search for matching accounts at join point - tp2.it
24362 Client certificate matches AD account certificate - st.nicoletti@tp2.it
24319 Single matching account found in forest - tp2.it
24362 Client certificate matches AD account certificate - st.nicoletti@tp2.it
24315 Single matching account found in domain - tp2.it
24323 Identity resolution detected single matching account
24700 Identity resolution by certificate succeeded - All_AD_Join_Points
22037 Authentication Passed
12506 EAP-TLS authentication succeeded
24423 ISE has not been able to confirm previous successful machine authentication
15036 Evaluating Authorization Policy
15004 Matched rule - Default
15016 Selected Authorization Profile - DenyAccess
15039 Rejected per authorization profile
11503 Prepared EAP-Success
11003 Returned RADIUS Access-Reject
 
 
------ If I sniff the traffic on the PC --- see attached file ----
 
This is the error reported on the switch:
 

3750x-nac#show authentication sessions interface Gi1/0/10: auth_bend_request -> auth_bend_request
*Mar  1 02:39:00.506: dot1x-sm(Gi1/0/10): 0x68000019:auth_bend_request_request_action called
*Mar  1 02:39:00.506: dot1x-sm(Gi1/0/10): 0x68000019:auth_bend_request_enter called
*Mar  1 02:39:00.506: dot1x-ev(Gi1/0/10): Sending EAPOL packet to 1060.4b4a.29fb
*Mar  1 02:39:00.506: dot1x-ev(Gi1/0/10): Role determination not required
*Mar  1 02:39:00.506: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar  1 02:39:00.506: dot1x-ev(Gi1/0/10): Sending out EAPOL packet
*Mar  1 02:39:00.506: EAPOL pak dump Tx
*Mar  1 02:39:00.506: EAPOL Version: 0x3  type: 0x0  length: 0x0005
*Mar  1 02:39:00.506: EAP code: 0x1  id: 0xFF length: 0x0005 type: 0x1 
*Mar  1 02:39:00.506: dot1x-packet(Gi1/0/10): EAPOL packet sent to client 0x68000019 (1060.4b4a.29fb)
*Mar  1 02:39:10.790: dot1x-ev(Gi1/0/10): Received an EAP Timeout
*Mar  1 02:39:10.799: dot1x-sm(Gi1/0/10): Posting EAP_TIMEOUT for 0x68000019
*Mar  1 02:39:10.799:     dot1x_auth_bend Gi1/0/10: during state auth_bend_request, got event 12(eapTimeout)
*Mar  1 02:39:10.799: @@@ dot1x_auth_bend Gi1/0/10: auth_bend_request -> auth_bend_timeout
*Mar  1 02:39:10.799: dot1x-sm(Gi1/0/10): 0x68000019:auth_bend_timeout_enter called
*Mar  1 02:39:10.799: dot1x-sm(Gi1/0/10): 0x68000019:auth_bend_request_timeout_action called
*Mar  1 02:39:10.799:     dot1x_auth_bend Gi1/0/10: idle during state auth_bend_timeout
*Mar  1 02:39:10.799: @@@ dot1x_auth_bend Gi1/0/10: auth_bend_timeout -> auth_bend_idle
*Mar  1 02:39:10.799: dot1x-sm(Gi1/0/10): 0x68000019:auth_bend_idle_enter called
*Mar  1 02:39:10.799: dot1x-sm(Gi1/0/10): Posting AUTH_TIMEOUT on Client 0x68000019
*Mar  1 02:39:10.799:     dot1x_auth Gi1/0/10: during state auth_authenticating, got event 14(authTimeout)
*Mar  1 02:39:10.799: @@@ dot1x_auth Gi1/0/10: auth_authenticating -> auth_authc_result
*Mar  1 02:39:10.799: dot1x-sm(Gi1/0/10): 0x68000019:auth_authenticating_exit called
*Mar  1 02:39:10.799: dot1x-sm(Gi1/0/10): 0x68000019:auth_authc_result_enter called
*Mar  1 02:39:10.799: %DOT1X-5-FAIL: Authentication failed for client (1060.4b4a.29fb) on Interface Gi1/0/10 AuditSessionID 
*Mar  1 02:39:10.799: dot1x-ev(Gi1/0/10): Sending event (2) to Auth Mgr for 1060.4b4a.29fb
*Mar  1 02:39:10.799: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (1060.4b4a.29fb) on Interface Gi1/0/10 AuditSessionID 0AD2010A000000180090C942
*Mar  1 02:39:10.799: dot1x-ev(Gi1/0/10): Received Authz fail for the client  0x68000019 (1060.4b4a.29fb)

*Mar  1 02:39:10.799: dot1x-ev(Gi1/0/10): Deleting client 0x68000019 (1060.4b4a.29fb)
*Mar  1 02:39:10.799: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (1060.4b4a.29fb) on Interface Gi1/0/10 AuditSessionID 0AD2010A000000180090C942
*Mar  1 02:39:10.799: %AUTHMGR-5-START: Starting 'mab' for client (1060.4b4a.29fb) on Interface Gi1/0/10 AuditSessionID 0AD2010A000000180090C942
*Mar  1 02:39:10.799: dot1x-sm(Gi1/0/10): Posting_AUTHZ_FAIL on Client 0x68000019
*Mar  1 02:39:10.799:     dot1x_aut
3750x-nac#show authentication sessions interface 

 

Who can help? This is a lab environment and I can't find the solution...

 

The certificates are on the PC for client and machine, AD join works perfectly, I changed the jumbo MTU.. but it does not work.....:(

 

Any help appreciated....:)

 

 

 
 
 
3 Replies

Augustgood
Level 1

The problem can be the binary comparison; on AD I haven't bound a certificate to the host.... ?

jan.nielsen
Level 7

Why do you have PEAP in your authz rules if you're doing EAP-TLS? This will never match; you can't do both in the same rule.

Also, don't expect "WasMachineAuthenticated" to work properly, it's not a very stable feature. You should look into Cisco AnyConnect NAM and EAP-Chaining.

 

WIRED-MACHINE if (Wired_802.1X AND ADTP2:ExternalGroups EQUALS tp2.it/Users/Domain Computers

AND Network Access:EapTunnel EQUALS PEAP
AND Network Access:EapAuthentication EQUALS EAP-TLS )
then WIRED_AD_ONLY
 
 WIRED-USER if (Wired_802.1X AND ADTP2:ExternalGroups EQUALS tp2.it/Users/Domain Users
AND Network Access:WasMachineAuthenticated EQUALS True
AND Network Access:EapTunnel EQUALS PEAP
AND Network Access:EapAuthentication EQUALS EAP-TLS )
then WIRED_PERMIT_ALL

I think jan is right, choose EAP-TLS or PEAP, not both.

However, your rule is failing on the WasMachineAuthenticated attribute. This is not a very good feature and pretty much fails when using more than one PSN. The problem is that machine authc happens on one PSN and gets logged, user authc happens on the other, and the machine authc log that is checked does not replicate between PSNs, so it fails.
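To make the two points above concrete (the PEAP-plus-EAP-TLS condition that can never match, and the WasMachineAuthenticated condition that ISE step 24423 shows as unconfirmed), here is an added example, not from the thread or from Cisco: a toy first-match evaluator over the poster's rules. The session attribute values are constructed from the posted ISE steps; EapTunnel is unset because native EAP-TLS has no outer tunnel.

```python
# Added example (not the thread's or Cisco's code): a minimal first-match model of
# an ISE-style authorization policy, used to show which condition in each of the
# poster's rules fails and why evaluation falls through to the Default rule.

# Session as ISE saw it (constructed from the posted steps): EAP-TLS succeeded,
# no tunnel (native EAP-TLS), and step 24423 = no confirmed machine authentication.
SESSION = {
    "Wired_802.1X": True,
    "ADTP2:ExternalGroups": ["tp2.it/Users/Domain Users"],
    "Network Access:EapAuthentication": "EAP-TLS",
    "Network Access:EapTunnel": None,                   # no PEAP/EAP-FAST outer method
    "Network Access:WasMachineAuthenticated": False,    # ISE step 24423
}

# Each rule: (name, [(attribute, expected value), ...], authorization profile), in order.
ORIGINAL_RULES = [
    ("WIRED-MACHINE", [("Wired_802.1X", True),
                       ("ADTP2:ExternalGroups", "tp2.it/Users/Domain Computers"),
                       ("Network Access:EapTunnel", "PEAP"),
                       ("Network Access:EapAuthentication", "EAP-TLS")], "WIRED_AD_ONLY"),
    ("WIRED-USER", [("Wired_802.1X", True),
                    ("ADTP2:ExternalGroups", "tp2.it/Users/Domain Users"),
                    ("Network Access:WasMachineAuthenticated", True),
                    ("Network Access:EapTunnel", "PEAP"),
                    ("Network Access:EapAuthentication", "EAP-TLS")], "WIRED_PERMIT_ALL"),
]

def condition_holds(session, attribute, expected):
    """EQUALS semantics; a multi-valued attribute (ExternalGroups) matches if any value equals."""
    actual = session.get(attribute)
    if isinstance(actual, list):
        return expected in actual
    return actual == expected

def evaluate(rules, session, default="DenyAccess"):
    """First matching rule wins. Returns (rule name, profile, {rule: failing conditions})."""
    failures = {}
    for name, conditions, profile in rules:
        failed = [attr for attr, value in conditions if not condition_holds(session, attr, value)]
        if not failed:
            return name, profile, failures
        failures[name] = failed
    return "Default", default, failures

def without_condition(rules, attribute):
    """Copy of the rule set with one attribute condition removed from every rule."""
    return [(n, [(a, v) for a, v in conds if a != attribute], p) for n, conds, p in rules]
```

Dropping the EapTunnel condition removes one blocker, but the session still falls to Default until WasMachineAuthenticated is actually confirmed, which is exactly what the replies say.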