Cisco ISE 1.3 using 802.1x Authentication for wireless clients

aevans
Level 1

Hi,

 

I have stumbled into a strange issue trying to authenticate a user over wireless. I am using PEAP as the authentication protocol. I have configured my authentication and authorization policy but when I come to authenticate the authorization policy selected is the default which denies access.

 

I have used the 802.1x compound conditions for matching the machine authentication and then the user authentication.

 

MACHINE AUTHENTICATION rule: match
- framed
- Wireless
- AD group (machine)

USER AUTHENTICATION rule: match
- framed
- Wireless
- AD group (USER)
- was authenticated = true

 

Below are the steps taken to authenticate; any ideas would be great.

 

11001  Received RADIUS Access-Request
11017  RADIUS created a new session
15049  Evaluating Policy Group
15008  Evaluating Service Selection Policy
15048  Queried PIP
15048  Queried PIP
15048  Queried PIP
15006  Matched Default Rule
11507  Extracted EAP-Response/Identity
12300  Prepared EAP-Request proposing PEAP with challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12302  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318  Successfully negotiated PEAP version 0
12800  Extracted first TLS record; TLS handshake started
12805  Extracted TLS ClientHello message
12806  Prepared TLS ServerHello message
12807  Prepared TLS Certificate message
12810  Prepared TLS ServerDone message
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
12318  Successfully negotiated PEAP version 0
12812  Extracted TLS ClientKeyExchange message
12804  Extracted TLS Finished message
12801  Prepared TLS ChangeCipherSpec message
12802  Prepared TLS Finished message
12816  TLS handshake succeeded
12310  PEAP full handshake finished successfully
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
12313  PEAP inner method started
11521  Prepared EAP-Request/Identity for inner EAP method
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
11522  Extracted EAP-Response/Identity for inner EAP method
11806  Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
15041  Evaluating Identity Policy
15006  Matched Default Rule
22072  Selected identity source sequence
15013  Selected Identity Source - AD1
24430  Authenticating user against Active Directory
24325  Resolving identity
24313  Search for matching accounts at join point
24315  Single matching account found in domain
24323  Identity resolution detected single matching account
24343  RPC Logon request succeeded
24402  User authentication against Active Directory succeeded
22037  Authentication Passed
11824  EAP-MSCHAP authentication attempt passed
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
11810  Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814  Inner EAP-MSCHAP authentication succeeded
11519  Prepared EAP-Success for inner EAP method
12314  PEAP inner method finished successfully
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
24423  ISE has not been able to confirm previous successful machine authentication
15036  Evaluating Authorization Policy
15048  Queried PIP
15048  Queried PIP
24432  Looking up user in Active Directory - xxx\zzz Support
24355  LDAP fetch succeeded
24416  User's Groups retrieval from Active Directory succeeded
15048  Queried PIP
15048  Queried PIP
15004  Matched rule - Default
15016  Selected Authorization Profile - DenyAccess
15039  Rejected per authorization profile
12306  PEAP authentication succeeded
11503  Prepared EAP-Success
11003  Returned RADIUS Access-Reject
5434  Endpoint conducted several failed authentications of the same scenario

 

Accepted Solution

Windows will only do machine authentication when you are booting up, so when testing you can't just disconnect/connect the PC; you need to reboot. The solution to this is called Cisco AnyConnect NAM and EAP chaining.

6 Replies

KiloBravo
Level 1

 24423  ISE has not been able to confirm previous successful machine authentication  

 

Judging by that line and what your policy says, it appears that your authentication was rejected as your machine was not authenticated prior to this connection.

 

First thing to check is whether MAR has been enabled on the identity source. Second thing to check is whether your machine is set to send a certificate for authentication. There are other things you can look at, but I'd do those two first.

 

Log off and on, or reboot, and then see if you at least get a failed machine auth on the Operations > Authentications page, and we can go from there.
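To make that reading of the step log repeatable, here is an added example (not from this thread and not Cisco code) that parses an ISE step list like the one quoted above and flags this exact pattern: inner user authentication passed, step 24423 present, the Default authorization rule matched, and an Access-Reject returned. The step codes and messages are the ones in the post; the excerpt embedded as sample input is constructed from them.

```python
import re

# Constructed excerpt modelled on the step log in the post (not the poster's
# exact output); real input would be the full copied step list.
SAMPLE_STEPS = """\
  24402  User authentication against Active Directory succeeded
  22037  Authentication Passed
  11814  Inner EAP-MSCHAP authentication succeeded
  24423  ISE has not been able to confirm previous successful machine authentication
  15036  Evaluating Authorization Policy
  15004  Matched rule - Default
  15016  Selected Authorization Profile - DenyAccess
  15039  Rejected per authorization profile
  11003  Returned RADIUS Access-Reject
"""

# ISE step lines: a 4-5 digit step code, whitespace, then the message.
STEP_RE = re.compile(r"^\s*(\d{4,5})\s+(.*\S)\s*$")


def parse_steps(text):
    """Return a list of (code, message) tuples, one per recognised step line."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append((int(m.group(1)), m.group(2)))
    return steps


def _suffix(steps, code):
    """Text after ' - ' in the first step with this code (rule/profile name)."""
    for c, msg in steps:
        if c == code and " - " in msg:
            return msg.split(" - ", 1)[1]
    return None


def diagnose(steps):
    """Summarise the decision points that matter for a MAR-dependent policy."""
    codes = {c for c, _ in steps}
    result = {
        "user_auth_passed": 22037 in codes,     # Authentication Passed
        "mar_lookup_failed": 24423 in codes,    # no prior machine auth recorded
        "authz_rule": _suffix(steps, 15004),    # Matched rule - <name>
        "authz_profile": _suffix(steps, 15016),  # Selected Authorization Profile - <name>
        "access_rejected": 11003 in codes,      # Returned RADIUS Access-Reject
    }
    if result["user_auth_passed"] and result["mar_lookup_failed"] and result["access_rejected"]:
        result["verdict"] = ("user credentials OK; rejected because no prior machine "
                             "authentication was recorded, so the user rule's "
                             "'was authenticated' condition could not match")
    elif result["access_rejected"]:
        result["verdict"] = "rejected for another reason; check identity policy and credentials"
    else:
        result["verdict"] = "access granted"
    return result
```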

I can confirm it is to do with the machine authentication not happening. I changed the authorization rule to just do AD login, and the client connected when using an iPhone but failed with a corp laptop.

 

I have tested with MAR enabled and disabled and still no access.

 

I have requested a fresh build laptop with a new GP update just for this laptop for a true test.

 

Any further ideas?

 

 

You need to see why it is failing machine authentication; if it is being passed to ISE there will be an entry for it on the Operations > Authentications page. If you can get the output for a machine auth failure then we can troubleshoot from there.

That's the issue. It doesn't seem to be even trying to authenticate...

 

Regardless of how I configure the windows adapter I always hit the default rule! 


As Jan mentioned, how are you trying to get it to re-authenticate when testing? Machine authentication on Windows usually occurs on log on/log off or a reboot.

 

Secondly, you may want to disable suppression on that particular machine's MAC address, as this will prevent it from coming up in the live authentications.

 

If you're already applying the above, then screenshot your PEAP settings from the client and let's see how it's configured.