02-18-2015 05:52 AM - edited 03-10-2019 10:27 PM
Hi,
I have stumbled into a strange issue trying to authenticate a user over wireless. I am using PEAP as the authentication protocol. I have configured my authentication and authorization policy but when I come to authenticate the authorization policy selected is the default which denies access.
I have used the 802.1x compound conditions for matching the machine authentication and then the user authentication
MACHINE AUTHENTICATION
match
framed
Wireless
AD group (machine)
USER AUTHENTICATION
match
framed
Wireless
AD group (USER)
was authenticated = true
Below are steps taken to authenticate any ideas would be great.
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15006 Matched Default Rule
11507 Extracted EAP-Response/Identity
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12810 Prepared TLS ServerDone message
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12318 Successfully negotiated PEAP version 0
12812 Extracted TLS ClientKeyExchange message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12310 PEAP full handshake finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12313 PEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
15041 Evaluating Identity Policy
15006 Matched Default Rule
22072 Selected identity source sequence
15013 Selected Identity Source - AD1
24430 Authenticating user against Active Directory
24325 Resolving identity
24313 Search for matching accounts at join point
24315 Single matching account found in domain
24323 Identity resolution detected single matching account
24343 RPC Logon request succeeded
24402 User authentication against Active Directory succeeded
22037 Authentication Passed
11824 EAP-MSCHAP authentication attempt passed
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814 Inner EAP-MSCHAP authentication succeeded
11519 Prepared EAP-Success for inner EAP method
12314 PEAP inner method finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
24423 ISE has not been able to confirm previous successful machine authentication
15036 Evaluating Authorization Policy
15048 Queried PIP
15048 Queried PIP
24432 Looking up user in Active Directory - xxx\zzz Support
24355 LDAP fetch succeeded
24416 User's Groups retrieval from Active Directory succeeded
15048 Queried PIP
15048 Queried PIP
15004 Matched rule - Default
15016 Selected Authorization Profile - DenyAccess
15039 Rejected per authorization profile
12306 PEAP authentication succeeded
11503 Prepared EAP-Success
11003 Returned RADIUS Access-Reject
5434 Endpoint conducted several failed authentications of the same scenario
Solved! Go to Solution.
02-19-2015 09:20 AM
Windows will only machine authentication when you are booting up, so when testing you can't just disconnect/connect the pc, you need to reboot. The solution to this is called cisco anyconnect nam, and eap-chaining.
02-18-2015 06:45 AM
24423 ISE has not been able to confirm previous successful machine authentication
Judging by that line and what your policy says, it appears that your authentication was rejected as your machine was not authenticated prior to this connection.
first thing to check is whether MAR has been enabled on the identity source. second thing to check is whether your machine is set to send a certificate for authentication. there are other things you can look at but I'd do those two first.
log off and on or reboot and then see if you at least get a failed machine auth on the operations>authentication page and we can go from there.
02-18-2015 03:37 PM
I can confirm it is to do with the machine authentication not happening, I changed the Authorization rule to just do AD log in and client connected when using an IPhone failed with a corp laptop.
I have tested with MAR enabled and disabled and still no access.
I have requested a fresh build laptop with a new GP update just for this laptop for a true test.
Any further ideas?
02-19-2015 03:52 AM
you need to see why it is failing machine authentication, if it is being passed to ISE there will be an entry for it on the operations>authentications page. If you can get the output for a machine auth failure then we can troubleshoot from there.
02-19-2015 04:32 AM
That's the issue It doesn't seem to be even trying to authenticate...
Regardless of how I configure the windows adapter I always hit the default rule!
02-19-2015 09:20 AM
Windows will only machine authentication when you are booting up, so when testing you can't just disconnect/connect the pc, you need to reboot. The solution to this is called cisco anyconnect nam, and eap-chaining.
02-20-2015 03:24 AM
as JAN mentioned, how are you trying to get it to re-authenticate when testing? machine authentication on windows usually occurs on lo on/log off or a reboot.
secondly you may want to disable suppression on that particular machines mac address as this will prevent it from coming up in the live authentications.
if you're already applying the above then screenshot your peap setings from the client and let's see how its configured.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide