804 Views | 0 Helpful | 1 Replies

CISCO ISE 1.4 EAPCHAINING NAM - USER CREDENTIALS PROMPTED

ndemers (Cisco Employee)

I have set up EAP-FAST with EAP-Chaining for a Win7 box. I am getting a credential prompt on the Cisco NAM and I can't figure out why. When I connect, both user and machine seem to pass, but then the NAM prompts for credentials and CoA reverts to Internet only. I have followed this guide but obviously am not getting the same result.

http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

When User fails but machine passes

Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Radius.Service-Type
15048 Queried PIP - Radius.NAS-Port-Type
15004 Matched rule - EXAMPLE-EAP-TLS
11507 Extracted EAP-Response/Identity
12100 Prepared EAP-Request proposing EAP-FAST with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12102 Extracted EAP-Response containing EAP-FAST challenge-response and accepting EAP-FAST as negotiated
12800 Extracted first TLS record; TLS handshake started
12175 Received Tunnel PAC
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12804 Extracted TLS Finished message
12816 TLS handshake succeeded
12132 EAP-FAST built PAC-based tunnel for purpose of authentication
12209 Starting EAP chaining
12210 Received User Authorization PAC
12211 Received Machine Authorization PAC
12218 Selected identity type 'User'
15041 Evaluating Identity Policy
15006 Matched Default Rule
22072 Selected identity source sequence - EXAMPLE_IDS
15013 Selected Identity Source - EXAMPLE
24432 Looking up user in Active Directory - EXAMPLE
24326 Searching subject object by UPN - USER1@internal.EXAMPLE.net
24328 Subject object not found in a cache
24330 Lookup SID By Name request succeeded
24332 Lookup Object By SID request succeeded
24336 Subject object cached
24351 Account validation succeeded
24420 User's Attributes retrieval from Active Directory succeeded - EXAMPLE
22037 Authentication Passed
12124 EAP-FAST inner method skipped
12219 Selected identity type 'Machine'
15041 Evaluating Identity Policy
15004 Matched rule - Default
15006 Matched Default Rule
22072 Selected identity source sequence - EXAMPLE_IDS
15013 Selected Identity Source - EXAMPLE
24433 Looking up machine in Active Directory - EXAMPLE
24326 Searching subject object by UPN - C0001-USER1$@internal.EXAMPLE.net
24327 Subject object found in a cache
24329 Subject cache entry expired
24330 Lookup SID By Name request succeeded
24332 Lookup Object By SID request succeeded
24336 Subject object cached
24351 Account validation succeeded
24439 Machine Attributes retrieval from Active Directory succeeded - EXAMPLE
22037 Authentication Passed
12124 EAP-FAST inner method skipped
12964 Sent EAP Result TLV indicating success
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12106 EAP-FAST authentication phase finished successfully
11503 Prepared EAP-Success
15036 Evaluating Authorization Policy
15048 Queried PIP - Radius.Service-Type
15048 Queried PIP - Radius.NAS-Port-Type
15048 Queried PIP - Network Access.EapTunnel
24432 Looking up user in Active Directory - EXAMPLE
24325 Resolving identity - USER1
24313 Search for matching accounts at join point - internal.EXAMPLE.net
24319 Single matching account found in forest - EXAMPLE.net
24323 Identity resolution detected single matching account
24355 LDAP fetch succeeded - internal.EXAMPLE.net
24416 User's Groups retrieval from Active Directory succeeded - EXAMPLE
24433 Looking up machine in Active Directory - EXAMPLE
24325 Resolving identity - host/C0001-USER1
24313 Search for matching accounts at join point - internal.EXAMPLE.net
24319 Single matching account found in forest - EXAMPLE.net
24323 Identity resolution detected single matching account
24355 LDAP fetch succeeded - internal.EXAMPLE.net
24435 Machine Groups retrieval from Active Directory succeeded - EXAMPLE
15048 Queried PIP - EXAMPLE.ExternalGroups
15004 Matched rule - WIRED_MACH_EAP-TLS
15016 Selected Authorization Profile - D_INTERNET_ONLY
11022 Added the dACL specified in the Authorization Profile
11002 Returned RADIUS Access-Accept
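As an added example (not from the post and not Cisco's own code): a small Python parser that reduces an ISE step list like the one above to the things worth checking first when EAP chaining ends with an unexpected profile: whether chaining ran, how each identity type fared, and which authorization rule and profile were finally applied. The step codes are the ones that appear in the quoted log; the embedded excerpt is a constructed subset of those steps.

```python
import re
from typing import Dict, Optional

# Constructed excerpt of the ISE step list quoted in the post (step code + message).
ISE_STEPS = """\
12209 Starting EAP chaining
12218 Selected identity type 'User'
22037 Authentication Passed
12219 Selected identity type 'Machine'
22037 Authentication Passed
12964 Sent EAP Result TLV indicating success
15036 Evaluating Authorization Policy
15004 Matched rule - WIRED_MACH_EAP-TLS
15016 Selected Authorization Profile - D_INTERNET_ONLY
11002 Returned RADIUS Access-Accept
"""

STEP_RE = re.compile(r"^\s*(\d{5})\s+(.*?)\s*$")  # "<5-digit code> <message>"

def summarize_eap_chaining(step_text: str) -> dict:
    """Report chaining status, per-identity-type result, and the final authz decision."""
    identities: Dict[str, str] = {}   # 'User' / 'Machine' -> result
    current: Optional[str] = None     # identity type currently being authenticated
    in_authz = False                  # set once 15036 (authorization policy) is reached
    summary = {"chaining": False, "identities": identities,
               "authz_rule": None, "authz_profile": None, "notes": []}
    for line in step_text.splitlines():
        m = STEP_RE.match(line)
        if not m:
            continue
        code, msg = m.groups()
        if code == "12209":                       # Starting EAP chaining
            summary["chaining"] = True
        elif code in ("12218", "12219"):          # Selected identity type 'X'
            current = msg.split("'")[1]
            identities.setdefault(current, "No pass recorded")
        elif code == "22037" and current:         # Authentication Passed (inner identity)
            identities[current] = "Passed"
        elif code == "15036":                     # Evaluating Authorization Policy
            in_authz = True
        elif code == "15004" and in_authz:        # Matched rule - <name> (authz phase only)
            summary["authz_rule"] = msg.split(" - ", 1)[1]
        elif code == "15016":                     # Selected Authorization Profile - <name>
            summary["authz_profile"] = msg.split(" - ", 1)[1]
    if len(identities) == 2 and all(v == "Passed" for v in identities.values()):
        summary["notes"].append("both User and Machine passed: confirm the matched "
                                f"rule ({summary['authz_rule']}) is meant for that case")
    return summary
```

Call `summarize_eap_chaining()` on the full step list copied from the ISE Live Log detail to get the same summary for a real session.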


ndemers (Cisco Employee)

bump
