Re: Cisco ISE 802.1X Configuration

AbrarMukit · ‎09-01-2022

Hi, I am new to Cisco ISE. Trying to set up authentication and authorization based on the certificate but it's not working. I have configured my router for the AAA model as well my test laptop got a certificate. I have uploaded the same root cert to cisco ISE as a trusted cert.

When it's authenticating its using the MAB authenticating method instead of 802.1x

ammahend · ‎09-01-2022

If it’s going mab then make sure your supplicant (endpoint) is properly configured for EAP-TLS. The picture you attached is blurr so I can not confirm your policy.

follow this guide, even if you have different version of ISE concept is same : https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/214975-configure-eap-tls-authentication-with-is.html

-hope this helps-

AbrarMukit · ‎09-01-2022

AbrarMukit · ‎09-01-2022

AbrarMukit · ‎09-01-2022

Steps

	11001	Received RADIUS Access-Request
	11017	RADIUS created a new session
	11027	Detected Host Lookup UseCase (Service-Type = Call Check (10))
	15049	Evaluating Policy Group
	15008	Evaluating Service Selection Policy
	15048	Queried PIP
	15048	Queried PIP
	15041	Evaluating Identity Policy
	15048	Queried PIP
	15048	Queried PIP
	22072	Selected identity source sequence
	15013	Selected Identity Source -
	24210	Looking up User in Internal Users IDStore - 60:6D:3C:D3:F3:F1
	24216	The user is not found in the internal users identity store
	15013	Selected Identity Source -
	24497	Selected Active Directory Scope is empty
	15013	Selected Identity Source -
	24631	Looking up User in Internal Guests IDStore
	24633	The user is not found in the internal guests identity store
	22016	Identity sequence completed iterating the IDStores
	22056	Subject not found in the applicable identity store(s)
	22058	The advanced option that is configured for an unknown user is used
	22060	The 'Continue' advanced option is configured in case of a failed authentication request
	24715	ISE has not confirmed locally previous successful machine authentication for user in Active Directory
	15036	Evaluating Authorization Policy
	24209	Looking up Endpoint in Internal Endpoints IDStore - 60:6D:3C:D3:F3:F1
	24211	Found Endpoint in Internal Endpoints IDStore
	15048	Queried PIP
	15016	Selected Authorization Profile - DenyAccess
	15039	Rejected per authorization profile
	11003	Returned RADIUS Access-Reject
	5434	Endpoint conducted several failed authentications of the same scenario

AbrarMukit · ‎09-01-2022

Overview

Event	5434 Endpoint conducted several failed authentications of the same scenario
Username	60:6D:3C:D3:F3:F1
Endpoint Id	60:6D:3C:D3:F3:F1
Endpoint Profile	Unknown
Authentication Policy	Nomad_Test >> Nomad_R1
Authorization Policy	Nomad_Test >> Default
Authorization Result	DenyAccess

Authentication Details

Source Timestamp	2022-09-02 11:10:25.992
Received Timestamp	2022-09-02 11:10:25.992
Policy Server	didge-lab-ise1
Event	5434 Endpoint conducted several failed authentications of the same scenario
Failure Reason	15039 Rejected per authorization profile
Resolution	Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.
Root cause	Selected Authorization Profile contains ACCESS_REJECT attribute
Username	60:6D:3C:D3:F3:F1
Endpoint Id	60:6D:3C:D3:F3:F1
Endpoint Profile	Unknown
IPv4 Address	10.200.130.57
Identity Group	Unknown
Audit Session Id	0AC8823400000FFB13D7B942
Authentication Method	mab
Authentication Protocol	Lookup
Service Type	Call Check
Network Device	DidgeLab_3850
Device Type	All Device Types
Location	All Locations#h
NAS IPv4 Address	10.200.130.52
NAS Port Id	GigabitEthernet1/0/17
NAS Port Type	Ethernet
Authorization Profile	DenyAccess

Other Attributes

ConfigVersionId	6827
Device Port	1645
DestinationPort	1812
RadiusPacketType	AccessRequest
UserName	60-6D-3C-D3-F3-F1
Protocol	Radius
NAS-IP-Address	10.200.130.52
NAS-Port	60000
Framed-MTU	1500
OriginalUserName	606d3cd3f3f1
IsEndpointInRejectMode	false
NetworkDeviceProfileName	Cisco
NetworkDeviceProfileId	b0699505-3150-4215-a80e-6753d45bf56c
IsThirdPartyDeviceFlow	false
RadiusFlowType	WiredMAB
SSID	C8-00-84-D3-F8-11
AcsSessionID	didge-lab-ise1/448433138/2982
UseCase	Host Lookup
SelectedAuthenticationIdentityStores	Internal Users
SelectedAuthenticationIdentityStores	All_AD_Join_Points
SelectedAuthenticationIdentityStores	Guest Users
IdentityPolicyMatchedRule	Nomad_R1
AuthorizationPolicyMatchedRule	Default
CPMSessionID	0AC8823400000FFB13D7B942
EndPointMACAddress	60-6D-3C-D3-F3-F1
ISEPolicySetName	Nomad_Test
IdentitySelectionMatchedRule	Nomad_R1
StepData	5= Radius.Service-Type
StepData	6= Network Access.Protocol
StepData	8= Radius.Service-Type
StepData	9= Network Access.Protocol
StepData	10=All_User_ID_Stores
StepData	11=Internal Users
StepData	14=All_AD_Join_Points
StepData	15=All_AD_Join_Points
StepData	16=Guest Users
StepData	27= Normalised Radius.RadiusFlowType
DTLSSupport	Unknown
HostIdentityGroup	Endpoint Identity Groups:Unknown
Network Device Profile	Cisco
Location	Location#All Locations#h
Device Type	Device Type#All Device Types
IPSEC	IPSEC#Is IPSEC Device
Called-Station-ID	C8:00:84:D3:F8:11
CiscoAVPair	service-type=Call Check
audit-session-id	0AC8823400000FFB13D7B942
method	mab

Result

RadiusPacketType	AccessReject
AuthenticationResult	UnknownUser

Session Events

2022-09-02 11:08:54.27

Authentication failed

Marcelo Morais · ‎09-01-2022

Hi @AbrarMukit ,

please double check your NAD configuration, special attention to the:

(config-if)# authentication order dot1x mab
(config-if)# authentication priority dot1x mab

also, use the debug radius all to check EAP packets from the Endpoint to the NAD.

Hope this helps !!!

AbrarMukit · ‎09-01-2022

Thats what it giving when I am trying to configure the NAD
Switch(config-if)#authentication order dot1x mab
Command deprecated (authentication order dot1x mab) - use cpl config