01-12-2017 06:16 AM - edited 03-11-2019 12:21 AM
Hi!
I have an issue with Cisco ISE which is:
I have an authentication policy that checks both username and password and certificate for a client. (We use Cisco AnyConnect on the client side.)
We have revoked the certificate in order for the client not to be accepted on the network. The revocation check goes fine and the logs say that the authentication has failed.
But, it still continues to check the authorization policy, and since the connecting user matches one of the Authorization policies, the user is both authenticated and authorized in the system. I have added some of the log here:
You can see that it says "Authentication failed...", but on the bottom it starts evaluating the Authorization Policy, which is a success.
22028 | Authentication failed and the advanced options are ignored
12967 | Sent EAP Intermediate Result TLV indicating failure
12105 | Prepared EAP-Request with another EAP-FAST challenge
11006 | Returned RADIUS Access-Challenge
11001 | Received RADIUS Access-Request
11018 | RADIUS is re-using an existing session
12104 | Extracted EAP-Response containing EAP-FAST challenge-response
24423 | ISE has not been able to confirm previous successful machine authentication
15036 | Evaluating Authorization Policy
24432 | Looking up user in Active Directory - ise_user,host/TODLAP05358.toll.intern.toll.no
I have also added a screenshot of the policy. The identity source chosen is one that selects both the certificate and the use of AD to authenticate the client's username and password.
Any ideas?
Thank you!
01-12-2017 05:07 PM
Can you post the entire authentication detail that the ISE went through? also what version of ISE are you running?
There is a setting under EAP-FAST protocol to allow for expired certificate to complete authentication - in order to re-enroll for a new certificate. Can you check if the setting seen in the screenshot (attached in this reply) is not checked?
01-12-2017 11:09 PM
Hi! Thank you for your reply.
ISE version: 2.1
Regarding the EAP-FAST setting: It is NOT checked in my configuration either.
Here is the whole authentication detail:
11001 | Received RADIUS Access-Request
11017 | RADIUS created a new session
11117 | Generated a new session ID for a 3rd party NAD
15049 | Evaluating Policy Group
15008 | Evaluating Service Selection Policy
15048 | Queried PIP
15004 | Matched rule
11507 | Extracted EAP-Response/Identity
12500 | Prepared EAP-Request proposing EAP-TLS with challenge
12625 | Valid EAP-Key-Name attribute received
11006 | Returned RADIUS Access-Challenge
11001 | Received RADIUS Access-Request
11018 | RADIUS is re-using an existing session
12101 | Extracted EAP-Response/NAK requesting to use EAP-FAST instead
12100 | Prepared EAP-Request proposing EAP-FAST with challenge
12625 | Valid EAP-Key-Name attribute received
11006 | Returned RADIUS Access-Challenge
11001 | Received RADIUS Access-Request
11018 | RADIUS is re-using an existing session
12102 | Extracted EAP-Response containing EAP-FAST challenge-response and accepting EAP-FAST as negotiated
12800 | Extracted first TLS record; TLS handshake started
12175 | Received Tunnel PAC
12805 | Extracted TLS ClientHello message
12806 | Prepared TLS ServerHello message
12801 | Prepared TLS ChangeCipherSpec message
12802 | Prepared TLS Finished message
12105 | Prepared EAP-Request with another EAP-FAST challenge
11006 | Returned RADIUS Access-Challenge
11001 | Received RADIUS Access-Request
11018 | RADIUS is re-using an existing session
12104 | Extracted EAP-Response containing EAP-FAST challenge-response
12804 | Extracted TLS Finished message
12816 | TLS handshake succeeded
12132 | EAP-FAST built PAC-based tunnel for purpose of authentication
12209 | Starting EAP chaining
12218 | Selected identity type 'User'
12125 | EAP-FAST inner method started
11521 | Prepared EAP-Request/Identity for inner EAP method
12105 | Prepared EAP-Request with another EAP-FAST challenge
11006 | Returned RADIUS Access-Challenge
11001 | Received RADIUS Access-Request
11018 | RADIUS is re-using an existing session
12104 | Extracted EAP-Response containing EAP-FAST challenge-response
12212 | Identity type provided by client is equal to requested
11522 | Extracted EAP-Response/Identity for inner EAP method
11806 | Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12105 | Prepared EAP-Request with another EAP-FAST challenge
11006 | Returned RADIUS Access-Challenge
11001 | Received RADIUS Access-Request
11018 | RADIUS is re-using an existing session
12104 | Extracted EAP-Response containing EAP-FAST challenge-response
11808 | Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
15041 | Evaluating Identity Policy
15006 | Matched Default Rule
22072 | Selected identity source sequence
15013 | Selected Identity Source - TOD-AD
24430 | Authenticating user against Active Directory
24325 | Resolving identity
24313 | Search for matching accounts at join point
24319 | Single matching account found in forest
24323 | Identity resolution detected single matching account
24343 | RPC Logon request succeeded
24402 | User authentication against Active Directory succeeded
22037 | Authentication Passed
11824 | EAP-MSCHAP authentication attempt passed
12105 | Prepared EAP-Request with another EAP-FAST challenge
11006 | Returned RADIUS Access-Challenge
11001 | Received RADIUS Access-Request
11018 | RADIUS is re-using an existing session
12104 | Extracted EAP-Response containing EAP-FAST challenge-response
11810 | Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814 | Inner EAP-MSCHAP authentication succeeded
11519 | Prepared EAP-Success for inner EAP method
12128 | EAP-FAST inner method finished successfully
12966 | Sent EAP Intermediate Result TLV indicating success
12105 | Prepared EAP-Request with another EAP-FAST challenge
11006 | Returned RADIUS Access-Challenge
11001 | Received RADIUS Access-Request
11018 | RADIUS is re-using an existing session
12104 | Extracted EAP-Response containing EAP-FAST challenge-response
12126 | EAP-FAST cryptobinding verification passed
12219 | Selected identity type 'Machine'
12125 | EAP-FAST inner method started
11521 | Prepared EAP-Request/Identity for inner EAP method
12105 | Prepared EAP-Request with another EAP-FAST challenge
11006 | Returned RADIUS Access-Challenge
11001 | Received RADIUS Access-Request
11018 | RADIUS is re-using an existing session
12104 | Extracted EAP-Response containing EAP-FAST challenge-response
12212 | Identity type provided by client is equal to requested
11522 | Extracted EAP-Response/Identity for inner EAP method
11806 | Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12105 | Prepared EAP-Request with another EAP-FAST challenge
11006 | Returned RADIUS Access-Challenge
11001 | Received RADIUS Access-Request
11018 | RADIUS is re-using an existing session
12104 | Extracted EAP-Response containing EAP-FAST challenge-response
12523 | Extracted EAP-Response/NAK for inner method requesting to use EAP-TLS instead
12522 | Prepared EAP-Request for inner method proposing EAP-TLS with challenge
12625 | Valid EAP-Key-Name attribute received
12105 | Prepared EAP-Request with another EAP-FAST challenge
11006 | Returned RADIUS Access-Challenge
11001 | Received RADIUS Access-Request
11018 | RADIUS is re-using an existing session
12104 | Extracted EAP-Response containing EAP-FAST challenge-response
12524 | Extracted EAP-Response containing EAP-TLS challenge-response for inner method and accepting EAP-TLS as negotiated
12800 | Extracted first TLS record; TLS handshake started
12805 | Extracted TLS ClientHello message
12806 | Prepared TLS ServerHello message
12807 | Prepared TLS Certificate message
12808 | Prepared TLS ServerKeyExchange message
12809 | Prepared TLS CertificateRequest message
12527 | Prepared EAP-Request for inner method with another EAP-TLS challenge
12105 | Prepared EAP-Request with another EAP-FAST challenge
11006 | Returned RADIUS Access-Challenge
11001 | Received RADIUS Access-Request
11018 | RADIUS is re-using an existing session
12104 | Extracted EAP-Response containing EAP-FAST challenge-response
12526 | Extracted EAP-Response for inner method containing TLS challenge-response
12527 | Prepared EAP-Request for inner method with another EAP-TLS challenge
12105 | Prepared EAP-Request with another EAP-FAST challenge
11006 | Returned RADIUS Access-Challenge
11001 | Received RADIUS Access-Request
11018 | RADIUS is re-using an existing session
12104 | Extracted EAP-Response containing EAP-FAST challenge-response
12526 | Extracted EAP-Response for inner method containing TLS challenge-response
12527 | Prepared EAP-Request for inner method with another EAP-TLS challenge
12105 | Prepared EAP-Request with another EAP-FAST challenge
11006 | Returned RADIUS Access-Challenge
11001 | Received RADIUS Access-Request
11018 | RADIUS is re-using an existing session
12104 | Extracted EAP-Response containing EAP-FAST challenge-response
12526 | Extracted EAP-Response for inner method containing TLS challenge-response
12527 | Prepared EAP-Request for inner method with another EAP-TLS challenge
12105 | Prepared EAP-Request with another EAP-FAST challenge
11006 | Returned RADIUS Access-Challenge
11001 | Received RADIUS Access-Request
11018 | RADIUS is re-using an existing session
12104 | Extracted EAP-Response containing EAP-FAST challenge-response
12526 | Extracted EAP-Response for inner method containing TLS challenge-response
12527 | Prepared EAP-Request for inner method with another EAP-TLS challenge
12105 | Prepared EAP-Request with another EAP-FAST challenge
11006 | Returned RADIUS Access-Challenge
11001 | Received RADIUS Access-Request
11018 | RADIUS is re-using an existing session
12104 | Extracted EAP-Response containing EAP-FAST challenge-response
12105 | Prepared EAP-Request with another EAP-FAST challenge
11006 | Returned RADIUS Access-Challenge
11001 | Received RADIUS Access-Request
11018 | RADIUS is re-using an existing session
12104 | Extracted EAP-Response containing EAP-FAST challenge-response
12105 | Prepared EAP-Request with another EAP-FAST challenge
11006 | Returned RADIUS Access-Challenge
11001 | Received RADIUS Access-Request
11018 | RADIUS is re-using an existing session
12104 | Extracted EAP-Response containing EAP-FAST challenge-response
12105 | Prepared EAP-Request with another EAP-FAST challenge
11006 | Returned RADIUS Access-Challenge
11001 | Received RADIUS Access-Request
11018 | RADIUS is re-using an existing session
12104 | Extracted EAP-Response containing EAP-FAST challenge-response
12526 | Extracted EAP-Response for inner method containing TLS challenge-response
12568 | Lookup user certificate status in OCSP cache
12569 | User certificate status was not found in OCSP cache
12987 | Take OCSP servers list from AIA extension of client certificate
12989 | Sent an OCSP request to the next OCSP server in the list
12553 | Received OCSP response
12555 | OCSP status of user certificate is revoked
12811 | Extracted TLS Certificate message containing client certificate
12814 | Prepared TLS Alert message
12817 | TLS handshake failed
12517 | EAP-TLS failed SSL/TLS handshake because of a revoked certificate in the client certificate chain
12529 | Inner EAP-TLS authentication failed
12527 | Prepared EAP-Request for inner method with another EAP-TLS challenge
12105 | Prepared EAP-Request with another EAP-FAST challenge
11006 | Returned RADIUS Access-Challenge
11001 | Received RADIUS Access-Request
11018 | RADIUS is re-using an existing session
12104 | Extracted EAP-Response containing EAP-FAST challenge-response
12526 | Extracted EAP-Response for inner method containing TLS challenge-response
11520 | Prepared EAP-Failure for inner EAP method
12117 | EAP-FAST inner method finished with failure
22028 | Authentication failed and the advanced options are ignored
12967 | Sent EAP Intermediate Result TLV indicating failure
12105 | Prepared EAP-Request with another EAP-FAST challenge
11006 | Returned RADIUS Access-Challenge
11001 | Received RADIUS Access-Request
11018 | RADIUS is re-using an existing session
12104 | Extracted EAP-Response containing EAP-FAST challenge-response
24423 | ISE has not been able to confirm previous successful machine authentication
15036 | Evaluating Authorization Policy
24432 | Looking up user in Active Directory - ise_user,host/TODLAP05358.toll.intern.toll.no
24325 | Resolving identity
24313 | Search for matching accounts at join point
24319 | Single matching account found in forest
24323 | Identity resolution detected single matching account
24355 | LDAP fetch succeeded
24416 | User's Groups retrieval from Active Directory succeeded
15048 | Queried PIP
15004 | Matched rule
15016 | Selected Authorization Profile - TODadminAccess
12964 | Sent EAP Result TLV indicating success
12105 | Prepared EAP-Request with another EAP-FAST challenge
11006 | Returned RADIUS Access-Challenge
11001 | Received RADIUS Access-Request
11018 | RADIUS is re-using an existing session
12104 | Extracted EAP-Response containing EAP-FAST challenge-response
12106 | EAP-FAST authentication phase finished successfully
11503 | Prepared EAP-Success
11002 | Returned RADIUS Access-Accept
02-06-2017 09:23 PM
Authentication is passing because you have the advanced option set to "ignore" mode; this can be seen in log step 22028:
22028 | Authentication failed and the advanced options are ignored
It is most likely not matching the authentication policy "Sertifikat" but a later one.
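As an added example (not code from the thread or from Cisco), a small Python audit that reads an ISE authentication detail in the "code | message" form shown in this thread and flags the pattern described above: authentication failed at step 22028, yet the session went on to evaluate the authorization policy and ended in an Access-Accept. The step codes are the ones quoted in the posts; the sample input is constructed from the posted detail.

```python
import re

# Added example: audit an ISE "authentication detail" for the pattern the
# original poster hit (authentication failed, yet authorization ran and the
# session got an Access-Accept). Step codes are those quoted in the thread.
STEP_AUTHN_FAILED = "22028"   # Authentication failed and the advanced options are ignored
STEP_CERT_REVOKED = "12555"   # OCSP status of user certificate is revoked
STEP_AUTHZ_EVAL = "15036"     # Evaluating Authorization Policy
STEP_ACCESS_ACCEPT = "11002"  # Returned RADIUS Access-Accept

# One step per line: "<5-digit code> | <message>", with an optional trailing "|".
STEP_RE = re.compile(r"^\s*(\d{5})\s*\|\s*(.+?)\s*\|?\s*$")


def parse_steps(detail: str) -> list[tuple[str, str]]:
    """Return (code, message) pairs in the order ISE logged them; skip other lines."""
    steps = []
    for line in detail.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append((m.group(1), m.group(2)))
    return steps


def audit_session(steps: list[tuple[str, str]]) -> dict:
    """Summarise the session outcome and flag 'failed authentication but accepted'."""
    codes = [c for c, _ in steps]
    failed_at = codes.index(STEP_AUTHN_FAILED) if STEP_AUTHN_FAILED in codes else None
    accept_at = codes.index(STEP_ACCESS_ACCEPT) if STEP_ACCESS_ACCEPT in codes else None
    return {
        "cert_revoked": STEP_CERT_REVOKED in codes,
        "auth_failed": failed_at is not None,
        "authz_after_failure": failed_at is not None and STEP_AUTHZ_EVAL in codes[failed_at:],
        "accepted": accept_at is not None,
        # Authentication failed, then authorization ran, then Access-Accept was returned
        "suspicious": failed_at is not None and accept_at is not None and accept_at > failed_at,
    }


# Constructed sample: the tail of the detail pasted in the thread, one step per line.
SAMPLE_DETAIL = """\
12555 | OCSP status of user certificate is revoked
12517 | EAP-TLS failed SSL/TLS handshake because of a revoked certificate in the client certificate chain
22028 | Authentication failed and the advanced options are ignored
15036 | Evaluating Authorization Policy
15016 | Selected Authorization Profile - TODadminAccess
11002 | Returned RADIUS Access-Accept
"""

if __name__ == "__main__":
    print(audit_session(parse_steps(SAMPLE_DETAIL)))
```

A session that fails at 22028 and then shows 15036 and 11002 is the misconfiguration this thread describes; run the audit over exported details to find other sessions with the same shape.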
02-08-2017 08:14 AM
Hi Angel,
I am not running 2.1 yet, but I was wondering if you could provide me the path to the "IGNORE MODE"... I am currently on version 1.4 and I am looking for something like that.
thanks