Cisco ISE Authentication Methods

Admin Eastland
Level 1

I have a five-year-old deployment running 2.4 patch 4. When I built ISE I originally wanted domain computers to authenticate using EAP-TLS. For reasons I can't remember I could not get that working, and I settled for MAB for machine authentication and PEAP-MSCHAPv2 for user authentication.

 

Yesterday I started to work with EAP-TLS authentication again and I got a wired authentication working for EAP-TLS. The problem is that I had several machines drop their sessions and try to use EAP-TLS. This totally locked their authentication and I was forced to turn off my EAP-TLS rule. The problem was that I created a whole new rule for EAP-TLS, but I made the mistake of putting the rule above my PEAP rule. I have since moved the EAP-TLS rule below PEAP, but my test machine stops at the PEAP rule with an error saying that I had a computer using a rule for authentication with username and password, but the machine is configured for certificate authentication.

 

I need some assistance with an authentication rule that will allow both EAP methods to live together without interfering with each other. I'm wondering whether, under the PEAP and EAP-TLS authentication rules, I need to set the advanced options, i.e. "if authentication fails", to "continue" rather than "reject", or something like that. Since I am making headway on EAP-TLS I would like to continue to get this working for wireless, so I can have it complete to where all I have to do is set the GPO to pull the machine/user certificate and go live. Any assistance would be great. Thank you.

1 Accepted Solution


Use All_User_ID_Stores and make sure you choose Default Network Access as the allowed protocols which usually has all the protocols enabled including EAP-TLS and PEAP-MsCHAPv2.

This should do.


16 Replies

Surendra
Cisco Employee
Can you send us the screenshot of the authentication policies you have configured and also the screenshots of identity source sequences you have used in respective authentication policies?

[screenshots attached: All Auth rules, PEAP, EAP-TLS]

Use All_User_ID_Stores and make sure you choose Default Network Access as the allowed protocols which usually has all the protocols enabled including EAP-TLS and PEAP-MsCHAPv2.

This should do.

My concern with this is that when I look at the source sequence for All_User_ID_Stores the certificate authentication profile is not listed. How will it know to use that when it sees an EAP-TLS session?

That appears to have worked, but I will probably take this up with TAC. I would really like to see the individual authentication methods used in the live logs rather than having to expand the authentication detail. At any rate, thanks for your input.

You can do that without expanding the Authentication details. PFA the screenshot. [screenshot attached: Screen Shot 2018-12-06 at 6.18.02 PM.png]

 

Just check those check boxes and drag them up or down to place the column where you want and this will help you check the auth method/protocol without opening live logs. 

The way I do this is to create one Policy Set called Wireless 802.1X (or Wired 802.1X) and then in the allowed protocols you select PEAP and EAP-TLS only.

In the Authentication Rules you have one Rule for EAP-TLS where you specify your certificate profile, and for EAP-PEAP you can use whatever Identity Source Sequence that applies to you (e.g. AD Join Points etc.)

In Authorization you can perform all the necessary checks - again have one Rule per EAP Method.  

 

That will not fly if you want both of them to be in the same rule and that is the reason why you see the error that ISE is configured to use cert based authentication only.

If you do it the way I have mentioned, you can have clients use whatever protocol they would like to and ISE will accept whatever protocol client prefers.
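To make the rule-ordering point above concrete, here is a constructed Python model of first-match authentication rule evaluation. It is an added example, not ISE code and not from anyone in this thread: the identity source names, the "Combined_ISS" sequence and the simplified pass/fail semantics are assumptions, and the condition attribute names only echo ISE's Network Access dictionary (EapTunnel, EapAuthentication). It compares the three layouts discussed: a PEAP rule with no EAP-specific condition sitting above the EAP-TLS rule, one rule per EAP method, and a single rule backed by a sequence that contains both a certificate profile and AD.

```python
"""Constructed model of ISE-style authentication rule evaluation.
Not ISE code. First matching rule wins, and the outcome depends on whether
that rule's identity source can validate the credential the supplicant sent.
There is no fallthrough to later rules once a rule has matched."""
from dataclasses import dataclass

# Which credential type each identity source can validate (constructed names).
IDENTITY_SOURCES = {
    "AD_JoinPoint": {"password"},                  # MSCHAPv2 inner method against AD
    "Cert_Profile": {"certificate"},               # certificate authentication profile
    "Combined_ISS": {"password", "certificate"},   # sequence: cert profile + AD (assumed)
}


@dataclass(frozen=True)
class AuthRule:
    name: str
    condition: dict          # attribute -> required value; empty dict matches everything
    identity_source: str


@dataclass(frozen=True)
class Request:
    eap_tunnel: str          # "PEAP" for PEAP-MSCHAPv2, "" for plain EAP-TLS
    eap_auth: str            # "EAP-TLS" or "EAP-MSCHAPv2"
    credential: str          # "certificate" or "password"


def matches(rule: AuthRule, req: Request) -> bool:
    """Does every attribute in the rule condition equal the request's value?"""
    attrs = {"EapTunnel": req.eap_tunnel, "EapAuthentication": req.eap_auth}
    return all(attrs[k] == v for k, v in rule.condition.items())


def evaluate(rules, req: Request):
    """Return (rule_name, outcome). PASS if the first matching rule's identity
    source can validate the credential type, FAIL otherwise."""
    for rule in rules:
        if matches(rule, req):
            ok = req.credential in IDENTITY_SOURCES[rule.identity_source]
            return rule.name, ("PASS" if ok else "FAIL")
    return None, "NO_RULE_MATCHED"


# Layout 1 (the situation described in the thread): a PEAP rule with no
# EAP-specific condition sits above the EAP-TLS rule, so every 802.1X
# request, including the certificate client, lands on the PEAP rule.
BROKEN = [
    AuthRule("PEAP", {}, "AD_JoinPoint"),
    AuthRule("EAP-TLS", {"EapAuthentication": "EAP-TLS"}, "Cert_Profile"),
]

# Layout 2: one rule per EAP method, each gated by its own condition,
# so order between them no longer matters.
PER_METHOD = [
    AuthRule("EAP-TLS", {"EapAuthentication": "EAP-TLS"}, "Cert_Profile"),
    AuthRule("PEAP", {"EapTunnel": "PEAP"}, "AD_JoinPoint"),
]

# Layout 3: a single catch-all rule whose identity source sequence
# includes both a certificate profile and AD.
SINGLE_RULE = [AuthRule("Dot1X", {}, "Combined_ISS")]

# Constructed sample requests.
EAP_TLS_MACHINE = Request("", "EAP-TLS", "certificate")
PEAP_USER = Request("PEAP", "EAP-MSCHAPv2", "password")


def demo():
    """Evaluate both sample requests against all three layouts."""
    layouts = (("broken", BROKEN), ("per_method", PER_METHOD), ("single", SINGLE_RULE))
    return {
        label: {
            "eap_tls": evaluate(rules, EAP_TLS_MACHINE),
            "peap": evaluate(rules, PEAP_USER),
        }
        for label, rules in layouts
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:11s} EAP-TLS -> {result['eap_tls']}   PEAP -> {result['peap']}")
```

Running it shows the certificate client failing on the "PEAP" rule in the first layout (the rule matched, its identity source only holds passwords, and no later rule is consulted), while both of the other layouts pass both clients. The real ISE engine has more states than PASS/FAIL, but the first-match behaviour is the part that explains the error reported in the original post.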

I would really like to see the authentication method used in the live logs. This is why I asked if I could just change "REJECT" under "if auth fails" to "CONTINUE" for PEAP. My thought is that it would continue to the next rule. I would then set EAP-TLS to "CONTINUE" as well, so that if a PEAP session fails the first time it would loop rather than hard stop at EAP-TLS if a supplicant is the problem. I would rather send a building tech to fix a misconfigured supplicant than have it hard stop on the wrong rule. Will this work?

Continue option does not work for EAP or PEAP

When I created my authorization rules I never really set authentication method as part of the rule since I knew that I was using pretty much the default authentication method of PEAP-MSCHAPv2. It sounds like what I would need to do is explicitly name EAP methods for each rule in my policies for this to work, correct?

From the screenshot that was sent, it seems like you have explicitly configured separate rules for each protocol. What I am suggesting is to use one rule for all types of EAP methods.

I'll give it a shot, but I see this as a shortcoming of ISE, not being able to see which specific method was used without opening the full authentication report.

The authentication protocol is listed in the live logs Authentication Protocol column.  Also if you have a good naming convention on your authorization profiles you should know exactly what happened:

 

Wired_Dot1x_EAP-TLS_Domain_Computer

 

I have no questions when I see that in my logs.