03-13-2015 08:46 AM - edited 03-10-2019 10:32 PM
Hello all,
I am working on authentication Dot1x with Cisco ISE 1.2 and Switches Catalyst 2960 and 2950.
I need to know if there is a command that can make the port reauthenticating when the user change his AD account on the host?
unpluging/pluging cables is frustrating :(
Many thanks.
Solved! Go to Solution.
03-17-2015 06:38 AM
this would let both user and machine authenticate. for"5434Endpoint conducted several failed authentications of the same scenario" check Suppress Anomalous Clients option. This issue comes in to picture when endpoint attempts a couple of failed authentications and if Suppress Anomalous Clients option with Reject Requests After Detection is enabled then ISE Policy nodes protect themselves from overwhelming numbers of authentication requests by sending an immediate reject for suppressed clients as opposed to processing all the steps in a normal authentication. So if that user did some authentication failure, he will be locked for 1 hours (bydefault).
03-13-2015 09:59 AM
How is the supplicant on the endpoint configured? Do you have "computer authentication" only? You should have it configured with "computer or user authentication"
Thank you for rating helpful posts!
03-17-2015 10:23 AM
Hello Neno, Yes It is configured with 'computer or user authentication' ..
03-13-2015 10:20 AM
Here is a link on how to enable 802.1X on the end device for a wired or wireless network.
http://windows.microsoft.com/en-us/windows/enable-802-1x-authentication#1TC=windows-7
If the switch receives the EAP-Logoff message from the pc/supplicant, it should terminate the existing session.
To manually re-authenticate a client, enter:
dot1x re-authenticate interface g0/1
to configure a port to periodically re-authenticate enter:
dot1x re-authentication
dot1x timeout re-authperiod 4000
Here are two links on configuring 802.1x.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2950/software/release/12-1_9_ea1/configuration/guide/scg/Sw8021x.html#wp1036106
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_8021x/configuration/15-2mt/sec-ieee-8021x-rad-supp-sess-t.html
03-13-2015 11:05 AM
Ooh !! My problem is bigger than that it seems, on seeing the logs of authentication I found that the access was permitted by the default rule 'if no matches' bacause the supplicant (Win7) use only PEAP for authentication. The ISE recognise the Identity store and locate the user succesfully but It doesn't grant access to user based on this rule. How can I make ISE Communicate succesfully with PEAP. Here are the Logs:
11001 | Received RADIUS Access-Request | |
11017 | RADIUS created a new session | |
15049 | Evaluating Policy Group | |
15008 | Evaluating Service Selection Policy | |
15048 | Queried PIP | |
15048 | Queried PIP | |
15004 | Matched rule | |
11507 | Extracted EAP-Response/Identity | |
12500 | Prepared EAP-Request proposing EAP-TLS with challenge | |
12625 | Valid EAP-Key-Name attribute received | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12301 | Extracted EAP-Response/NAK requesting to use PEAP instead | |
12300 | Prepared EAP-Request proposing PEAP with challenge | |
12625 | Valid EAP-Key-Name attribute received | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12302 | Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated | |
12318 | Successfully negotiated PEAP version 0 | |
12800 | Extracted first TLS record; TLS handshake started | |
12805 | Extracted TLS ClientHello message | |
12806 | Prepared TLS ServerHello message | |
12807 | Prepared TLS Certificate message | |
12810 | Prepared TLS ServerDone message | |
12305 | Prepared EAP-Request with another PEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12304 | Extracted EAP-Response containing PEAP challenge-response | |
12318 | Successfully negotiated PEAP version 0 | |
12812 | Extracted TLS ClientKeyExchange message | |
12804 | Extracted TLS Finished message | |
12801 | Prepared TLS ChangeCipherSpec message | |
12802 | Prepared TLS Finished message | |
12816 | TLS handshake succeeded | |
12310 | PEAP full handshake finished successfully | |
12305 | Prepared EAP-Request with another PEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12304 | Extracted EAP-Response containing PEAP challenge-response | |
12313 | PEAP inner method started | |
11521 | Prepared EAP-Request/Identity for inner EAP method | |
12305 | Prepared EAP-Request with another PEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12304 | Extracted EAP-Response containing PEAP challenge-response | |
11522 | Extracted EAP-Response/Identity for inner EAP method | |
11806 | Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge | |
12305 | Prepared EAP-Request with another PEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12304 | Extracted EAP-Response containing PEAP challenge-response | |
11808 | Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated | |
15041 | Evaluating Identity Policy | |
15006 | Matched Default Rule | |
15013 | Selected Identity Source - AD1 | |
24430 | Authenticating user against Active Directory | |
24402 | User authentication against Active Directory succeeded | |
22037 | Authentication Passed | |
11824 | EAP-MSCHAP authentication attempt passed | |
12305 | Prepared EAP-Request with another PEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12304 | Extracted EAP-Response containing PEAP challenge-response | |
11810 | Extracted EAP-Response for inner method containing MSCHAP challenge-response | |
11814 | Inner EAP-MSCHAP authentication succeeded | |
11519 | Prepared EAP-Success for inner EAP method | |
12314 | PEAP inner method finished successfully | |
12305 | Prepared EAP-Request with another PEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12304 | Extracted EAP-Response containing PEAP challenge-response | |
24422 | ISE has confirmed previous successful machine authentication for user in Active Directory | |
15036 | Evaluating Authorization Policy | |
24432 | Looking up user in Active Directory - ********\******* | |
24416 | User's Groups retrieval from Active Directory succeeded | |
15048 | Queried PIP | |
15048 | Queried PIP | |
15048 | Queried PIP | |
15004 | Matched rule - Default | |
15016 | Selected Authorization Profile - DenyAccess | |
15039 | Rejected per authorization profile | |
12306 | PEAP authentication succeeded | |
11503 | Prepared EAP-Success | |
11003 | Returned RADIUS Access-Reject | |
5434 | Endpoint conducted several failed authentications of the same scenario |
03-17-2015 06:38 AM
this would let both user and machine authenticate. for"5434Endpoint conducted several failed authentications of the same scenario" check Suppress Anomalous Clients option. This issue comes in to picture when endpoint attempts a couple of failed authentications and if Suppress Anomalous Clients option with Reject Requests After Detection is enabled then ISE Policy nodes protect themselves from overwhelming numbers of authentication requests by sending an immediate reject for suppressed clients as opposed to processing all the steps in a normal authentication. So if that user did some authentication failure, he will be locked for 1 hours (bydefault).
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide