Solved: Cisco ISE: Changing the domain user doesn't trigger automatic reauthentication

Bouchaib EL-GHOREFY · ‎03-13-2015

Hello all,

I am working on authentication Dot1x with Cisco ISE 1.2 and Switches Catalyst 2960 and 2950.

I need to know if there is a command that can make the port reauthenticating when the user change his AD account on the host?

unpluging/pluging cables is frustrating :(

Many thanks.

Venkatesh Attuluri · ‎03-17-2015

this would let both user and machine authenticate. for"5434Endpoint conducted several failed authentications of the same scenario" check Suppress Anomalous Clients option. This issue comes in to picture when endpoint attempts a couple of failed authentications and if Suppress Anomalous Clients option with Reject Requests After Detection is enabled then ISE Policy nodes protect themselves from overwhelming numbers of authentication requests by sending an immediate reject for suppressed clients as opposed to processing all the steps in a normal authentication. So if that user did some authentication failure, he will be locked for 1 hours (bydefault).

View solution in original post

nspasov · ‎03-13-2015

How is the supplicant on the endpoint configured? Do you have "computer authentication" only? You should have it configured with "computer or user authentication"

Thank you for rating helpful posts!

Bouchaib EL-GHOREFY · ‎03-17-2015

Hello Neno, Yes It is configured with 'computer or user authentication' ..

Charles Hill · ‎03-13-2015

Here is a link on how to enable 802.1X on the end device for a wired or wireless network.

http://windows.microsoft.com/en-us/windows/enable-802-1x-authentication#1TC=windows-7

If the switch receives the EAP-Logoff message from the pc/supplicant, it should terminate the existing session.

To manually re-authenticate a client, enter:
dot1x re-authenticate interface g0/1

to configure a port to periodically re-authenticate enter:
dot1x re-authentication
dot1x timeout re-authperiod 4000

Here are two links on configuring 802.1x.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2950/software/release/12-1_9_ea1/configuration/guide/scg/Sw8021x.html#wp1036106
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_8021x/configuration/15-2mt/sec-ieee-8021x-rad-supp-sess-t.html

Bouchaib EL-GHOREFY · ‎03-13-2015

Ooh !! My problem is bigger than that it seems, on seeing the logs of authentication I found that the access was permitted by the default rule 'if no matches' bacause the supplicant (Win7) use only PEAP for authentication. The ISE recognise the Identity store and locate the user succesfully but It doesn't grant access to user based on this rule. How can I make ISE Communicate succesfully with PEAP. Here are the Logs:

11001	Received RADIUS Access-Request
	11017	RADIUS created a new session
	15049	Evaluating Policy Group
	15008	Evaluating Service Selection Policy
	15048	Queried PIP
	15048	Queried PIP
	15004	Matched rule
	11507	Extracted EAP-Response/Identity
	12500	Prepared EAP-Request proposing EAP-TLS with challenge
	12625	Valid EAP-Key-Name attribute received
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12301	Extracted EAP-Response/NAK requesting to use PEAP instead
	12300	Prepared EAP-Request proposing PEAP with challenge
	12625	Valid EAP-Key-Name attribute received
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12302	Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
	12318	Successfully negotiated PEAP version 0
	12800	Extracted first TLS record; TLS handshake started
	12805	Extracted TLS ClientHello message
	12806	Prepared TLS ServerHello message
	12807	Prepared TLS Certificate message
	12810	Prepared TLS ServerDone message
	12305	Prepared EAP-Request with another PEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12304	Extracted EAP-Response containing PEAP challenge-response
	12318	Successfully negotiated PEAP version 0
	12812	Extracted TLS ClientKeyExchange message
	12804	Extracted TLS Finished message
	12801	Prepared TLS ChangeCipherSpec message
	12802	Prepared TLS Finished message
	12816	TLS handshake succeeded
	12310	PEAP full handshake finished successfully
	12305	Prepared EAP-Request with another PEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12304	Extracted EAP-Response containing PEAP challenge-response
	12313	PEAP inner method started
	11521	Prepared EAP-Request/Identity for inner EAP method
	12305	Prepared EAP-Request with another PEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12304	Extracted EAP-Response containing PEAP challenge-response
	11522	Extracted EAP-Response/Identity for inner EAP method
	11806	Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
	12305	Prepared EAP-Request with another PEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12304	Extracted EAP-Response containing PEAP challenge-response
	11808	Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
	15041	Evaluating Identity Policy
	15006	Matched Default Rule
	15013	Selected Identity Source - AD1
	24430	Authenticating user against Active Directory
	24402	User authentication against Active Directory succeeded
	22037	Authentication Passed
	11824	EAP-MSCHAP authentication attempt passed
	12305	Prepared EAP-Request with another PEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12304	Extracted EAP-Response containing PEAP challenge-response
	11810	Extracted EAP-Response for inner method containing MSCHAP challenge-response
	11814	Inner EAP-MSCHAP authentication succeeded
	11519	Prepared EAP-Success for inner EAP method
	12314	PEAP inner method finished successfully
	12305	Prepared EAP-Request with another PEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12304	Extracted EAP-Response containing PEAP challenge-response
	24422	ISE has confirmed previous successful machine authentication for user in Active Directory
	15036	Evaluating Authorization Policy
	24432	Looking up user in Active Directory - ******\*****
	24416	User's Groups retrieval from Active Directory succeeded
	15048	Queried PIP
	15048	Queried PIP
	15048	Queried PIP
	15004	Matched rule - Default
	15016	Selected Authorization Profile - DenyAccess
	15039	Rejected per authorization profile
	12306	PEAP authentication succeeded
	11503	Prepared EAP-Success
	11003	Returned RADIUS Access-Reject
	5434	Endpoint conducted several failed authentications of the same scenario

Venkatesh Attuluri · ‎03-17-2015

this would let both user and machine authenticate. for"5434Endpoint conducted several failed authentications of the same scenario" check Suppress Anomalous Clients option. This issue comes in to picture when endpoint attempts a couple of failed authentications and if Suppress Anomalous Clients option with Reject Requests After Detection is enabled then ISE Policy nodes protect themselves from overwhelming numbers of authentication requests by sending an immediate reject for suppressed clients as opposed to processing all the steps in a normal authentication. So if that user did some authentication failure, he will be locked for 1 hours (bydefault).