03-27-2019 05:58 PM
Hi all,
We've got a large global ISE 2.4 P6 installation running our global wired and wireless NAC (dot1x and MAB with profiling) as well as our AnyConnect AAA with posture compliance. At present it works perfectly integrated directly with AD.
A request has come through from our auditors to enable MFA on the VPN and our MFA of choice is Azure AD MFA as we have a hybrid connected on-prem/Azure AD estate and already use Azure MFA for o365 and other 3rd party cloud apps so all our users are already enrolled using the MS Authenticator Phone App.
Due to the lack of Azure AD MFA support in ISE, and as a quick'n'dirty solution, I built a win2016 NPS server and installed the MFA extension and then changed my VPN policy to use the External Radius sequence. So far, so good.
When my test user connects, the radius request is forwarded from ISE to NPS which performs the initial AD authentication before handing off to MFA. My phone pings and the app requests approval. I tap to approve and the NPS sends an "access-accept" back to the ISE PSN that initiated the request. So I know ISE and the NPS server are talking fine. I wiresharked the NPS server and see the access-request and access-accept packets going from/to the chosen PSN nodes with the 9 second delay while I tried to unlock my mobile phone (smudged fingerprints).
However, the ISE server then logs an authentication failure (rejected as per authorization profile) showing the username as "USERNAME\USERNAME" rather than the real username that was sent to NPS - the real username is shown in the NPS logs so I know it is being sent over correctly, processed etc. (You can see my domain name starts UK in the NPS log below)
The radius request id in the access-request packet sent to the NPS matches the id in the access-accept packet returned. My "Radius Server Sequences" has a tick for "On Access-Accept, continue to Authorization Policy", so that does agree that we are hitting my authorization policies that check the user's membership of a specific AD group - but with the wrong username, this fails and it drops out with the DenyAccess from the default Authorization.
It seems like ISE forwards the radius packet over to the NPS but forgets to keep track of any of the details so is unable to join the access-accept to the original request id so loses the username.
Just out of curiosity, I disabled MFA on the NPS and re-ran the test. Once again, the NPS authenticated the user against AD and then immediately replied with an "access-accept" packet but ISE had the same USERNAME/USERNAME failure.
Has anyone else come across anything like this with NPS or A.N.Other external radius server?
All help gladly received!
JB.
(Oh and yes, I know NPS is plain nasty - searching child domains to find a matching username has to be enabled via a registry setting! I'd prefer not to touch it with the proverbial stick but the key for us is that we already have the AAD MFA licensing so it's free.)
03-29-2019 06:49 PM
I would suggest starting with Solved: Client Authenticating Incorrectly in IS... - Cisco Community.
And, examine your authorization policy rules and see any reason why nothing matched other than the default, which results in Deny-Access.
03-30-2019 09:00 AM
Thanks so much - I have seen that Radius option before but didn't even think of using it. A search for "USERNAME/USERNAME" doesn't help either. That other community post was a perfect explanation of this feature!
Long and short from my side was that the masking of the username meant I was unable to see that the failure was due to the user not being a member of the VPN users group.
Simple answer, simple solution.
Many thanks!
JB.