Cisco ISE machine and user level authentication rules issue

laurathaqi
Level 3

Dear community,

I have configured wired 802.1x with two separate rules on the AuthZ part. One is for Domain Computers -> if true -> DomainComputer DACL, and the other one is for Domain Users -> if part of the DomainUsers group -> DomainUserDACL.

However, the issue is that, when testing, only the DomainComputers rule passes successfully, downloading the DACL and letting the user AuthZ with success. The DomainUsers rule never gets executed, despite the fact that I tried disabling all other default/non-default rules.

The test that is failing is as follows:

- I am logging in as a Domain User on a Domain Machine and only the Domain Machine rule gets executed, even after I log in with my credentials. What I have seen so far is that, when the user is not logged in, only the wired machine is connected, and this is where the AuthZ rule for Domain Computers should execute. When the user enters their credentials, this is when the AuthZ rule for Domain Users should kick in with its process, including the DACL. However, in my case, the AuthZ for the Domain Computer gets executed, and the rule for the Domain Users does not. Even after I enter my credentials and log in, no further process for the DACL of the AuthZ for the Domain User is executed!!

This is an issue since Domain machines have limited access, while Domain users have more privileges, but these privileges are never executed. This causes an inability to separate the Domain machine case from the Domain user case!

I have enabled CoA on the switch and also have the ReAuth option enabled on the ISE side.

ISE version 3.0 is being used, and 802.1x EAP-TLS is executed successfully while the Domain Computer rule gets executed with its DACL for Domain Computers, but not the Domain User one.

Does anyone have any idea why this behavior is happening?! I have seen lots of examples where this practice of separating machine and user AuthZ and AuthC is followed all the time, so I am not sure why this behavior is happening with the AuthZ rules!?

Looking forward to hearing any of your thoughts.

Thank you,

Laura


9 Replies

I am not really sure if I understand your problem description correctly. But if there is no new AuthC/AuthZ action, have you verified on the supplicant that Machine and User authentication is really configured?

Hi @Karsten Iwen

The issue is quite straightforward. I have two rules, one for the Domain Computers and one for the Domain Users, and when I log in to the computer with my AD credentials, only the Domain Computer rule from the Access Policy set gets executed.

Under normal circumstances it should have been: Domain Computers and then Domain Users rules, executed in that order. But I only get the Domain Computers rule to execute, and then the flow stops there, leaving the Domain Users rule out of the end-to-end flow of the AuthC and AuthZ process.

Yes, the supplicant is configured to log in as "User or Computer". CA certs are OK and 802.1x is enabled.

Looking forward to hearing back from you. Any thoughts or ideas would be highly appreciated.

Thank you,

Laura

This is a good primer for understanding how Windows Computer and User authentication works - Machine Authentication and User Authentication

A common issue for the symptom you are seeing is that there is not a valid User certificate in the user's personal store to present when the switch sends an EAPOL for the user session. Use the MMC on the client to verify that there is a valid user certificate that meets the Windows certificate requirements when you use EAP-TLS or PEAP with EAP-TLS.

If the user cert is present and looks compliant, you will likely need to take a packet capture on the client PC and switch to look at the EAP conversation and verify whether the client is presenting a certificate.

Hi @Greg Gibbs

Thank you for the links shared. After reading this, based on my understanding I see that Machine Authentication is failing to write User Authentication. I checked the validity of the Identity Cert and it is present, issued by the Root CA. The Root is also selected on the supplicant's AuthZ properties.

The unclear thing is that EAP-TLS is being successfully executed on the Machine-level Authentication Rule. And with that, when the user enters their credentials, ISE does not produce new logs, nor is a new flow seen. It stays with the Machine Authentication rule.

I will keep you updated regarding the packet capture of the client PC.

Looking forward to hearing from you. Any thoughts or advice would be highly appreciated.

Thank you,

Laura

Based on native supplicant behavior and normal dot1x functionality, the endpoint should trigger the machine and user auth, no matter which certificates are installed (if there is a cert issue later, it will happen during the auth process).

The switch or ISE won't ask for the next authentication (user auth); this is not something that happens because of CoA or reauth. It should be the supplicant that starts both machine and user auth.

It is hard to guess the issue with the current info; you will need to collect details with the following:

- Client-to-switch packet capture to validate that the identity-response is sent with User info.

- dot1x / RADIUS debugs on the switch, to confirm the user auth is being started by the supplicant.

Try moving the PC to "User auth" only, and confirm whether it works.

 

Hi @lrojaslo

I checked the User cert in certmgr.msc and it says the cert is valid. However, when I moved the computer to User AUTH only, it says Authentication failed, while in Computer AUTH only, it authenticates successfully. When I generated the user and computer certs, I used the same root CA, so I am not sure what could have gone wrong in the User cert generation and installation. The User cert is in the right directory on the computer!

Any idea how to further troubleshoot this?

Thank you,

Laura

OK, so when you use User auth only, what is the error observed on ISE?

You can try to move authentication to PEAP instead (not cert based) to confirm whether the issue is actually related to the certs on the endpoint.

 

Hi @lrojaslo ,

Thank you for the very helpful information and suggestions you shared with me.

I tried with PEAP and it worked. So the problem was narrowed down to the certs themselves, even though ISE was giving general errors that were not much help.

The issue was that ISE was configured to look for the Common Name in the certificate, while on the cert side the template was configured to put the identity in the Subject Alternative Name - DNS attribute.

All your support is highly appreciated. You make this community awesome.

Thank you and best wishes,

Laura
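The root cause above (ISE matching on Common Name while the template populated SAN DNS) is easy to catch on the client before touching the switch. The following PowerShell is an added example, not code from the thread or from Cisco: it lists every certificate in the current user's personal store (what certmgr.msc shows) and reports the CN and SAN identity fields, private-key presence, Client Authentication EKU, expiry and the root the chain terminates at, so you can line the populated field up with the identity source configured in the ISE certificate authentication profile. The `$expectedRoot` subject is a placeholder assumption; replace it with your issuing root CA.

```powershell
# Added example (not from the thread): inventory user certificates and report
# the fields an ISE certificate authentication profile could be told to read.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'        # Client Authentication EKU
$sanOid        = '2.5.29.17'                # Subject Alternative Name extension
$expectedRoot  = 'CN=PLACEHOLDER-ROOT-CA'   # assumption: subject of your issuing root CA

function Get-UserAuthCertReport {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    $nt = [System.Security.Cryptography.X509Certificates.X509NameType]

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_

        # The supplicant only offers certificates that carry the Client Authentication EKU.
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasClientAuth = [bool]($eku | ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq $clientAuthOid })

        # Decode the SAN extension into its readable form (DNS Name=..., Principal Name=...).
        $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
        $sanText = if ($sanExt) { $sanExt.Format($false) } else { '<no SAN>' }

        # Build the chain the client would present; the last element is the root it ends at.
        $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)
        $rootSub = if ($chain.ChainElements.Count -gt 0) {
            $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
        } else { '<no chain>' }

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            SubjectCN     = $cert.GetNameInfo($nt::SimpleName, $false)              # what "Common Name" matching reads
            SanDns        = $cert.GetNameInfo($nt::DnsFromAlternativeName, $false)  # what "SAN - DNS" matching reads
            SanUpn        = $cert.GetNameInfo($nt::UpnName, $false)                 # what "SAN - Other Name (UPN)" reads
            SanRaw        = $sanText
            HasPrivateKey = $cert.HasPrivateKey
            ClientAuthEku = $hasClientAuth
            NotExpired    = ($cert.NotAfter -gt (Get-Date))
            ChainBuilds   = $chainOk
            ChainRoot     = $rootSub
            RootMatches   = ($rootSub -eq $expectedRoot)
        }
    }
}

Get-UserAuthCertReport | Format-List
```

A certificate whose SubjectCN is empty but whose SanDns is populated is exactly the shape that fails when the ISE profile is set to Common Name; running the same function against `Cert:\LocalMachine\My` shows the computer certificate the machine rule is already accepting, for comparison.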

 

Peter Koltl
Level 7

You should have a computer certificate in the computer cert store (check certlm.msc) and a user certificate in the user cert store (certmgr.msc). If the supplicant is set to "User or Computer", the computer certificate is used in 802.1X after booting the client as long as it shows the logon screen. As soon as you log on, it performs another authentication with the user certificate.

Windows version 2004 introduced TEAP where both certificates can be used after logon. (requires ISE 2.7)