06-07-2017 01:26 AM
Hello there,
I have a Cisco ISE 1.3 server running dot1x on wired and wireless.
Windows 10 is now being deployed and I have run into some issues regarding authenticating.
Windows 10 clients seem to take a while to get authenticated, and when they do, the client speed is very limited.
The authentication process looks like the following:
11001 : Received RADIUS Access-Request
11017 : RADIUS created a new session
15049 : Evaluating Policy Group
15008 : Evaluating Service Selection Policy
15048 : Queried PIP - Radius.Service-Type
15048 : Queried PIP - Radius.NAS-Port-Type
15004 : Matched rule - Dot1X
11507 : Extracted EAP-Response/Identity
12500 : Prepared EAP-Request proposing EAP-TLS with challenge
11006 : Returned RADIUS Access-Challenge
11001 : Received RADIUS Access-Request
11018 : RADIUS is re-using an existing session
12502 : Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
12800 : Extracted first TLS record; TLS handshake started
12805 : Extracted TLS ClientHello message
12806 : Prepared TLS ServerHello message
12807 : Prepared TLS Certificate message
12809 : Prepared TLS CertificateRequest message
12505 : Prepared EAP-Request with another EAP-TLS challenge
11006 : Returned RADIUS Access-Challenge
11001 : Received RADIUS Access-Request
11018 : RADIUS is re-using an existing session
12504 : Extracted EAP-Response containing EAP-TLS challenge-response
12505 : Prepared EAP-Request with another EAP-TLS challenge
11006 : Returned RADIUS Access-Challenge
11001 : Received RADIUS Access-Request
11018 : RADIUS is re-using an existing session
12504 : Extracted EAP-Response containing EAP-TLS challenge-response
12505 : Prepared EAP-Request with another EAP-TLS challenge
11006 : Returned RADIUS Access-Challenge
11001 : Received RADIUS Access-Request
11018 : RADIUS is re-using an existing session
12504 : Extracted EAP-Response containing EAP-TLS challenge-response
12505 : Prepared EAP-Request with another EAP-TLS challenge
11006 : Returned RADIUS Access-Challenge
11001 : Received RADIUS Access-Request
11018 : RADIUS is re-using an existing session
12504 : Extracted EAP-Response containing EAP-TLS challenge-response
12505 : Prepared EAP-Request with another EAP-TLS challenge
11006 : Returned RADIUS Access-Challenge
11001 : Received RADIUS Access-Request
11018 : RADIUS is re-using an existing session
12504 : Extracted EAP-Response containing EAP-TLS challenge-response
12505 : Prepared EAP-Request with another EAP-TLS challenge
11006 : Returned RADIUS Access-Challenge
11001 : Received RADIUS Access-Request
11018 : RADIUS is re-using an existing session
12504 : Extracted EAP-Response containing EAP-TLS challenge-response
12505 : Prepared EAP-Request with another EAP-TLS challenge
11006 : Returned RADIUS Access-Challenge
11001 : Received RADIUS Access-Request
11018 : RADIUS is re-using an existing session
12504 : Extracted EAP-Response containing EAP-TLS challenge-response
12571 : ISE will continue to CRL verification if it is configured for specific CA - xxx
12571 : ISE will continue to CRL verification if it is configured for specific CA - xxx
12571 : ISE will continue to CRL verification if it is configured for specific CA - certificate for xxx
12811 : Extracted TLS Certificate message containing client certificate
12812 : Extracted TLS ClientKeyExchange message
12813 : Extracted TLS CertificateVerify message
12804 : Extracted TLS Finished message
12801 : Prepared TLS ChangeCipherSpec message
12802 : Prepared TLS Finished message
12816 : TLS handshake succeeded
12509 : EAP-TLS full handshake finished successfully
12505 : Prepared EAP-Request with another EAP-TLS challenge
11006 : Returned RADIUS Access-Challenge
11001 : Received RADIUS Access-Request
11018 : RADIUS is re-using an existing session
12504 : Extracted EAP-Response containing EAP-TLS challenge-response
15041 : Evaluating Identity Policy
15006 : Matched Default Rule
22072 : Selected identity source sequence - _cert_seq
22070 : Identity name is taken from certificate attribute
22037 : Authentication Passed
12506 : EAP-TLS authentication succeeded
15036 : Evaluating Authorization Policy
15048 : Queried PIP - EndPoints.LogicalProfile
15048 : Queried PIP - Radius.Service-Type
15048 : Queried PIP - Radius.NAS-Port-Type
15048 : Queried PIP - Radius.Called-Station-ID
15004 : Matched rule - Wireless 802.1x
15016 : Selected Authorization Profile - VLAN_xxx
11503 : Prepared EAP-Success
11002 : Returned RADIUS Access-Accept
I know Windows 10 is not officially supported until Cisco ISE 1.4, but maybe someone has seen this before.
Thanks in advance
/M
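As an added example (not part of the original thread and not Cisco tooling): a small parser for step logs in the `code : message` form shown in the post above, which counts RADIUS round trips and how many of them consisted only of steps 12504 and 12505. The function name `summarize` and the condensed sample log are assumptions made for illustration.

```python
import re
STEP = re.compile(r"^\s*(\d{5})\s*:\s*(.+?)\s*$")   # "code : message"
# Codes from this page's log; BARE = rounds with only EAP-TLS response/challenge steps.
REQUEST, CHALLENGE, ACCEPT = "11001", "11006", "11002"
BARE = {"11001", "11018", "12504", "12505", "11006"}

def summarize(log):
    """Split an ISE step log into RADIUS round trips and count each kind."""
    rounds = []
    for line in log.splitlines():
        m = STEP.match(line)
        if not m:
            continue                      # not a step line
        if m.group(1) == REQUEST or not rounds:
            rounds.append([])             # each Access-Request opens a round
        rounds[-1].append(m.group(1))
    return {
        "round_trips": len(rounds),
        "challenges": sum(r.count(CHALLENGE) for r in rounds),
        "bare_rounds": sum(1 for r in rounds if "12504" in r and set(r) <= BARE),
        "accepted": bool(rounds) and rounds[-1][-1] == ACCEPT,
    }

# Constructed sample: a condensed version of the log in the post above.
SAMPLE = """\
11001 : Received RADIUS Access-Request
11507 : Extracted EAP-Response/Identity
11006 : Returned RADIUS Access-Challenge
11001 : Received RADIUS Access-Request
12805 : Extracted TLS ClientHello message
11006 : Returned RADIUS Access-Challenge
11001 : Received RADIUS Access-Request
11018 : RADIUS is re-using an existing session
12504 : Extracted EAP-Response containing EAP-TLS challenge-response
12505 : Prepared EAP-Request with another EAP-TLS challenge
11006 : Returned RADIUS Access-Challenge
11001 : Received RADIUS Access-Request
12504 : Extracted EAP-Response containing EAP-TLS challenge-response
12505 : Prepared EAP-Request with another EAP-TLS challenge
11006 : Returned RADIUS Access-Challenge
11001 : Received RADIUS Access-Request
12504 : Extracted EAP-Response containing EAP-TLS challenge-response
12811 : Extracted TLS Certificate message containing client certificate
12505 : Prepared EAP-Request with another EAP-TLS challenge
11006 : Returned RADIUS Access-Challenge
11001 : Received RADIUS Access-Request
12506 : EAP-TLS authentication succeeded
11002 : Returned RADIUS Access-Accept
"""
```

Run over the full log in the post above, `summarize` reports 10 round trips, 9 Access-Challenges and 6 rounds containing only steps 12504 and 12505.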
06-07-2017 07:45 AM
Would recommend working through the TAC, it looks like something is causing the device to negotiate over and over.
Make sure 1.3 is on the latest patch and Windows 10 has all relevant supplicant fixes installed (Windows Update critical/important).
ISE 1.3 BTW is EOL
http://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-737392.html
You also mentioned client speed is slow. I assume that means network transfers? Would look into the network, as ISE simply authenticates the device and has nothing to do with network speed.
06-07-2017 07:52 AM
Thanks for the reply.
I will check patch levels.
Yeah, I realise it is quite an old release. Hopefully the customer agrees to upgrading it.
Yeah, the transfer speeds are slow, but when using Windows 7, everything is smooth and fast.
I have attempted forcing Windows 10 to use EAP-TLS 1.0, but to no avail.
06-07-2017 08:01 AM
Speeds have nothing to do with ISE. ISE just authenticates. It's not an encrypted tunnel unless using MACSEC (which requests AnyConnect supplicant).