08-13-2018 02:18 AM
Hi All
I have two endpoints for testing 802.1x with certificates, and both get the correct profile. Both endpoints get authenticated onto the network if I look at the RADIUS live logs, but if I browse for the endpoints via Context Visibility > Endpoint, both endpoints have 15039 Rejected per authz profile?
Here are the steps from the log:
11001 | Received RADIUS Access-Request | |
11017 | RADIUS created a new session | |
15049 | Evaluating Policy Group | |
15008 | Evaluating Service Selection Policy | |
15048 | Queried PIP | |
15048 | Queried PIP | |
11507 | Extracted EAP-Response/Identity | |
12500 | Prepared EAP-Request proposing EAP-TLS with challenge | |
12625 | Valid EAP-Key-Name attribute received | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12301 | Extracted EAP-Response/NAK requesting to use PEAP instead | |
12300 | Prepared EAP-Request proposing PEAP with challenge | |
12625 | Valid EAP-Key-Name attribute received | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12302 | Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated | |
12318 | Successfully negotiated PEAP version 0 | |
12800 | Extracted first TLS record; TLS handshake started | |
12805 | Extracted TLS ClientHello message | |
12806 | Prepared TLS ServerHello message | |
12807 | Prepared TLS Certificate message | |
12808 | Prepared TLS ServerKeyExchange message | |
12810 | Prepared TLS ServerDone message | |
12811 | Extracted TLS Certificate message containing client certificate | |
12305 | Prepared EAP-Request with another PEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12304 | Extracted EAP-Response containing PEAP challenge-response | |
12305 | Prepared EAP-Request with another PEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12304 | Extracted EAP-Response containing PEAP challenge-response | |
12305 | Prepared EAP-Request with another PEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12304 | Extracted EAP-Response containing PEAP challenge-response | |
12305 | Prepared EAP-Request with another PEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12304 | Extracted EAP-Response containing PEAP challenge-response | |
12305 | Prepared EAP-Request with another PEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12304 | Extracted EAP-Response containing PEAP challenge-response | |
12305 | Prepared EAP-Request with another PEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12304 | Extracted EAP-Response containing PEAP challenge-response | |
12318 | Successfully negotiated PEAP version 0 | |
12812 | Extracted TLS ClientKeyExchange message | |
12813 | Extracted TLS CertificateVerify message | |
12804 | Extracted TLS Finished message | |
12801 | Prepared TLS ChangeCipherSpec message | |
12802 | Prepared TLS Finished message | |
12816 | TLS handshake succeeded | |
12310 | PEAP full handshake finished successfully | |
12305 | Prepared EAP-Request with another PEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12304 | Extracted EAP-Response containing PEAP challenge-response | |
12313 | PEAP inner method started | |
11521 | Prepared EAP-Request/Identity for inner EAP method | |
12305 | Prepared EAP-Request with another PEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12304 | Extracted EAP-Response containing PEAP challenge-response | |
11522 | Extracted EAP-Response/Identity for inner EAP method | |
11806 | Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge | |
12305 | Prepared EAP-Request with another PEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12304 | Extracted EAP-Response containing PEAP challenge-response | |
12523 | Extracted EAP-Response/NAK for inner method requesting to use EAP-TLS instead | |
12522 | Prepared EAP-Request for inner method proposing EAP-TLS with challenge | |
12625 | Valid EAP-Key-Name attribute received | |
12305 | Prepared EAP-Request with another PEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12304 | Extracted EAP-Response containing PEAP challenge-response | |
12524 | Extracted EAP-Response containing EAP-TLS challenge-response for inner method and accepting EAP-TLS as negotiated | |
12800 | Extracted first TLS record; TLS handshake started | |
12545 | Client requested EAP-TLS session ticket | |
12546 | The EAP-TLS session ticket received from supplicant. Inner EAP-TLS does not support stateless session resume. Performing full authentication | |
12805 | Extracted TLS ClientHello message | |
12806 | Prepared TLS ServerHello message | |
12807 | Prepared TLS Certificate message | |
12808 | Prepared TLS ServerKeyExchange message | |
12809 | Prepared TLS CertificateRequest message | |
12527 | Prepared EAP-Request for inner method with another EAP-TLS challenge | |
12305 | Prepared EAP-Request with another PEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12304 | Extracted EAP-Response containing PEAP challenge-response | |
12526 | Extracted EAP-Response for inner method containing TLS challenge-response | |
12527 | Prepared EAP-Request for inner method with another EAP-TLS challenge | |
12305 | Prepared EAP-Request with another PEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12304 | Extracted EAP-Response containing PEAP challenge-response | |
12526 | Extracted EAP-Response for inner method containing TLS challenge-response | |
12527 | Prepared EAP-Request for inner method with another EAP-TLS challenge | |
12305 | Prepared EAP-Request with another PEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12304 | Extracted EAP-Response containing PEAP challenge-response | |
12526 | Extracted EAP-Response for inner method containing TLS challenge-response | |
12527 | Prepared EAP-Request for inner method with another EAP-TLS challenge | |
12305 | Prepared EAP-Request with another PEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12304 | Extracted EAP-Response containing PEAP challenge-response | |
12526 | Extracted EAP-Response for inner method containing TLS challenge-response | |
12527 | Prepared EAP-Request for inner method with another EAP-TLS challenge | |
12305 | Prepared EAP-Request with another PEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12304 | Extracted EAP-Response containing PEAP challenge-response | |
12526 | Extracted EAP-Response for inner method containing TLS challenge-response | |
12527 | Prepared EAP-Request for inner method with another EAP-TLS challenge | |
12305 | Prepared EAP-Request with another PEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12304 | Extracted EAP-Response containing PEAP challenge-response | |
12526 | Extracted EAP-Response for inner method containing TLS challenge-response | |
12527 | Prepared EAP-Request for inner method with another EAP-TLS challenge | |
12305 | Prepared EAP-Request with another PEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12304 | Extracted EAP-Response containing PEAP challenge-response | |
12526 | Extracted EAP-Response for inner method containing TLS challenge-response | |
12527 | Prepared EAP-Request for inner method with another EAP-TLS challenge | |
12305 | Prepared EAP-Request with another PEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12304 | Extracted EAP-Response containing PEAP challenge-response | |
12526 | Extracted EAP-Response for inner method containing TLS challenge-response | |
12571 | ISE will continue to CRL verification if it is configured for specific CA | |
12571 | ISE will continue to CRL verification if it is configured for specific CA | |
12811 | Extracted TLS Certificate message containing client certificate | |
12812 | Extracted TLS ClientKeyExchange message | |
12813 | Extracted TLS CertificateVerify message | |
12804 | Extracted TLS Finished message | |
12801 | Prepared TLS ChangeCipherSpec message | |
12802 | Prepared TLS Finished message | |
12816 | TLS handshake succeeded | |
12509 | EAP-TLS full handshake finished successfully | |
12527 | Prepared EAP-Request for inner method with another EAP-TLS challenge | |
12305 | Prepared EAP-Request with another PEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12304 | Extracted EAP-Response containing PEAP challenge-response | |
12526 | Extracted EAP-Response for inner method containing TLS challenge-response | |
61025 | Open secure connection with TLS peer | |
15041 | Evaluating Identity Policy | |
15048 | Queried PIP | |
22071 | Identity name is taken from AD account Implicit UPN | |
15013 | Selected Identity Source - NEAS-AD | |
24433 | Looking up machine in Active Directory - host/AALW14135.neas.local | |
24325 | Resolving identity | |
24313 | Search for matching accounts at join point | |
24362 | Client certificate matches AD account certificate | |
24319 | Single matching account found in forest | |
24323 | Identity resolution detected single matching account | |
24700 | Identity resolution by certificate succeeded | |
22037 | Authentication Passed | |
12528 | Inner EAP-TLS authentication succeeded | |
11519 | Prepared EAP-Success for inner EAP method | |
12314 | PEAP inner method finished successfully | |
12305 | Prepared EAP-Request with another PEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12304 | Extracted EAP-Response containing PEAP challenge-response | |
12324 | PEAP cryptobinding verification passed | |
15036 | Evaluating Authorization Policy | |
15048 | Queried PIP | |
15016 | Selected Authorization Profile - PermitAccess | |
22081 | Max sessions policy passed | |
22080 | New accounting session created in Session cache | |
12306 | PEAP authentication succeeded | |
11503 | Prepared EAP-Success | |
11002 | Returned RADIUS Access-Accept | |
5238 | Endpoint authentication problem was fixed |
And from the switch:
Gi0/1 d89e.f3fa.306f dot1x DATA Auth C0A80219000006921794A04A
Gi0/4 ecf4.bb3a.5096 dot1x DATA Auth C0A802190000069417B25AAB
It looks OK, but did I miss something?
Br,
Michael
08-13-2018 07:48 AM
Authc != Authz
Remember that you can 'authenticate' perfectly, but still be denied access if there isn't an authorisation rule for you to hit.
That said, the logs you posted look fine, aside from the obvious error you noted. It would be more useful if you could show the detailed version of that Switch output along with a copy of the Authorisation rules in ISE.
08-13-2018 08:04 AM
If you are running CPL and your default MAB policy is to reject (it should never be this), then this is normal. Remember in CPL MAB and Dot1x happen together. MAB will happen right away and a reject would get sent. Dot1x would finish successfully and take priority. The Context Visibility has a bug that it won't update the fields correctly, so it is showing the MAB result, not the Dot1x result. That is my guess.
08-13-2018 08:05 AM
Also if you are doing legacy template but have order set to "mab dot1x" (which I would never do) then you could see the same effect as CPL.
08-13-2018 11:54 PM
On the switch I've built the config off Cisco's universal switch guide for ISE, therefore no CPL. How does CPL improve ISE operation towards the endpoint, and are there any other benefits of using CPL?
I think you're right about the Context Visibility bug, because yesterday I tuned the profiling for MS workstations, and then Context Visibility updated. I remember reading something about endpoints that already have a profile not getting a CoA, so I assume that the change refreshed the GUI?
08-13-2018 11:58 PM
Here is the output from the switch:
AALX-TEST#sh authe sessions interface gig0/6 details
Interface: GigabitEthernet0/6
MAC Address: 1065.3095.42d7
IPv6 Address: Unknown
IPv4 Address: 192.168.100.4
User-Name: host/AAL-LT18064.xxxxx
Status: Authorized
Domain: DATA
Oper host mode: multi-domain
Oper control dir: in
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: 86400s (local), Remaining: 82364s
Common Session ID: C0A80219000006AF1C1D25E3
Acct Session ID: 0x00000817
Handle: 0xDB0000F3
Current Policy: POLICY_Gi0/6
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Server Policies:
Method status list:
Method State
dot1x Authc Success
And the port-level config:
interface GigabitEthernet0/1
description MONITOR MODE -> ADD ACL_DEFAULT FOR LOW
switchport access vlan 100
switchport mode access
switchport voice vlan 40
authentication control-direction in
authentication event fail action authorize vlan 100
authentication event server dead action reinitialize vlan 2
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer restart 5
authentication timer inactivity server dynamic
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout quiet-period 10
spanning-tree portfast edge
spanning-tree bpduguard enable
end
The Authz policy in ISE is PermitAccess, so it works as it should.
08-14-2018 08:24 AM
... I have two endpoints for testing 802.1x with certificates, and both get the correct profile. Both endpoints get authenticated onto the network if I look at the RADIUS live logs, but if I browse for the endpoints via Context Visibility > Endpoint, both endpoints have 15039 Rejected per authz profile? ...
AFAIK this is expected. FailReason is an endpoint attribute and does not get cleared or replaced until the endpoint is deleted or a new value is detected.
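As an added example (not code from the thread or from ISE), here is a small Python reconciliation that works the way the answers above describe: it reads the step codes of each live-log session, lets a dot1x result win over a concurrent MAB result, and flags endpoints whose stored FailReason 15039 is stale because the deciding session ended in 11002 Access-Accept. The session timestamps, the MAB sessions, the third MAC and the 30-second concurrency window are constructed assumptions.

```python
from collections import defaultdict, namedtuple

# Step codes quoted in the thread's log excerpt.
STEP_ACCESS_ACCEPT = 11002  # Returned RADIUS Access-Accept
STEP_AUTHZ_REJECT = 15039   # Rejected per authorization profile
METHOD_PRIORITY = {"dot1x": 2, "mab": 1}  # CPL: dot1x beats a concurrent MAB result

Session = namedtuple("Session", "ts mac method steps")  # ts: start seconds; steps: ISE codes


def outcome(session):
    """Classify one live-log session from the step codes it contains."""
    if STEP_ACCESS_ACCEPT in session.steps:
        return "accept"
    if STEP_AUTHZ_REJECT in session.steps:
        return "reject"
    return "incomplete"


def effective_outcome(sessions, window=30):
    """Per MAC, the outcome of the session that decides access: sessions starting within
    `window` seconds of the newest count as concurrent and the higher-priority method wins."""
    by_mac = defaultdict(list)
    for s in sessions:
        by_mac[s.mac].append(s)
    verdict = {}
    for mac, group in by_mac.items():
        newest = max(s.ts for s in group)
        concurrent = [s for s in group if newest - s.ts <= window]
        winner = max(concurrent, key=lambda s: (METHOD_PRIORITY.get(s.method, 0), s.ts))
        verdict[mac] = outcome(winner)
    return verdict


def reconcile(sessions, fail_reason):
    """Separate stale FailReason attributes from real rejects; fail_reason maps MAC -> stored code."""
    report = {}
    for mac, live in effective_outcome(sessions).items():
        if live == "accept":
            report[mac] = "stale FailReason" if fail_reason.get(mac) else "consistent"
        else:
            report[mac] = "currently rejected" if live == "reject" else "incomplete"
    return report


# Constructed sample: the two MACs from the thread plus a made-up third; timestamps and MAB sessions are invented.
SESSIONS = [
    Session(1000, "d89e.f3fa.306f", "mab", (11001, 15039)),
    Session(1002, "d89e.f3fa.306f", "dot1x", (11001, 15016, 11002)),
    Session(1005, "ecf4.bb3a.5096", "dot1x", (11001, 15016, 11002)),
    Session(1100, "0000.0000.0001", "mab", (11001, 15039)),
]
FAIL_REASON = {m: 15039 for m in ("d89e.f3fa.306f", "ecf4.bb3a.5096", "0000.0000.0001")}
```

Running `reconcile(SESSIONS, FAIL_REASON)` reports both thread MACs as "stale FailReason" and the constructed MAB-only endpoint as "currently rejected", which is the distinction to make before touching the authorization rules.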