cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1077
Views
0
Helpful
7
Replies
michael_bartho
Beginner

Endpoint authentication faliure but works?

Hi All

 

I have two endpoints for testing 802.1x with certificate, that both gets the correct profile. Both endpoints gets authenticated onto the network if I look at the RADIUS live logs but if I browse for the endpoints via Context Visibility > Endpoint, both endpoint have 15039 Rejected per authz profile?

Here are the steps for the log >> 

 

11001 Received RADIUS Access-Request
  11017 RADIUS created a new session
  15049 Evaluating Policy Group
  15008 Evaluating Service Selection Policy
  15048 Queried PIP
  15048 Queried PIP
  11507 Extracted EAP-Response/Identity
  12500 Prepared EAP-Request proposing EAP-TLS with challenge
  12625 Valid EAP-Key-Name attribute received
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12301 Extracted EAP-Response/NAK requesting to use PEAP instead
  12300 Prepared EAP-Request proposing PEAP with challenge
  12625 Valid EAP-Key-Name attribute received
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
  12318 Successfully negotiated PEAP version 0
  12800 Extracted first TLS record; TLS handshake started
  12805 Extracted TLS ClientHello message
  12806 Prepared TLS ServerHello message
  12807 Prepared TLS Certificate message
  12808 Prepared TLS ServerKeyExchange message
  12810 Prepared TLS ServerDone message
  12811 Extracted TLS Certificate message containing client certificate
  12305 Prepared EAP-Request with another PEAP challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12304 Extracted EAP-Response containing PEAP challenge-response
  12305 Prepared EAP-Request with another PEAP challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12304 Extracted EAP-Response containing PEAP challenge-response
  12305 Prepared EAP-Request with another PEAP challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12304 Extracted EAP-Response containing PEAP challenge-response
  12305 Prepared EAP-Request with another PEAP challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12304 Extracted EAP-Response containing PEAP challenge-response
  12305 Prepared EAP-Request with another PEAP challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12304 Extracted EAP-Response containing PEAP challenge-response
  12305 Prepared EAP-Request with another PEAP challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12304 Extracted EAP-Response containing PEAP challenge-response
  12318 Successfully negotiated PEAP version 0
  12812 Extracted TLS ClientKeyExchange message
  12813 Extracted TLS CertificateVerify message
  12804 Extracted TLS Finished message
  12801 Prepared TLS ChangeCipherSpec message
  12802 Prepared TLS Finished message
  12816 TLS handshake succeeded
  12310 PEAP full handshake finished successfully
  12305 Prepared EAP-Request with another PEAP challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12304 Extracted EAP-Response containing PEAP challenge-response
  12313 PEAP inner method started
  11521 Prepared EAP-Request/Identity for inner EAP method
  12305 Prepared EAP-Request with another PEAP challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12304 Extracted EAP-Response containing PEAP challenge-response
  11522 Extracted EAP-Response/Identity for inner EAP method
  11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
  12305 Prepared EAP-Request with another PEAP challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12304 Extracted EAP-Response containing PEAP challenge-response
  12523 Extracted EAP-Response/NAK for inner method requesting to use EAP-TLS instead
  12522 Prepared EAP-Request for inner method proposing EAP-TLS with challenge
  12625 Valid EAP-Key-Name attribute received
  12305 Prepared EAP-Request with another PEAP challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12304 Extracted EAP-Response containing PEAP challenge-response
  12524 Extracted EAP-Response containing EAP-TLS challenge-response for inner method and accepting EAP-TLS as negotiated
  12800 Extracted first TLS record; TLS handshake started
  12545 Client requested EAP-TLS session ticket
  12546 The EAP-TLS session ticket received from supplicant. Inner EAP-TLS does not support stateless session resume. Performing full authentication
  12805 Extracted TLS ClientHello message
  12806 Prepared TLS ServerHello message
  12807 Prepared TLS Certificate message
  12808 Prepared TLS ServerKeyExchange message
  12809 Prepared TLS CertificateRequest message
  12527 Prepared EAP-Request for inner method with another EAP-TLS challenge
  12305 Prepared EAP-Request with another PEAP challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12304 Extracted EAP-Response containing PEAP challenge-response
  12526 Extracted EAP-Response for inner method containing TLS challenge-response
  12527 Prepared EAP-Request for inner method with another EAP-TLS challenge
  12305 Prepared EAP-Request with another PEAP challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12304 Extracted EAP-Response containing PEAP challenge-response
  12526 Extracted EAP-Response for inner method containing TLS challenge-response
  12527 Prepared EAP-Request for inner method with another EAP-TLS challenge
  12305 Prepared EAP-Request with another PEAP challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12304 Extracted EAP-Response containing PEAP challenge-response
  12526 Extracted EAP-Response for inner method containing TLS challenge-response
  12527 Prepared EAP-Request for inner method with another EAP-TLS challenge
  12305 Prepared EAP-Request with another PEAP challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12304 Extracted EAP-Response containing PEAP challenge-response
  12526 Extracted EAP-Response for inner method containing TLS challenge-response
  12527 Prepared EAP-Request for inner method with another EAP-TLS challenge
  12305 Prepared EAP-Request with another PEAP challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12304 Extracted EAP-Response containing PEAP challenge-response
  12526 Extracted EAP-Response for inner method containing TLS challenge-response
  12527 Prepared EAP-Request for inner method with another EAP-TLS challenge
  12305 Prepared EAP-Request with another PEAP challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12304 Extracted EAP-Response containing PEAP challenge-response
  12526 Extracted EAP-Response for inner method containing TLS challenge-response
  12527 Prepared EAP-Request for inner method with another EAP-TLS challenge
  12305 Prepared EAP-Request with another PEAP challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12304 Extracted EAP-Response containing PEAP challenge-response
  12526 Extracted EAP-Response for inner method containing TLS challenge-response
  12527 Prepared EAP-Request for inner method with another EAP-TLS challenge
  12305 Prepared EAP-Request with another PEAP challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12304 Extracted EAP-Response containing PEAP challenge-response
  12526 Extracted EAP-Response for inner method containing TLS challenge-response
  12571 ISE will continue to CRL verification if it is configured for specific CA
  12571 ISE will continue to CRL verification if it is configured for specific CA
  12811 Extracted TLS Certificate message containing client certificate
  12812 Extracted TLS ClientKeyExchange message
  12813 Extracted TLS CertificateVerify message
  12804 Extracted TLS Finished message
  12801 Prepared TLS ChangeCipherSpec message
  12802 Prepared TLS Finished message
  12816 TLS handshake succeeded
  12509 EAP-TLS full handshake finished successfully
  12527 Prepared EAP-Request for inner method with another EAP-TLS challenge
  12305 Prepared EAP-Request with another PEAP challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12304 Extracted EAP-Response containing PEAP challenge-response
  12526 Extracted EAP-Response for inner method containing TLS challenge-response
  61025 Open secure connection with TLS peer
  15041 Evaluating Identity Policy
  15048 Queried PIP
  22071 Identity name is taken from AD account Implicit UPN
  15013 Selected Identity Source - NEAS-AD
  24433 Looking up machine in Active Directory - host/AALW14135.neas.local
  24325 Resolving identity
  24313 Search for matching accounts at join point
  24362 Client certificate matches AD account certificate
  24319 Single matching account found in forest
  24323 Identity resolution detected single matching account
  24700 Identity resolution by certificate succeeded
  22037 Authentication Passed
  12528 Inner EAP-TLS authentication succeeded
  11519 Prepared EAP-Success for inner EAP method
  12314 PEAP inner method finished successfully
  12305 Prepared EAP-Request with another PEAP challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12304 Extracted EAP-Response containing PEAP challenge-response
  12324 PEAP cryptobinding verification passed
  15036 Evaluating Authorization Policy
  15048 Queried PIP
  15016 Selected Authorization Profile - PermitAccess
  22081 Max sessions policy passed
  22080 New accounting session created in Session cache
  12306 PEAP authentication succeeded
  11503 Prepared EAP-Success
  11002 Returned RADIUS Access-Accept
  5238 Endpoint authentication problem was fixed

 

And from the switch

 

Gi0/1 d89e.f3fa.306f dot1x DATA Auth C0A80219000006921794A04A
Gi0/4 ecf4.bb3a.5096 dot1x DATA Auth C0A802190000069417B25AAB

 

It looks OK, but did I miss something?

 

Br,

Michael

7 REPLIES 7
RichardAtkin
Participant

Authc != Authz

Remember that you can 'authenticate' perfectly, but still be denied access if there isn't an authorisation rule for you to hit.

 

That said, the logs you posted look fine, aside from the obvious error you noted.  It would be more useful if you could show the detailed version of that Switch output along with a copy of the Authorisation rules in ISE.

If you are running CPL and your default MAB policy is to reject (it should never be this). Then this is normal.  Remember in CPL MAB and Dot1x happen together.  MAB will happen right away and a reject would get sent.  Dot1x would finish successfully and take priority.  The Context Visibility has a bug that it won't update the fields correctly so it is showing the MAB result not the Dot1x result.  That is my guess.

Also if you are doing legacy template but have order set to "mab dot1x" (which I would never do) then you could see the same effect as CPL.  

On the switch I've build the config off Cisco's universal switch guide for ISE, therefore no CPL. How does CPL improve ISE operation towards the endpoint, and are there any other benefit of using CPL?

 

I've think your right about the Context Visibility bug, because yesterday I've tuned the profiling for MS workstations, and then the context visibility updated. Remember reading something about endpoints that already has a profile, doesn't get CoA, then I assume that the change refreshed the GUI?

 

jalemanp
Cisco Employee

"15016 Selected Authorization Profile - PermitAccess" shows that authorization was successful as well.
In the radius live log for your endpoint, do you see if it matched an authorization rule that you defined or is it matching the "Default" authorization rule that contains "PermitAccess" authorization profile?
Also, what is the output for your the following "show access-session interface <InterfaceID> details?

Here is the output from the switch

 

AALX-TEST#sh authe sessions interface gig0/6 details
Interface: GigabitEthernet0/6
MAC Address: 1065.3095.42d7
IPv6 Address: Unknown
IPv4 Address: 192.168.100.4
User-Name: host/AAL-LT18064.xxxxx
Status: Authorized
Domain: DATA
Oper host mode: multi-domain
Oper control dir: in
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: 86400s (local), Remaining: 82364s
Common Session ID: C0A80219000006AF1C1D25E3
Acct Session ID: 0x00000817
Handle: 0xDB0000F3
Current Policy: POLICY_Gi0/6

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:

Method status list:

Method State

dot1x Authc Success

 

And the port level config ->

 

interface GigabitEthernet0/1
description MONITOR MODE -> ADD ACL_DEFAULT FOR LOW
switchport access vlan 100
switchport mode access
switchport voice vlan 40
authentication control-direction in
authentication event fail action authorize vlan 100
authentication event server dead action reinitialize vlan 2
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer restart 5
authentication timer inactivity server dynamic
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout quiet-period 10
spanning-tree portfast edge
spanning-tree bpduguard enable
end

 

The Authz policy in ISE is PermitAccess, so it works as i should. 

hslai
Cisco Employee


 


... I have two endpoints for testing 802.1x with certificate, that both gets the correct profile. Both endpoints gets authenticated onto the network if I look at the RADIUS live logs but if I browse for the endpoints via Context Visibility > Endpoint, both endpoint have 15039 Rejected per authz profile? ...

AFAIK this is expected. FailReason is an endpoint attribute and does not get clear or replaced until the endpoint deleted or a new value detected.

Create
Recognize Your Peers
Content for Community-Ad

ISE Webinars


Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube