ISE Authorisation strangeness

Jim Blake
Level 1

I have a two-node Cisco ISE 1.3 running as a Virtual Machine. It is managing IEEE 802.1X EAP-TLS security for wired devices on Cisco 3560s. The devices (Win7 PCs) obtain certificates for both them and their users during initial wired connection to a physically secure non-IEEE 802.1X port, via GPO, using a Microsoft CA running in the same platform as the AD server (it's all virtualized, in ESXi 5.5 hosts).

I have created a controlling "WIRED" policy specifying that the policy applies to switch connections with NAS-port-type=Ethernet

Authentication looks for the presence of certificates and authenticates when they are there.

Authorization, however, is behaving weirdly. The first statement, selecting machine authentication, looks for: "ExternalGroups EQUALS <domain name>/Users/Domain Computers". This seems to work fine, and when the machine hits this authorization it enables a DACL "WIRED_AD_ONLY" that does what it says in its name, and then allows the machine's user to go off to the AD server and log on....no problems so far.

However, the second Authorization statement "ExternalGroups EQUALS <domain name>/Users/Domain Users AND Network Access:WasMachineAuthenticated EQUALS True" fails to catch the user logon, so the second DACL "WIRED_PERMIT_ALL" is not invoked, the port stays shut and the authorization fails (goes to "if no matches, then DenyAccess", the default last statement).

If I change the second Authorization statement to remove the "AND Network Access:WasMachineAuthenticated EQUALS True", the authorization works as expected, so it looks like the machine was not authenticated (though it was, or we would not have got to this step?).

I Googled about some, and found a suggestion that enabling "Certificate In Identity Store" "Always perform Binary Comparison" would fix this, but it hasn't....and I'm finding the same sort of problem in my wireless deployment as well....I can run without "WasMachineAuthenticated" but I don't think it's as secure....

Any suggestions as to why WasMachineAuthenticated seems not to work?

Thanks

Jim

3 Replies

jan.nielsen
Level 7

Not sure why, in this specific case, WasMachineAuthenticated is not working as expected. I will say, though, that the Machine Access Restriction feature (which is what you are using) has many caveats which will make it not work, specifically sessions on the WLC/switch that time out, during sleep/hibernate, and roaming between wireless/wired. The proper way in my book to have both machine and user authentication, to ensure AD login from an already authenticated machine, is to use Cisco AnyConnect NAM and then use the EAP-Chaining feature.

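The condition "Network Access:WasMachineAuthenticated" in the original post's second rule, and the Machine Access Restriction (MAR) caveats named in the reply above, both come down to the same mechanism: ISE records the Calling-Station-Id (endpoint MAC) of each successful machine authentication in a cache with an aging time, and the user-phase rule matches only if that same MAC is still in the cache. The following is an added example written for this page, not ISE code; the class and function names are hypothetical, the requests are constructed, the aging value is assumed, and the cache is modelled as local to one policy node (an assumption of the model, to be checked against the deployment's own MAR settings). It evaluates the thread's two rules in order and shows the paths that end in DenyAccess:

```python
# Added example (not Cisco ISE code): a minimal model of the MAR cache that the
# "Network Access:WasMachineAuthenticated" condition consults. Names are
# hypothetical; the requests below are constructed stand-ins for RADIUS attributes.
import re
from dataclasses import dataclass

MAR_AGING_SECONDS = 6 * 3600   # assumed aging time for cache entries


def normalize_mac(raw: str) -> str:
    """Canonicalise Calling-Station-Id so that 0011.2233.4455 (Cisco style),
    00-11-22-33-44-55 and 00:11:22:33:44:55 all key the same cache entry."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Request:
    calling_station_id: str      # endpoint MAC as reported by the switch/WLC
    identity: str                # certificate identity, e.g. host/PC1 or a user
    external_groups: frozenset   # AD groups resolved for that identity
    psn: str                     # policy service node that handled the request


class MarCache:
    """Cache of MACs that passed machine authentication, keyed per node
    (assumption of this model: entries are not shared between nodes)."""

    def __init__(self, aging_seconds: int = MAR_AGING_SECONDS):
        self.aging = aging_seconds
        self._entries: dict[tuple[str, str], float] = {}

    def record(self, psn: str, mac: str, now: float) -> None:
        self._entries[(psn, normalize_mac(mac))] = now

    def was_machine_authenticated(self, psn: str, mac: str, now: float) -> bool:
        seen = self._entries.get((psn, normalize_mac(mac)))
        return seen is not None and (now - seen) <= self.aging


def authorize(req: Request, cache: MarCache, now: float) -> str:
    """Evaluate the two authorization rules from the thread; first match wins,
    and anything that matches neither falls through to DenyAccess."""
    groups = req.external_groups
    # Rule 1: machine authentication -> WIRED_AD_ONLY; the MAC enters the MAR cache.
    if "Domain Computers" in groups:
        cache.record(req.psn, req.calling_station_id, now)
        return "WIRED_AD_ONLY"
    # Rule 2: user authentication AND WasMachineAuthenticated -> WIRED_PERMIT_ALL.
    if "Domain Users" in groups and cache.was_machine_authenticated(
        req.psn, req.calling_station_id, now
    ):
        return "WIRED_PERMIT_ALL"
    return "DenyAccess"


def run_scenarios() -> dict[str, str]:
    """Constructed scenarios: the happy path and three ways the user phase misses."""
    cache = MarCache()
    machine = Request("0011.2233.4455", "host/PC1", frozenset({"Domain Computers"}), "psn1")
    user_same_port = Request("00-11-22-33-44-55", "jim", frozenset({"Domain Users"}), "psn1")
    user_wifi = Request("aa:bb:cc:dd:ee:ff", "jim", frozenset({"Domain Users"}), "psn1")
    user_other_psn = Request("00:11:22:33:44:55", "jim", frozenset({"Domain Users"}), "psn2")

    results = {}
    results["machine"] = authorize(machine, cache, 0)                              # WIRED_AD_ONLY
    results["user_same_mac"] = authorize(user_same_port, cache, 60)                # WIRED_PERMIT_ALL
    results["user_after_aging"] = authorize(user_same_port, cache, MAR_AGING_SECONDS + 1)  # DenyAccess
    results["user_wireless_mac"] = authorize(user_wifi, cache, 60)                 # DenyAccess: different MAC
    results["user_other_psn"] = authorize(user_other_psn, cache, 60)               # DenyAccess: other node
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:20s} -> {outcome}")
```

The two deny paths after the happy path correspond to the caveats in the reply: an entry that has aged out (or a session that ended before the user phase ran) and a wired-to-wireless roam, where the user phase arrives with a different Calling-Station-Id than the one that was cached. The last scenario is the model's own assumption about a multi-node deployment and is worth confirming in the ISE logs, where the user-phase RADIUS record shows which node handled it and which MAC it carried.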
Thanks for your comments...the issue evidences itself on both wired and wireless connections, and occurs immediately on logon from power-off/restart, so I don't believe it's a timing issue (though I'd welcome other views). I have no argument with the suggestion that AnyConnect may be a better solution, but the installation I have does not use it, and while I may be able to use it in future, I would like to understand why this does not work. You mention "many caveats" that may make it fail....can you refer me to a list that I could work through to debug this?

Once again, thanks for any advice you can give.

Jim

Sorry, I have no list of issues, all just from memory, but try searching "machine access restriction" or "MAR" to get more hits on the forums.