ISE not sending Access-reject for IOS clients for putting wrong password.

Gagandeep Singh
Cisco Employee

Hi Team,

ISE is set to 0 retries for PEAP inner methods because of the reason below, taken from some internal documentation.

  • PEAP Password Retries: In a non-Microsoft environment, such as a wireless environment with many Apple or Android devices, set PEAP Password Retries to 0. Currently, devices that do not support PEAP Password Retries will stop responding once the retry message is received and instead start a new EAP session. Since an Access-Reject is never received by the WLC, client exclusions will never kick in for multiple failed password attempts, meaning a device statically configured with a bad password can flood ISE.

I do not see any erroneous debugs in the WLC log.

From the latest captures on ISE, it's clear that ISE detects the wrong password, but I see a different flow for iPhone vs. Android.

iPhone:

========

24212 Found User in Internal Users IDStore
22063 Wrong password
22057 The advanced option that is configured for a failed authentication request is used
22061 The 'Reject' advanced option is configured in case of a failed authentication request
11823 EAP-MSCHAP authentication attempt failed
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
11815 Inner EAP-MSCHAP authentication failed – Why is ISE not sending Access-Reject from here???
11520 Prepared EAP-Failure for inner EAP method
22028 Authentication failed and the advanced options are ignored
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
5440 Endpoint abandoned EAP session and started new

Android:

========

24212 Found User in Internal Users IDStore
22063 Wrong password
22057 The advanced option that is configured for a failed authentication request is used
22061 The 'Reject' advanced option is configured in case of a failed authentication request
11823 EAP-MSCHAP authentication attempt failed
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
11815 Inner EAP-MSCHAP authentication failed
11520 Prepared EAP-Failure for inner EAP method
22028 Authentication failed and the advanced options are ignored
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12917 Expected TLS acknowledge for PEAPv1 protected termination but received another message
11500 Invalid or unexpected EAP payload received
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject



The only difference I found is that if the Authentication Method comes as "dot1x", ISE will reject it.

If it comes as "MSCHAPv2", ISE doesn't reject it; instead it sends another Access-Challenge packet.

I need to know the reason behind the different authentication method.

I have tested in the lab with an iPhone 6+ running iOS 10.3.3 and got a failed authentication with Access-Reject.

Identity Services Engine

Overview
Event: 5400 Authentication failed
Username: abcd
Endpoint Id: 9C:4F:DA:1B:C5:35
Endpoint Profile:
Authentication Policy: Default >> Dot1X
Authorization Policy: Default
Authorization Result:

Authentication Details
Source Timestamp: 2017-08-10 17:41:28.023
Received Timestamp: 2017-08-10 17:41:28.024
Policy Server: ISE23
Event: 5400 Authentication failed
Failure Reason: 22063 Wrong password
Resolution: Check the user credentials. Also check whether the password is wrong.
Root cause: Wrong password
Username: abcd
User Type: User
Endpoint Id: 9C:4F:DA:1B:C5:35
Calling Station Id: 9c-4f-da-1b-c5-35
Authentication Identity Store: Internal Users
Identity Group: User Identity Groups:ALL_ACCOUNTS (default)
Audit Session Id: 0ac9e875000000c3598ce117
Authentication Method: dot1x
Authentication Protocol: PEAP (EAP-MSCHAPv2)

.............

.....

The WLC engineer filed an internal bug, "WLC/ISE unable to exclude iOS 10.3.3 client with failed authentication", but they want this validated on the ISE side.

Any help would be appreciated.


Regards

Gagan
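The two step sequences in the post differ only in how the EAP session ends: the Android flow reaches 11003 (Access-Reject), while the iPhone flow ends in 5440 (session abandoned) after ISE has already logged 22063 and 11815. The script below is an added example for this thread, not Cisco or ISE code. It classifies attempts by those step codes and flags endpoints that keep failing the password without ever receiving an Access-Reject, which is the "stale password floods ISE, WLC exclusion never fires" condition the quoted documentation describes. The step lists are constructed from the codes quoted above; the second endpoint MAC and the session labels are placeholders, and feeding real ISE authentication logs into `SAMPLE_ATTEMPTS` is left to the reader.

```python
"""Classify ISE PEAP attempts from their step codes and flag endpoints that
keep failing the password without ever getting an Access-Reject.

Added example for this thread, not Cisco/ISE code. The step sequences are
constructed from the codes quoted in the original post; the second endpoint
MAC and the session labels are placeholders.
"""
from collections import defaultdict

# ISE step codes as they appear in the logs above.
WRONG_PASSWORD = 22063       # Wrong password
INNER_MSCHAP_FAILED = 11815  # Inner EAP-MSCHAP authentication failed
ACCESS_CHALLENGE = 11006     # Returned RADIUS Access-Challenge
ACCESS_REJECT = 11003        # Returned RADIUS Access-Reject
SESSION_ABANDONED = 5440     # Endpoint abandoned EAP session and started new

# Constructed sample: one record per (endpoint, ISE session), steps in order.
SAMPLE_ATTEMPTS = [
    {"endpoint": "9C:4F:DA:1B:C5:35", "session": "iphone-attempt-1",
     "steps": [24212, 22063, 22057, 22061, 11823, 12305, 11006, 11001, 11018,
               12304, 11810, 11815, 11520, 22028, 12305, 11006, 5440]},
    {"endpoint": "AA:BB:CC:00:00:01",  # placeholder MAC, not from the thread
     "session": "android-attempt-1",
     "steps": [24212, 22063, 22057, 22061, 11823, 12305, 11006, 11001, 11018,
               12304, 11810, 11815, 11520, 22028, 12305, 11006, 11001, 11018,
               12304, 12917, 11500, 11504, 11003]},
]


def classify(steps):
    """How one PEAP attempt ended, judged from its ordered step codes."""
    if ACCESS_REJECT in steps:
        return "rejected"            # WLC saw a reject; client exclusion can count it
    if SESSION_ABANDONED in steps:
        return "abandoned"           # client walked away mid-EAP; WLC never saw a reject
    if steps and steps[-1] == ACCESS_CHALLENGE:
        return "challenge-pending"   # ISE is still waiting on the supplicant
    return "unknown"


def inner_failure_without_reject(steps):
    """True when ISE saw the inner MSCHAPv2 fail but never answered with Access-Reject."""
    return INNER_MSCHAP_FAILED in steps and ACCESS_REJECT not in steps


def wrong_password_no_reject_counts(attempts):
    """Per-endpoint count of wrong-password attempts that ended without Access-Reject."""
    counts = defaultdict(int)
    for attempt in attempts:
        steps = attempt["steps"]
        if WRONG_PASSWORD in steps and ACCESS_REJECT not in steps:
            counts[attempt["endpoint"]] += 1
    return dict(counts)


def flood_candidates(attempts, threshold=3):
    """Endpoints with at least `threshold` such attempts: the stale-password
    devices the quoted documentation warns can flood ISE."""
    counts = wrong_password_no_reject_counts(attempts)
    return sorted(ep for ep, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for attempt in SAMPLE_ATTEMPTS:
        flag = "inner-fail-no-reject" if inner_failure_without_reject(attempt["steps"]) else ""
        print(attempt["session"], classify(attempt["steps"]), flag)
    print("flood candidates:", flood_candidates(SAMPLE_ATTEMPTS, threshold=1))
```

Run over the two constructed attempts, the iPhone session classifies as `abandoned` and the Android one as `rejected`; only the iPhone endpoint shows up in `flood_candidates` once the threshold is lowered, because its wrong-password attempt never produced an 11003 for the WLC to count.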

Accepted Solution

Craig Hyps
Level 10

Per the message "Endpoint abandoned EAP session and started new": this is saying that before the auth event came to a conclusion (pass/fail), the endpoint started a new EAP session. ISE can return Access-Reject for these cases by using suppression with the reject option. This will allow client exclusion to kick in on the WLC.

Craig

4 Replies


I have this same problem, and even after configuring suppression with the reject option, ISE does not send rejects; the request times out, so exclusion does not kick in, ultimately causing the AD password to lock out...

b1230912
Level 1

I know this is an old thread, but I seem to be experiencing a very similar issue with iOS devices. Can anyone provide clarification on what actually solved this issue? I see the note about suppression and rejection, but what was the actual fix?

I opened a case and got no solution... They told me it is an iOS issue because they cannot control how the client behaves, so if the client stops responding and causes the timeout and the wrong-password trigger, they cannot do anything about it... I told them to get in contact with Apple to fix the issue, good luck with that...