Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3362
Views
4
Helpful
10
Replies

ISE Problem

Reyad Safi
Level 1
Level 1

‎07-13-2012 04:26 AM - edited ‎03-10-2019 07:17 PM

Hi Experts

we have new ISE servers at our network and it work good .

but lately i faced the below problem :

the ISE integrated to get the authentication from the microsoft active directory which depend on the windows login username / password , and the dot1x configurations and settings pushed to the users PCs via the active directory and the user can't change it .

if the user login to the windows sucessfully , the ISE put the user in the quarantine vlan , then check the policy and if pass assign the full access to the users .

Our System Admins force the users to change the password monthly bases , so when the password expired , the authentication failed so the ISE will not assign any vlan to the user , and the can't change the password on the Active Directory becouse he is disconnected from the network .

so i need a way to enable the switch to assign a restricted vlan to reach the Active Directory once the user plug the network cable , regardless he authenticate succesfully or not .

our switch configuration is :

-----------------------------

aaa new-model

!

!

aaa authentication login default local

aaa authentication login TEST group radius

aaa authentication enable default enable

aaa authentication dot1x default group radius

aaa authorization network default group radius

aaa accounting dot1x default start-stop group radius

!

!

aaa server radius dynamic-author

client 10.10.10.238 server-key C1sc0

!

aaa session-id common

system mtu routing 1500

authentication mac-move permit

!

!

ip device tracking

!

!

interface FastEthernet0/2

switchport access vlan 22

switchport mode access

switchport voice vlan 110

authentication port-control auto

mab

dot1x pae authenticator

spanning-tree portfast

!

!

ip access-list extended ACL-POSTURE-REDIRECT

deny   ip any host 10.10.10.238

deny   ip any host 10.10.10.239

deny   udp any any

permit tcp any any eq www

permit tcp any any eq 443

permit tcp any any eq 8443

ip access-list extended webauth

permit tcp any any eq www

permit tcp any any eq 443

deny   ip any host 10.10.10.238

deny   ip any host 10.10.10.239

!

ip radius source-interface Vlan10

ip sla enable reaction-alerts

!

radius-server attribute 6 on-for-login-auth

radius-server attribute 8 include-in-access-req

radius-server attribute 25 access-request include

radius-server dead-criteria time 20 tries 3

radius-server host 10.10.10.238 auth-port 1812 acct-port 1813

radius-server host 10.10.10.239 auth-port 1812 acct-port 1813

radius-server key C1sc0

radius-server vsa send accounting

radius-server vsa send authentication

!

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login TEST group radius

aaa authentication enable default enable

aaa authentication dot1x default group radius

aaa authorization network default group radius

aaa accounting dot1x default start-stop group radius

!

!

aaa server radius dynamic-author

client 10.10.10.238 server-key C1sc0

!

aaa session-id common

system mtu routing 1500

authentication mac-move permit

!

!

ip device tracking

!

!
interface FastEthernet0/2
switchport mode access
switchport voice vlan 110
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
!

!
ip access-list extended ACL-POSTURE-REDIRECT
deny   ip any host 10.10.10.238
deny   ip any host 10.10.10.239
deny   udp any any
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8443
ip access-list extended webauth
permit tcp any any eq www
permit tcp any any eq 443
deny   ip any host 10.10.10.238
deny   ip any host 10.10.10.239
!
ip radius source-interface Vlan10
ip sla enable reaction-alerts
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 20 tries 3
radius-server host 10.10.10.238 auth-port 1812 acct-port 1813
radius-server host 10.10.10.239 auth-port 1812 acct-port 1813
radius-server key C1sc0
radius-server vsa send accounting
radius-server vsa send authentication
!

------------------------------------

any suggestion to solve this problem .....

regards

Reyad

Labels:
0 Helpful
10 Replies 10

Tarik Admani
VIP Alumni
VIP Alumni

‎07-13-2012 06:42 AM

Reyad,

Please check and see if you have the enable password change box enabled under your AD settings:

http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_id_stores.html#wp1243634

Thanks,

Tarik admani

0 Helpful

Reyad Safi
Level 1
Level 1
In response to Tarik Admani

‎07-13-2012 07:18 AM

Dear Tarik

thank you for your reply , but it's already enabled there ...

i think i should add some configuration or ACL to the switch to assign native vlan to the port before checking the authentication from the AD .

Any Suggestion

Reyad

0 Helpful

Tarik Admani
VIP Alumni
VIP Alumni
In response to Reyad Safi

‎07-13-2012 07:21 AM

Reyad,

The password change is done through the supplicant and over to ISE via peap-mschapv2, there is no need for the client to be connected to the domain in order to do the password change. What version of ISE are you currently running?

Thanks,

tarik Admani

0 Helpful

Reyad Safi
Level 1
Level 1
In response to Tarik Admani

‎07-13-2012 07:48 AM

Dear tarik

Version Identifier (VID)  V01

ADE-OS Version  2.0.2.103 Version Identifier (VID)  V01
ADE-OS Version  2.0.2.103

the above reply not clear for me , please clarify it more , how could i change the AD Password while im not connected to the network ? please advise .

the PC IP address when it not authenticated succesfully is nubian ip address ( 169.x.x.x)

Reyad

0 Helpful

Tarik Admani
VIP Alumni
VIP Alumni
In response to Reyad Safi

‎07-13-2012 09:09 AM

That is normal, dot1x works as a L2 authentication mechanism in which radius from the NAD to the radius server is encapsulated in a radius packet. If authentication fails then the client doesnt receive and ip address since dhcp isnt forwarded from the NAD.

I need you to issue a show ver from the cli.

Also can you post the screenshot of the authentication to see why the client is failing, is it because the password is expired or is the account locked out? That will make a difference too.

Thanks,

Tarik Admani

0 Helpful

Reyad Safi
Level 1
Level 1
In response to Tarik Admani

‎07-13-2012 11:59 AM

the Sho Ver from cli is :

ME-ISE-1/reyad# sh version

Cisco Application Deployment Engine OS Release: 2.0
ADE-OS Build Version: 2.0.2.103
ADE-OS System Architecture: i386

Copyright (c) 2005-2011 by Cisco Systems, Inc.
All rights reserved.
Hostname: ME-ISE-1


Version information of installed applications
---------------------------------------------

Cisco Identity Services Engine
---------------------------------------------
Version      : 1.1.0.665
Build Date   : Thu Mar  8 00:51:03 2012
Install Date : Tue May 22 10:39:15 2012    

Cisco Identity Services Engine Patch
---------------------------------------------
Version      : 1
Install Date : Thu Jun 21 10:47:35 2012

and i will provide you the GUI screenshot when available .

thank you for support

Reyad

0 Helpful

Tarik Admani
VIP Alumni
VIP Alumni
In response to Reyad Safi

‎07-25-2012 12:55 AM

Reyad,

My apologies for the delay were you able to get this resolved?

Thanks,

Tarik Admani
*Please rate helpful posts*

Reyad Safi
Level 1
Level 1
In response to Tarik Admani

‎07-25-2012 05:57 AM

Dear TArik

thank you for your interesting ...

i solved the problem , and every thing working now

Reyad

0 Helpful

edondurguti
Level 4
Level 4
In response to Reyad Safi

‎07-26-2012 07:25 AM

Could you please share how you solved your problem?

Thank you.

0 Helpful

Reyad Safi
Level 1
Level 1
In response to edondurguti

‎07-27-2012 11:15 AM

Hi Edondurquti

yes you are right .....

i changed the authentication method from user authentication to computer authentication , so when you plug the network cable to the PC , it start authentication and the ISE assign the quarantine vlan to the port , so the changing password problem solved .

the computer authentication solved many problems i faced when implementation .

-     when you try to connect remotly to your PC at the office ( when i applied user authentication ) , it was

connected for seconds , then the PC re-authentiate and assigned to the quarantine vlan , so i lost the connection to my PC .

-     the password expire problem happened on the user authentication especially when you put the option to use the windows login .... its big problem .

-     many PCs can connect to the network using the same username/password ,,, and this is also big problem .

-     no way to enforce the users to join to the domain if you use the user authentication , you can login locally at your pc , then at the popup screen you can enter the AD user .

by using the computer authentication , all the above problems solved , and the connection become more stable , and all PCs enforced to join to the domain to get the authentication.

another helpful command on the switch , is to assign a restricted configured VLAN to the switches as native VLAN , and you can apply the below command on the interface to assign a VLAN when the authentication fail .

Switch(config-if)#authentication event fail action authorize vlan

i hope this can help you in case you faced the above problems ....

Reyad

0 Helpful
Customers Also Viewed These Support Documents