ISE ver 1.1.2.145 advanced license consumption

fashour
Level 1

Hello,

I am puzzled with this scenario when it comes to advanced licensing, any insight is greatly appreciated:

I have an XP machine that I am using to access the network through ISE authentication and authorization. My authentication is EAP-TLS with machine authentication to simulate a company asset. Every time the XP station connects, ISE consumes a Base license and an Advanced license. Why?? I am not using the profiled group, posture assessment, nor even onboarding in my Authz policy.

Here is the authorization rule:

Screenshot - 12_10_2012 , 2_26_03 PM.jpg

Here is the licensing page:

base: 1/20
advanced: 1/20

Here is the only active session from active session report:

xp-test.ashour.local | 00:22:FB:1A:59:C2 | 10.30.30.117 | dot1x | EAP-TLS | NotApplicable | N/A | WindowsXP-Workstation | Running | ise

And here is the live authentication:

Authentication Summary

Logged At: December 10,2012 5:27:36.331 PM
RADIUS Status: Authentication succeeded
NAS Failure:
Username: xp-test.ashour.local
MAC/IP Address: 00:22:FB:1A:59:C2
Network Device: 5508-WLC : 10.255.255.20 :
Allowed Protocol: Default Network Access
Identity Store:
Authorization Profiles: PermitAccess
SGA Security Group:
Authentication Protocol: EAP-TLS

Authentication Result

User-Name=xp-test.ashour.local
State=ReauthSession:0affff140000005550c6598d
Class=CACS:0affff140000005550c6598d:ise/144192099/4026
Termination-Action=RADIUS-Request
MS-MPPE-Send-Key=99:b0:49:f5:e1:eb:20:a6:2b:2a:97:fe:f1:68:a0:02:a7:98:3c:03:12:2a:90:70:3a:6c:fd:ed:1c:3b:bc:4b
MS-MPPE-Recv-Key=8e:c8:88:f8:fb:75:02:3d:32:48:8a:b0:9e:7d:74:5d:04:f7:de:48:3c:b9:c3:e7:36:e5:05:f3:c7:6c:21:7d

Related Events

Dec 10,12 5:27:36.072 PM  Radius authentication passed for USER:   CALLING STATION ID: 00:22:FB:1A:59:C2  AUTHTYPE:Radius authentication passed
Dec 10,12 5:23:56.647 PM  Radius authentication passed for USER:   CALLING STATION ID: 00:22:FB:1A:59:C2  AUTHTYPE:Radius authentication passed
Dec 10,12 5:06:07.317 PM  Radius accounting start  Radius accounting start

Authentication Details

Logged At: December 10,2012 5:27:36.331 PM
Occurred At: December 10,2012 5:27:36.331 PM
Server: ise
Authentication Method: dot1x
EAP Authentication Method: EAP-TLS
EAP Tunnel Method:
Username: xp-test.ashour.local
RADIUS Username: host/xp-test.ashour.local
Calling Station ID: 00:22:FB:1A:59:C2
Framed IP Address:
Use Case:
Network Device: 5508-WLC
Network Device Groups: Device Type#All Device Types#WIRELESS,Location#All Locations#ASHOUR RESIDENCE
NAS IP Address: 10.255.255.20
NAS Identifier: ASHOUR-WLC1
NAS Port: 1
NAS Port ID:
NAS Port Type: Wireless - IEEE 802.11
Allowed Protocol: Default Network Access
Service Type: Framed
Identity Store:
Authorization Profiles: PermitAccess
Active Directory Domain:
Identity Group: Profiled:Workstation
Allowed Protocol Selection Matched Rule: Dot1X
Identity Policy Matched Rule: Default
Selected Identity Stores:
Authorization Policy Matched Rule: Company asset
SGA Security Group:
AAA Session ID: ise/144192099/4026
Audit Session ID: 0affff140000005550c6598d
Tunnel Details: Tunnel-Type=(tag=0) VLAN,Tunnel-Medium-Type=(tag=0) 802,Tunnel-Private-Group-ID=(tag=0) 30
Cisco-AVPairs: audit-session-id=0affff140000005550c6598d
Other Attributes: ConfigVersionId=5,DestinationPort=1812,Protocol=Radius,Framed-MTU=1300,State=37CPMSessionID=0affff140000005550c6598d;28SessionID=ise/144192099/4026;,Airespace-Wlan-Id=1,ExternalGroups=ashour.local/users/domain computers,CPMSessionID=0affff140000005550c6598d,EndPointMACAddress=00-22-FB-1A-59-C2,EndPointMatchedProfile=WindowsXP-Workstation,HostIdentityGroup=Endpoint Identity Groups:Profiled:Workstation,Device Type=Device Type#All Device Types#WIRELESS,Location=Location#All Locations#ASHOUR RESIDENCE,Model Name=5508,Software Version=7.2,Device IP Address=10.255.255.20,Called-Station-ID=f0:25:72:3d:3c:d0:ISE BYOD
Posture Status: NotApplicable
EPS Status:
Steps

11001  Received RADIUS Access-Request
11017  RADIUS created a new session
Evaluating Service Selection Policy
15048  Queried PIP
15048  Queried PIP
15048  Queried PIP
15048  Queried PIP
15004  Matched rule
11507  Extracted EAP-Response/Identity
12500  Prepared EAP-Request proposing EAP-TLS with challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12502  Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
12800  Extracted first TLS record; TLS handshake started
12805  Extracted TLS ClientHello message
12806  Prepared TLS ServerHello message
12807  Prepared TLS Certificate message
12809  Prepared TLS CertificateRequest message
12505  Prepared EAP-Request with another EAP-TLS challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12504  Extracted EAP-Response containing EAP-TLS challenge-response
12505  Prepared EAP-Request with another EAP-TLS challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12504  Extracted EAP-Response containing EAP-TLS challenge-response
12505  Prepared EAP-Request with another EAP-TLS challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12504  Extracted EAP-Response containing EAP-TLS challenge-response
12505  Prepared EAP-Request with another EAP-TLS challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12504  Extracted EAP-Response containing EAP-TLS challenge-response
12568  Lookup user certificate status in OCSP cache
12570  Lookup user certificate status in OCSP cache succeeded
12554  OCSP status of user certificate is good
12568  Lookup user certificate status in OCSP cache
12570  Lookup user certificate status in OCSP cache succeeded
12554  OCSP status of user certificate is good
12811  Extracted TLS Certificate message containing client certificate
12812  Extracted TLS ClientKeyExchange message
12813  Extracted TLS CertificateVerify message
12804  Extracted TLS Finished message
12801  Prepared TLS ChangeCipherSpec message
12802  Prepared TLS Finished message
12816  TLS handshake succeeded
12509  EAP-TLS full handshake finished successfully
12505  Prepared EAP-Request with another EAP-TLS challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12504  Extracted EAP-Response containing EAP-TLS challenge-response
Evaluating Identity Policy
15006  Matched Default Rule
22037  Authentication Passed
12506  EAP-TLS authentication succeeded
11503  Prepared EAP-Success
Evaluating Authorization Policy
15048  Queried PIP
15048  Queried PIP
15004  Matched rule
15016  Selected Authorization Profile - PermitAccess
11002  Returned RADIUS Access-Accept

10 Replies

Tarik Admani
VIP Alumni

Please provide a screenshot of your authorization policies.


Sent from Cisco Technical Support Android App

Tarik,

Thank you for responding. Here is a screenshot of the authz rules. My device is hitting the third one from the top, per my previous note:

Tarik Admani
VIP Alumni

Please send me a screenshot of your endpoint. Is it statically assigned to the endpoint group iOS devices?


Sent from Cisco Technical Support Android App

No, it is not part of the iOS devices group, which is a static group. It is part of the profiled workstation group. The rule I am hitting is the one above the iOS devices rule. The name of the rule is company assets.

Here are some screenshots of the endpoint attributes:

Hi,

Please make sure that profiling is disabled for this node; it seems as if the RADIUS probe and the user agent are learned via the HTTP probe.

It also seems as if you are hitting this bug. I understand the description doesn't line up, but you may want to have TAC clarify whether this isn't experienced on authenticating networks:

CSCub56607

Cisco ISE applies a wireless access session against the Advanced license allowable user count when it should not

The wireless session in question should be applied against the Base license count. This issue has been observed in Cisco ISE, Release 1.1.1 where the following functions are set:

MAC Filtering is enabled on the SSID and the Central Web Authentication authorization policy is applied

Profiling is disabled

Posture is disabled

The device in question has not been registered via the My Devices Portal

Note: There is no known workaround for this issue.

Tarik Admani
*Please rate helpful posts*

Naveen Kumar
Level 4
Level 4

Please disable the profile and posturing features in ISE and see the result.

What if you need to use profiling for a subset of the endpoints and the rest use the base license only? Say I have 100 advanced and 500 base licenses? Even when I statically put devices in a static group, it still takes advanced licenses...

Just profiling the devices would not consume the license; it would be consumed when you assign authorization policies using the profiling data.

endpoint.jpg

That is what I understand. I am trying to understand why the static rule attached here consumes an advanced license, as the endpoints are statically added to the iOS asset identity group. No profile info is used to authorize. I am still seeing this behavior with a 1.2 deployment too. Can you help me understand why this is the case? Note: if I statically assign it to the unknown profile it does not consume an advanced license, which I do not consider a feasible solution.
Thank you,
Fadi

authz.jpg

Your rule for company assets checks for posture compliance (nac) "Session:Posture Compliance EQUALS Compliant", this is an advanced feature, and requires a license for each device that matches your "Company Assets" rule.

Jan
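A small checker that follows Jan's explanation, added here as an example and not code from Cisco or from the thread: it parses the "Other Attributes" string ISE prints in the live-authentication details (copied above) and classifies authorization rule conditions as Base or Advanced by whether they reference posture status or profiler-derived data. The condition syntax (`Dictionary:Attribute OPERATOR value`), the operator list, and the dictionary names `AD1`, `EndPoints` and `IdentityGroup` are assumptions modelled on the "Session:Posture Compliance EQUALS Compliant" condition quoted in Jan's reply; the reconstructed "Company asset" rule is constructed from the thread's description and the `ExternalGroups` value in the log.

```python
import re
from typing import Dict, List, Tuple

# "Other Attributes" line copied from the live-authentication details in the thread.
SAMPLE_OTHER_ATTRIBUTES = (
    "ConfigVersionId=5,DestinationPort=1812,Protocol=Radius,Framed-MTU=1300,"
    "State=37CPMSessionID=0affff140000005550c6598d;28SessionID=ise/144192099/4026;,"
    "Airespace-Wlan-Id=1,ExternalGroups=ashour.local/users/domain computers,"
    "CPMSessionID=0affff140000005550c6598d,EndPointMACAddress=00-22-FB-1A-59-C2,"
    "EndPointMatchedProfile=WindowsXP-Workstation,"
    "HostIdentityGroup=Endpoint Identity Groups:Profiled:Workstation,"
    "Device Type=Device Type#All Device Types#WIRELESS,"
    "Location=Location#All Locations#ASHOUR RESIDENCE,Model Name=5508,"
    "Software Version=7.2,Device IP Address=10.255.255.20,"
    "Called-Station-ID=f0:25:72:3d:3c:d0:ISE BYOD"
)


def parse_other_attributes(raw: str) -> Dict[str, str]:
    """Split the comma-separated Key=Value list into a dict.

    Values may themselves contain '=' (the State attribute embeds two more
    Key=Value pairs), so only the first '=' of each item is the separator.
    Assumption: values never contain a literal comma in this output format."""
    attrs: Dict[str, str] = {}
    for item in raw.split(","):
        if "=" not in item:
            continue
        key, value = item.split("=", 1)
        attrs[key.strip()] = value.strip()
    return attrs


# Rule conditions in "Dictionary:Attribute OPERATOR value" form. The operator
# vocabulary and dictionary names are assumptions modelled on the condition
# quoted in the thread, not an exact copy of the ISE condition grammar.
COND_RE = re.compile(
    r"^\s*(?P<dict>\w+):(?P<attr>\w[\w ]*?)\s+"
    r"(?P<op>EQUALS|NOT_EQUALS|CONTAINS|STARTS_WITH|MATCHES)\s+(?P<val>.+?)\s*$"
)


def condition_feature(condition: str) -> str:
    """Return 'posture', 'profiling' or 'base' for a single condition."""
    m = COND_RE.match(condition)
    if not m:
        raise ValueError(f"unrecognised condition: {condition!r}")
    dictionary, attr, value = m["dict"], m["attr"], m["val"]
    # Posture checks (Session:PostureStatus and similar) are an Advanced feature.
    if dictionary == "Session" and "posture" in attr.lower():
        return "posture"
    # Matching on profiler data: EndPoints attributes or a Profiled:* identity group.
    if dictionary == "EndPoints" or "Profiled:" in value:
        return "profiling"
    return "base"


def classify_rule(conditions: List[str]) -> Tuple[str, List[str]]:
    """'advanced' if any condition uses posture or profiling data, else 'base';
    the second element lists the conditions responsible."""
    offending = [c for c in conditions if condition_feature(c) != "base"]
    return ("advanced" if offending else "base"), offending


# Reconstruction of the poster's "Company asset" rule as Jan described it:
# an AD machine-group match plus the posture condition (constructed sample).
COMPANY_ASSET_RULE = [
    "AD1:ExternalGroups EQUALS ashour.local/users/domain computers",
    "Session:PostureStatus EQUALS Compliant",
]

# The same rule with the posture condition removed: AD group match only.
COMPANY_ASSET_RULE_BASE_ONLY = COMPANY_ASSET_RULE[:1]

if __name__ == "__main__":
    attrs = parse_other_attributes(SAMPLE_OTHER_ATTRIBUTES)
    print("matched profile:", attrs["EndPointMatchedProfile"])
    print("identity group :", attrs["HostIdentityGroup"])
    for label, rule in (("as posted", COMPANY_ASSET_RULE),
                        ("AD group only", COMPANY_ASSET_RULE_BASE_ONLY)):
        tier, why = classify_rule(rule)
        print(f"Company asset rule ({label}): {tier} license; caused by {why}")
```

Run it as-is to see the rule flip from Advanced to Base once the posture condition is dropped, which is the fix Jan's reply implies; the profiler attributes in the session (EndPointMatchedProfile, HostIdentityGroup) are parsed but do not by themselves change the verdict, matching the thread's point that profiling data only counts once an authorization rule matches on it.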