cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1493
Views
0
Helpful
8
Replies
Highlighted
Beginner

ISE WLAN Machine Authentication

Hello,

 

I've implemented a wired policy to make a machine authentication, It checks if machine exists inside domain and if it belongs to a specific AD group. It works fine but I've not be able to make it working over a WLAN network.

 

I've copied the wired policy changing only the condition from wired-802.1x to wireless-802.1x but I have some doubts about how I've to configure the SSID and windows connection to SSID:

 

- Have I to configure it without layer 2 security? or I have to configure WPA, 802.1x...?

- I suppose that I've to configure the ISE as Radius Servers

- I suppose that I've to configure "ISE" inside "NAC State inside advanced options.

- About Windows client, I understand that it is not enough to connect to wireless network, I suppose that I have to create a "manual" connection and specify that it will be through 802.1x and PEAP.

 

Thank you very much.

8 REPLIES 8
Highlighted
Cisco Employee

You can start configuring ISE and WLC based on this doc: https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/201044-802-1x-authentication-with-PEAP-ISE-2-1.html#anc8 and yes, you need to configure the windows supplicant with 802.1x PEAP - have a look here : https://integratingit.wordpress.com/2019/07/13/configuring-windows-gpo-for-802-1x-authentication/
~Jatin
Highlighted

Thank you very much for the information but this instructions are focused about machine authentication through Certificate and I'm configuring a machine authentication through AD. About the WLC configuration, it does not show the Layer 2 authentication section. I think that this example is not close to my scenario.

Highlighted
VIP Collaborator

On your SSID, configure Layer-2 security to be WPA/WPA2 and then 802.1x for key management.  On your client, you would select WPA2-Enterprise, PEAP, and ensure that it is configured to do computer authentication only.  The Windows 10 wireless profile editor is not the best at giving you appropriate options.  Using GPO would be best to ensure you push down the correct settings.  If you are logged into the computer when trying to connect, it will send your user credentials and that obviously would not match the Domain Computers group.  So you need to ensure that the authentication is sending the computer credentials.

Highlighted

Thank you very much Colby, your information has been very useful. I've imported the wireless profile through a xml file to avoid the windows 10 profile editor. I've got that PC send the host identification inside "Radius-username" field but right now I've a problem, it does not match the policy, it seems there is some problem with the supplicant or its configuration, in the ISE Live Logs I can see that it receives the domain hostname but sometimes I get this error:

 

Event5440 Endpoint abandoned EAP session and started new
Failure Reason5440 Endpoint abandoned EAP session and started new
ResolutionVerify known NAD or supplicant issues and published bugs. Verify NAD and supplicant configuration.
Root causeEndpoint started new authentication while previous is still in progress. Most probable that supplicant on that endpoint stopped conducting the previous authentication and started the new one. Closing the previous authentication.

 

And other times:

 

Event5411 Supplicant stopped responding to ISE
Failure Reason12930 Supplicant stopped responding to ISE after sending it the first PEAP message
ResolutionVerify that supplicant is configured properly to conduct a full EAP conversation with ISE. Verify that NAS is configured properly to transfer EAP messages to/from supplicant. Verify that supplicant or NAS does not have a short timeout for EAP conversation. Check the network that connects the Network Access Server to ISE.
Root causeSupplicant stopped responding to ISE after sending it the first PEAP message

 

What do you think about that?

 

Thank you very much.

Highlighted

Event5440 Endpoint abandoned EAP session and started new
Failure Reason5440 Endpoint abandoned EAP session and started new
ResolutionVerify known NAD or supplicant issues and published bugs. Verify NAD and supplicant configuration.
Root causeEndpoint started new authentication while previous is still in progress. Most probable that supplicant on that endpoint stopped conducting the previous authentication and started the new one. Closing the previous authentication.
Highlighted

I suspect your Windows endpoint does not trust the ISE certificate and is rejecting the EAP tunnel creation.

Are you using a self-signed certificate on ISE? Never do this for this exact reason.

What are your wireless network properties set to?

Are you requiring validation of the server's certificate (ISE) yet do not have ISE listed as a trusted CA or the ISE certificate is not signed by one of your Trusted Root CAs?

image.png

Highlighted

Hi,

 

I've unchecked this option (Verify the server's identity....), I've tried again and initially the PC does not send the "hostname" inside "username" field, it is blank, then I make a new try and it send it but I can see this error:

 

Event5440 Endpoint abandoned EAP session and started new
Failure Reason5440 Endpoint abandoned EAP session and started new
ResolutionVerify known NAD or supplicant issues and published bugs. Verify NAD and supplicant configuration.
Root causeEndpoint started new authentication while previous is still in progress. Most probable that supplicant on that endpoint stopped conducting the previous authentication and started the new one. Closing the previous authentication.
Highlighted

You have not provided enough configuration details for us to help you. See How to Ask the Community for Help for future requests.

Please follow our recommended configurations - specifically for dot1x timers - under Configure the Switch for Monitor Mode in the ISE Secure Wired Access Prescriptive Deployment Guide since it could be that you are not allowing enough time for ISE to authenticate a request before sending a new one.

 dot1x timeout tx-period 7
 dot1x max-reauth-req 3

If doing wireless, see ISE & Catalyst 9800 Integration Guide or AireOS WLC configuration for ISE.

 

I recommend you call TAC for further troubleshooting.

 

Content for Community-Ad