Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4329
Views
0
Helpful
8
Replies

ISE WLAN Machine Authentication

techguy_cisco
Level 1
Level 1

‎08-05-2020 10:56 AM

Hello,

 

I've implemented a wired policy to make a machine authentication, It checks if machine exists inside domain and if it belongs to a specific AD group. It works fine but I've not be able to make it working over a WLAN network.

 

I've copied the wired policy changing only the condition from wired-802.1x to wireless-802.1x but I have some doubts about how I've to configure the SSID and windows connection to SSID:

 

- Have I to configure it without layer 2 security? or I have to configure WPA, 802.1x...?

- I suppose that I've to configure the ISE as Radius Servers

- I suppose that I've to configure "ISE" inside "NAC State inside advanced options.

- About Windows client, I understand that it is not enough to connect to wireless network, I suppose that I have to create a "manual" connection and specify that it will be through 802.1x and PEAP.

 

Thank you very much.

Labels:
0 Helpful
8 Replies 8

Jatin Katyal
Cisco Employee
Cisco Employee

‎08-05-2020 11:18 AM

You can start configuring ISE and WLC based on this doc: https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/201044-802-1x-authentication-with-PEAP-ISE-2-1.html#anc8 and yes, you need to configure the windows supplicant with 802.1x PEAP - have a look here : https://integratingit.wordpress.com/2019/07/13/configuring-windows-gpo-for-802-1x-authentication/
~Jatin
0 Helpful

techguy_cisco
Level 1
Level 1
In response to Jatin Katyal

‎08-05-2020 01:04 PM

Thank you very much for the information but this instructions are focused about machine authentication through Certificate and I'm configuring a machine authentication through AD. About the WLC configuration, it does not show the Layer 2 authentication section. I think that this example is not close to my scenario.

0 Helpful

Colby LeMaire
VIP Alumni
VIP Alumni

‎08-05-2020 01:56 PM

On your SSID, configure Layer-2 security to be WPA/WPA2 and then 802.1x for key management.  On your client, you would select WPA2-Enterprise, PEAP, and ensure that it is configured to do computer authentication only.  The Windows 10 wireless profile editor is not the best at giving you appropriate options.  Using GPO would be best to ensure you push down the correct settings.  If you are logged into the computer when trying to connect, it will send your user credentials and that obviously would not match the Domain Computers group.  So you need to ensure that the authentication is sending the computer credentials.

0 Helpful

techguy_cisco
Level 1
Level 1
In response to Colby LeMaire

‎08-06-2020 08:48 AM

Thank you very much Colby, your information has been very useful. I've imported the wireless profile through a xml file to avoid the windows 10 profile editor. I've got that PC send the host identification inside "Radius-username" field but right now I've a problem, it does not match the policy, it seems there is some problem with the supplicant or its configuration, in the ISE Live Logs I can see that it receives the domain hostname but sometimes I get this error:

 

Event5440 Endpoint abandoned EAP session and started new
Failure Reason5440 Endpoint abandoned EAP session and started new
ResolutionVerify known NAD or supplicant issues and published bugs. Verify NAD and supplicant configuration.
Root causeEndpoint started new authentication while previous is still in progress. Most probable that supplicant on that endpoint stopped conducting the previous authentication and started the new one. Closing the previous authentication.

 

And other times:

 

Event5411 Supplicant stopped responding to ISE
Failure Reason12930 Supplicant stopped responding to ISE after sending it the first PEAP message
ResolutionVerify that supplicant is configured properly to conduct a full EAP conversation with ISE. Verify that NAS is configured properly to transfer EAP messages to/from supplicant. Verify that supplicant or NAS does not have a short timeout for EAP conversation. Check the network that connects the Network Access Server to ISE.
Root causeSupplicant stopped responding to ISE after sending it the first PEAP message

 

What do you think about that?

 

Thank you very much.

0 Helpful

techguy_cisco
Level 1
Level 1
In response to techguy_cisco

‎08-06-2020 09:02 AM

Event5440 Endpoint abandoned EAP session and started new
Failure Reason5440 Endpoint abandoned EAP session and started new
ResolutionVerify known NAD or supplicant issues and published bugs. Verify NAD and supplicant configuration.
Root causeEndpoint started new authentication while previous is still in progress. Most probable that supplicant on that endpoint stopped conducting the previous authentication and started the new one. Closing the previous authentication.
0 Helpful

thomas
Cisco Employee
Cisco Employee
In response to techguy_cisco

‎08-10-2020 10:49 AM

I suspect your Windows endpoint does not trust the ISE certificate and is rejecting the EAP tunnel creation.

Are you using a self-signed certificate on ISE? Never do this for this exact reason.

What are your wireless network properties set to?

Are you requiring validation of the server's certificate (ISE) yet do not have ISE listed as a trusted CA or the ISE certificate is not signed by one of your Trusted Root CAs?

image.png

0 Helpful

techguy_cisco
Level 1
Level 1
In response to thomas

‎08-11-2020 08:36 AM - edited ‎08-11-2020 08:42 AM

Hi,

 

I've unchecked this option (Verify the server's identity....), I've tried again and initially the PC does not send the "hostname" inside "username" field, it is blank, then I make a new try and it send it but I can see this error:

 

Event5440 Endpoint abandoned EAP session and started new
Failure Reason5440 Endpoint abandoned EAP session and started new
ResolutionVerify known NAD or supplicant issues and published bugs. Verify NAD and supplicant configuration.
Root causeEndpoint started new authentication while previous is still in progress. Most probable that supplicant on that endpoint stopped conducting the previous authentication and started the new one. Closing the previous authentication.
0 Helpful

thomas
Cisco Employee
Cisco Employee
In response to techguy_cisco

‎08-11-2020 02:39 PM - edited ‎08-11-2020 03:33 PM

You have not provided enough configuration details for us to help you. See How to Ask the Community for Help for future requests.

Please follow our recommended configurations - specifically for dot1x timers - under Configure the Switch for Monitor Mode in the ISE Secure Wired Access Prescriptive Deployment Guide since it could be that you are not allowing enough time for ISE to authenticate a request before sending a new one.

 dot1x timeout tx-period 7
 dot1x max-reauth-req 3

If doing wireless, see ISE & Catalyst 9800 Integration Guide or AireOS WLC configuration for ISE.

 

I recommend you call TAC for further troubleshooting.

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents