ISE1.4 - User authentication issue on WLAN

Sarayuth.s01
Level 1

Hi Experts,

I am implementing ISE 1.4 for machine and user authentication on the wired and wireless networks.

For the wired network there is no issue.

For the wireless network, when I connect to the SSID that is integrated with ISE, the authorization is denied.

These are the rules in authorization:

First rule: Machine Authen

Radius:Called-Station-ID == Contains == Office

3D-AD:ExternalGroups == domain computer

 

Second rule: User Authen

Radius:Called-Station-ID == Contains == Office

3D-AD:ExternalGroups == domain user

Network Access:WasMachineAuthenticated ==True

 

If I delete the "Network Access:WasMachineAuthenticated == True" condition from the second rule, authentication passes.

 

Could you please advise me what the root cause is?

 

Thank you
 

6 Replies

Hi,

 

By the sounds of it you want to set up EAP chaining. I would suggest you read through this document, which has a good example of how to achieve this. The only missing part would be the AD groups, which you can add; however, it also seems you are using the default groups anyway.

 

http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-82_Deploy_EAP_Chaining.pdf

 

Regards,

Jason

Hi Jason,

I'm not trying to set up EAP chaining; I'm using the PEAP and EAP-TLS authentication methods. Authentication passes, but it gets stuck in authorization if I apply the condition "Network Access:WasMachineAuthenticated == True", so it goes to the default authorization (Deny access).

 

Hi,

 

If you're not using EAP chaining then you can't combine machine and user success criteria as you have it in your authz. What are you attempting to achieve?

 

Regards,

Jason

Hi

My purpose is like this topic; please see the correct answer. https://supportforums.cisco.com/discussion/11583721/machine-user-auth-windows-endpoint-autheticating-through-ise

It works on my wired network.

And the WLAN network used to work fine on ISE 1.2.

Hi,

 

I read the thread and it seems there are several limitations on how this works, and in the same article it is not recommended.

However, let's see if we can reproduce how it worked in your earlier version: when your wireless device connects to the SSID, do you see a successful machine authz?

 

Regards,

Jason

Tim Steele
Level 1

How many PSNs do you have?  Keep in mind that the MAR cache (where previous machine authentications are stored) does not replicate across PSNs.  So, if your machine authenticated against one PSN and then the user authentication hit a different PSN, that PSN wouldn't have a record of the previous machine authentication.  This is one of the limitations of MAR (machine access restrictions). 

One of the things you'll want to do if you plan to use MAR is to extend the MAR cache aging timer at Administration > Identity Management > External Identity Sources > Active Directory.  Once you click on your AD Join Point Name, click the Advanced Settings tab across the top.  The default is 6hrs, you may consider expanding that to something you feel would better serve your environment.  I've used 168hrs (7 days) a number of times.  This doesn't solve the machine auth replication between PSNs issue, but at least it holds the record of the machine auth for a decent amount of time.

That is one restriction of MAR.  Another is the idea of a user coming to work, putting her laptop on a docking station and powering it up.  That machine auth attempt will be wired.  An hour later, she needs to undock and go to a meeting - now she is authenticating with just user auth over wireless with potentially no matching machine auth. 

Review this doc for more details: 

http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116516-problemsolution-technology-00.html

EAP Chaining with AnyConnect solves these issues, but it comes at the cost of the help desk having to support a new client which some companies want to avoid.  There is also the licensing cost to consider.  However, even with those costs, it is a good option to consider - especially if you are already using AnyConnect VPN on your endpoints.  There is now an RFC for a new EAP type called TEAP where "EAP Chaining" will be standardized.  Key word there is "will" as there are no supplicants supporting TEAP yet.  You can see more on that here:

http://www.networkworld.com/article/2466000/security0/industry-standards-for-secure-network-access.html

Tim
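The following is an added illustration, not code from this thread or from Cisco: a simplified Python model of how a Machine Access Restriction lookup behaves under the MAR limitations described in the reply above. It keeps one non-replicated MAR cache per PSN, keyed by the endpoint MAC (RADIUS Calling-Station-ID) with an aging timer, and evaluates a first-match authorization policy shaped like the two rules in the original post. The PSN names, MAC addresses, Called-Station-IDs and timestamps are constructed for the example, and the model's assumption that MAR is keyed by endpoint MAC is stated in the comments.

```python
"""Simplified model of ISE MAR (Machine Access Restriction) behaviour.

Added illustration only; this is not Cisco ISE code. Assumptions: each PSN has
its own MAR cache that is never replicated, and entries are keyed by the
endpoint MAC address with an aging timer.
"""
from dataclasses import dataclass, field

HOUR = 3600.0
DEFAULT_MAR_AGING_HOURS = 6      # ISE default mentioned in the reply above
EXTENDED_MAR_AGING_HOURS = 168   # the 7-day value mentioned in the reply above

# Constructed sample identifiers (not taken from the thread).
OFFICE_SSID = "00-1a-2b-3c-4d-5e:Office"   # Called-Station-ID: AP MAC + SSID name
LAPTOP_WIRED_MAC = "AA:BB:CC:00:00:01"     # laptop's wired NIC
LAPTOP_WIFI_MAC = "AA:BB:CC:00:00:02"      # laptop's wireless NIC (different MAC)
T0 = 1_700_000_000.0                       # arbitrary epoch start


@dataclass
class PSN:
    """One Policy Service Node with its own, non-replicated MAR cache."""
    name: str
    mar_aging_hours: float = DEFAULT_MAR_AGING_HOURS
    mar_cache: dict = field(default_factory=dict)  # MAC -> epoch of last machine auth

    def record_machine_auth(self, mac: str, now: float) -> None:
        self.mar_cache[mac] = now

    def was_machine_authenticated(self, mac: str, now: float) -> bool:
        seen = self.mar_cache.get(mac)
        return seen is not None and (now - seen) <= self.mar_aging_hours * HOUR


@dataclass
class Request:
    psn: PSN                  # the PSN that happened to receive this RADIUS request
    called_station_id: str    # NAS identifier (AP MAC:SSID or switch port MAC)
    calling_station_id: str   # endpoint MAC, the key the MAR cache is looked up by
    external_groups: set      # AD groups of the authenticated identity
    now: float


def authorize(req: Request) -> str:
    """First-match policy mirroring the two rules in the original post."""
    office = "Office" in req.called_station_id
    if office and "domain computer" in req.external_groups:      # rule 1: Machine Authen
        req.psn.record_machine_auth(req.calling_station_id, req.now)
        return "MachineAccess"
    if (office and "domain user" in req.external_groups           # rule 2: User Authen
            and req.psn.was_machine_authenticated(req.calling_station_id, req.now)):
        return "UserAccess"
    return "DenyAccess"                                           # default rule


def scenario_same_psn() -> str:
    """Machine and user auth both land on PSN-A within the aging window."""
    psn = PSN("PSN-A")
    authorize(Request(psn, OFFICE_SSID, LAPTOP_WIFI_MAC, {"domain computer"}, T0))
    return authorize(Request(psn, OFFICE_SSID, LAPTOP_WIFI_MAC, {"domain user"}, T0 + 600))


def scenario_different_psn() -> str:
    """Machine auth on PSN-A, user auth load-balanced to PSN-B: cache miss."""
    psn_a, psn_b = PSN("PSN-A"), PSN("PSN-B")
    authorize(Request(psn_a, OFFICE_SSID, LAPTOP_WIFI_MAC, {"domain computer"}, T0))
    return authorize(Request(psn_b, OFFICE_SSID, LAPTOP_WIFI_MAC, {"domain user"}, T0 + 600))


def scenario_aged_out(aging_hours: float) -> str:
    """User auth 24h after the machine auth; the outcome depends on the aging timer."""
    psn = PSN("PSN-A", mar_aging_hours=aging_hours)
    authorize(Request(psn, OFFICE_SSID, LAPTOP_WIFI_MAC, {"domain computer"}, T0))
    return authorize(Request(psn, OFFICE_SSID, LAPTOP_WIFI_MAC, {"domain user"}, T0 + 24 * HOUR))


def scenario_docked_then_wireless() -> str:
    """Wired machine auth on the dock, then user auth an hour later over Wi-Fi.

    The wired machine auth is represented directly as a cache entry for the
    wired NIC (the wired rules are not modelled here). The wireless user auth
    arrives from the Wi-Fi NIC, a different Calling-Station-ID, so even on the
    same PSN and within the aging window there is no matching machine auth.
    """
    psn = PSN("PSN-A")
    psn.record_machine_auth(LAPTOP_WIRED_MAC, T0)
    return authorize(Request(psn, OFFICE_SSID, LAPTOP_WIFI_MAC, {"domain user"}, T0 + 1 * HOUR))


if __name__ == "__main__":
    print("same PSN, 10 min later      :", scenario_same_psn())
    print("different PSN, 10 min later :", scenario_different_psn())
    print("same PSN, 24h, 6h timer     :", scenario_aged_out(DEFAULT_MAR_AGING_HOURS))
    print("same PSN, 24h, 168h timer   :", scenario_aged_out(EXTENDED_MAR_AGING_HOURS))
    print("wired dock, then Wi-Fi      :", scenario_docked_then_wireless())
```

Extending the aging timer only rescues the third scenario; the cross-PSN miss and the wired-then-wireless miss remain, which is why the reply above points at EAP chaining as the structural fix rather than a MAR tuning exercise.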