Solved: Macbook Mojave OSX 802.1x authentication ISE 2.3

aspry · ‎08-27-2019

Hi,

Our current WIFI setup incorporates a Cisco ACS 4.1 and 5508 WLC and all corporate users connect to one SSID.

We have a mix of corporate devices (Windows 7, 10 and MacBook Mojave OSX).

Currently all corporate WIFI user access the corporate WIFI using 802.1x and PEAP mschapv2 with MAC address as the username and password.

We are looking to migrate from the ACS to ISE 2.3

On our test WIFI we would like all corporate users (Win & Mac) connect to one SSID, as is the case on our current set up.

The windows 10 devices will authenticate using certificates and Active Directory.

The Mac devices will continue to use mac address username and password until we can incorporate them into our AD.

The Windows 10 devices are authenticating via certificate and AD - which is working ok

The problem I have is with the MacBook devices which I am unable to authenticate with the mac username and password.

I am unsure if this the Mojave OSX setup or the ISE setup.

I would be grateful if somebody has come across similar issue and how it was resolved.

Hope the above makes sense, please do not hesitate to ask for further information if needed.

Thanks

Andy

Colby LeMaire · ‎08-29-2019

Andy,

In your authentication policy, you currently have a rule for 802.1x and it points to a Certificate Authentication Profile (CAP) and maybe even AD. You could use an Identity Source Sequence that checks the CAP, AD, and Internal Users. It will try AD first and then fallback to the internal identity store in ISE.

Or you can have one rule in the authentication policy that looks for 802.1x with EAP-TLS specifically and point that to the CAP/AD. Then another rule below that looking for 802.1x with PEAP and point that to the Internal Users identity store in ISE.

In the authorization policy, I would have a rule that looks to make sure the calling-station-id (MAC Address) is in a specific Endpoint Identity Group in ISE AND that it authenticated with PEAP. That adds another level of protection so someone couldn't just use the credentials on any other device.

View solution in original post

Arne Bier · ‎08-27-2019

Is the MAC failing on the TLS establishment? We have seen issues in the past with iOS especially that gets quite fussy about the Authenticating Server's certificate (ISE EAP cert). If it doesn't have the chain of trust (for the ISE EAP cert) installed, then it tends to complain. Can you perform a tcpdump on ISE and analyse in wireshark to see how the TLS is going?

The username/password passed via MS-CHAPv2 should look no different to ISE, than it did to ACS. Wireshark is your friend :-)

aspry · ‎08-28-2019

Thanks for your reply.

There are still a lot of areas with regards to ISE with which I am not confident, plus the configuration of the MacBook has been (is) a nightmare.

I am trying to understand why the MacBook passes authentication on the Default MAB Rule and is then authorized by the Default Basic_Authenticated_Access and assigned the Employees profile, straight after that the logs show a fail with "12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain". I was assuming that when the authentication was using the MAB rule that when it passes that the user would gain access.

How would you go about doing a tcpdump on the ISE.

Thanks for your help.

Andy

aspry · ‎08-28-2019

Found the Tcpdump

Colby LeMaire · ‎08-28-2019

Just to clarify, are you attempting to authenticate the MacBook using MAB/Mac Filtering? Or is it truly using 802.1x with a username/password that you have created within ISE? A single SSID cannot do 802.1x or Mac Filtering at the same time. You can do BOTH at the same time but not either/or. For example, if an SSID is configured for 802.1x, then 802.1x must happen. If you also check the box for Mac Filtering, then the MAC address of the client device is also sent to ISE for validation. It does not operate like wired access where if one fails, fallback to the other.

Once the device authenticates, matches an authorization rule, and an authorization profile is pushed back down to the WLC, then the client device should have access. Verify in Live Logs whether it is actually the same Endpoint ID (MAC address).

Regards,

Colby

aspry · ‎08-29-2019

Thanks again for your reply.

This is where my lack of knowledge of ISE and 802.1x implementation comes shinning through.

We want to use 802.1x with a username/password (mac address of the MacBook) that has been created within ISE.

So am I correct in thinking that I would need another authentication rule below/above our current default 802.1x rule authenticating users from the AppleMac device database created within ISE.

Regards

Andy

Colby LeMaire · ‎08-29-2019

Andy,

In your authentication policy, you currently have a rule for 802.1x and it points to a Certificate Authentication Profile (CAP) and maybe even AD. You could use an Identity Source Sequence that checks the CAP, AD, and Internal Users. It will try AD first and then fallback to the internal identity store in ISE.

Or you can have one rule in the authentication policy that looks for 802.1x with EAP-TLS specifically and point that to the CAP/AD. Then another rule below that looking for 802.1x with PEAP and point that to the Internal Users identity store in ISE.

In the authorization policy, I would have a rule that looks to make sure the calling-station-id (MAC Address) is in a specific Endpoint Identity Group in ISE AND that it authenticated with PEAP. That adds another level of protection so someone couldn't just use the credentials on any other device.

aspry · ‎08-30-2019

That's brilliant.

Problem resolved.

Thanks for your help, was going around in circles, now the whole aspect of creating the profiles and the 802.1x is understood much better.