Solved: Machine authentication using certificates - Page 2

hardiklodhia · ‎08-10-2012

Hi,

I am facing this error while machine authenticates agaist AD for wireless users. My requirement is users with corporate laptop get privileged vlan and BYOD should get normal vlan.I am using Cisco ISE 1.1.1 and configured authentication policies to diffrenciate clients based on corp asset and BYOD. Authentication policy result is identity sequnce which uses certificate profile and AD. All corp laptops should be authenticated using certificates and then followed by AD user and pass. when I configure XP users to validate server certificate this error comes in ISE log "Authentication failed : 11514 Unexpectedly received empty TLS message; treating as a rejection by the client" and if I disable validate sewrver certificate then this error "Authentication failed : 22049 Binary comparison of certificates failed".

Any help??

Thanks in advance.

hardiklodhia · ‎08-14-2012

Hi Tarik, Certificate check is working now. But as I suspected earlier, machine AND user authentication is not working. If i set XP supplicant authmode to use machine only authentication then machine gets authenticated agianst certificate profile and ISE assigns authorisation profile without checking username and password.which is not desirable. If I set XP authmode to " Always perform user authentication when user logs on" then I can see machine authenticates in ISE but after login with AD username and password , connection doesnt come up and XP pops up with" windows cant find user cert" error. How to make user and machine authentication work at the same time? one more thiing I noticed that after machine authentication, EAP is not challenging for username and password. I have enabled MAR in ISE. Am I missing something. Thanks in advance and I will surely rate your posts.

Tarik Admani · ‎08-14-2012

Hi,

This is a limitation on the native supplicant, when you enable smart card or certificate authentication for the network connection, then it tries to use this for both machine and user authentication. It does not allow you to use certificate authentication for machine auth, and password authenticaiton for user authentication.

You can use anyconnect network access manager (which is free if you have a cisco wireless network) and not only does it allow you to set which type of authentication you want (certificate for machine and password for user) but it has a new feature out which is called eap chaining. Eap chaining is a powerful option because you can choose the order (machine first then user) when the client connects to the network. No longer do you have to stress about the machine authentication timers and wondering what is the best fit when it comes to users logging in and out of their machines in order to update the machine authentication cache in ISE. However eap chaining uses eap-fast, which is a pac-based authentication framework.

Here is the latest release note about this feature (currently in beta):

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html#wp998871

Tarik Admani
*Please rate helpful posts*

hardiklodhia · ‎08-15-2012

Hi Tarik, thanks for your support. I will try Anyconnect and hope We can achive machine and user authentication same time before ISE applies authorisation profile/rules.

Thank you.

Sent from Cisco Technical Support Android App

hardiklodhia · ‎08-28-2012

Hi Tarik,

I have tried using Cisco Anyconnect NAM on Wondows XP for machine and user authentication but EAP-chaining feature is not working as expected. I am facing few challenges. I have configured NAM to use eap-fast for machine and user authentication and ISE is configured with required authorisation rule and profiles/results. when machine boots up it sends machine certificate and gets authenticated against AD and ISE matches the authorisation rule and assigns authZ profile without waiting for user credentials. Now when a user logs on using AD user/pass, authentication fails as the VLAN assigned in AuthZ profile does not have access to AD. ISE should actually check with their external database but Its not. Interestingly, if I login with an AD user which is local to the machine its gets authenticated and gets correct AuthZ profile/access level. If I logoff and login with different user, Windows adapter gets IP address and ISE shows successful authentication /authz profile but NAM agent prompts limited connectivity. Any help??

Tarik Admani · ‎08-28-2012

Hi [answers are inline]

I have tried using Cisco Anyconnect NAM on Wondows XP for machine and user authentication but EAP-chaining feature is not working as expected. I am facing few challenges. I have configured NAM to use eap-fast for machine and user authentication and ISE is configured with required authorisation rule and profiles/results. when machine boots up it sends machine certificate and gets authenticated against AD and ISE matches the authorisation rule and assigns authZ profile without waiting for user credentials.

This is expected for machine authentication, since the client hasnt logged in machine authentication will succeed so the computer has connectivity to the domain.

Now when a user logs on using AD user/pass, authentication fails as the VLAN assigned in AuthZ profile does not have access to AD. ISE should actually check with their external database but Its not.

Do you see the authentication report in ISE? Keep in mind that you are authenticating with a client that has never logged into the workstation before. I am sure you are looking for the feature which starts the NAM process before the user logs in. Try checking this option here:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac04namconfig.html#wp1074333

Note the section below:

–Before User Logon—Connect to the network before the user logs on. The user logon types that are supported include user account (Kerberos) authentication, loading of user GPOs, and GPO-based logon script execution.

If you choose Before User Logon, you also get to set Time to Wait Before Allowing a User to Logon:

Time to Wait Before Allowing User to Logon—Specifies the maximum (worst case) number of seconds to wait for the Network Access Manager to make a complete network connection. If a network connection cannot be established within this time, the Windows logon process continues with user log on. The default is 5 seconds.

Note If the Network Access Manager is configured to manage wireless connections, set Time to wait before allowing user to logon to 30 seconds or more because of the additional time it may take to establish a wireless connection. You must also account for the time required to obtain an IP address via DHCP. If two or more network profiles are configured, you may want to increase the value to cover two or more connection attempts.

You will have to enable this setting to allow the supplicant to connect to the network using the credentials you provide, the reason for this is you are trying to authenticate a user that has never logged into this workstation before. Please make changes to the configuration.xml file, and then select the repair option on the anyconnect client and test again.

Interestingly, if I login with an AD user which is local to the machine its gets authenticated and gets correct AuthZ profile/access level. If I logoff and login with different user, Windows adapter gets IP address and ISE shows successful authentication /authz profile but NAM agent prompts limited connectivity. Any help??

Please make the changes above and see if the error message goes away.

Thanks,

Tarik Admani
*Please rate helpful posts*

hardiklodhia · ‎08-28-2012

Thanks for your help Tarik,

I have changed the NAM profile as you suggested but still only one user can login successfully. When I login with diffrent user it still not working. However, ISE authentication logs shows successfull with correct Authz profile. NAM still throws same error "limited connectivity".

Thanks in advance.

Tarik Admani · ‎08-28-2012

Is user connected to the network and can it access the domain controllers after machine authentication succeeds? Also do you have the nac agent installed on this device as well? Are you changing vlans after user authentication?

Thanks,

Tarik Admani
*Please rate helpful posts*

hardiklodhia · ‎08-29-2012

Hi Tarik,

Is user connected to the network and can it access the domain controllers after machine authentication succeeds? YES, The assigned VLAN can reach DCs.

Also do you have the nac agent installed on this device as well?(Anyconnect with NAM)

Are you changing vlans after user authentication? I wanted to but its not working.

Thanks,

ASPasha · ‎09-14-2012

Hi guys,

I have pretty simple use cases here.

1. Company owned laptop/desktop with CA assigned certificate and valid user-id/password - ISE should allow the connection to the network.

2. Any personal device with no company issued CA certificate - ISE should allow the connection to guest network.

I have spent a couple of months trying to make this work. We do not and cannot use Microsoft device authentication. We just want to authenticate the machine based on the certificate and a user with valid ID / password should be tied together. Pretty simple. I have not found any ISE document which shows this simple use case. I have tested AC 3.1 for EAP Chaining but it does not work.

Any help will be appreciated very much.

Tarik Admani · ‎09-14-2012

Adil,

There is a bug on the eap chaining which is not working at the moment, but instead of using eap chaining go ahead and use the anyconnect to set the credential for machine using certs and user using peap credentials and see if this resolves your issue.

You are correct and your use case is very simple can you post a screenshot of your authorization policies so I can take a look?

Thanks,

Tarik Admani
*Please rate helpful posts*