One PC working but can't get others authorised in ISE

alliasneo1 (Level 1)

Hi all,

I've managed to get one PC up and running using dot1x and it's all authenticating correctly. However when I try another PC it just fails.

What can I do to troubleshoot this? I've confirmed that the PCs have the same certificates and are in the same AD groups. The port configs are the same on both ports.

On the switch I'm seeing "Authentication failed for client Username: host/XXXXXXX.domain".

When I check the logs in ISE I can see the following for the authenticated machine:

1001  Received RADIUS Access-Request - XXXX-DC-002
11017 RADIUS created a new session - XXX.domain.uk
15049 Evaluating Policy Group - XXXX-DC-002
15008 Evaluating Service Selection Policy
15048 Queried PIP - Normalised Radius.RadiusFlowType
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12502 Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated

and for the machine that fails it's not sending through the domain information:

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Normalised Radius.RadiusFlowType
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
5440  Endpoint abandoned EAP session and started new (Step latency=1018 ms)

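As an added example (not from the thread, Cisco, or ISE itself), a small Python triage script that parses two pasted ISE step lists, the working and the failing session quoted above, and reports the first step at which they diverge. It treats a 5440 arriving straight after the Access-Challenge as a supplicant-side symptom, because ISE has proposed EAP-TLS and has not yet seen a client certificate when the endpoint abandons the session.

```python
import re
# Constructed from the two ISE step lists quoted in the post (codes fused to messages
# exactly as the forum rendered them). Working and failing sessions share this prefix:
COMMON = """\
11001Received RADIUS Access-Request
11017RADIUS created a new session
15049Evaluating Policy Group
15008Evaluating Service Selection Policy
15048Queried PIP - Normalised Radius.RadiusFlowType
11507Extracted EAP-Response/Identity
12500Prepared EAP-Request proposing EAP-TLS with challenge
12625Valid EAP-Key-Name attribute received
11006Returned RADIUS Access-Challenge
"""
WORKING = COMMON + """\
11001Received RADIUS Access-Request
11018RADIUS is re-using an existing session
12502Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
"""
FAILING = COMMON + "5440Endpoint abandoned EAP session and started new (Step latency=1018 ms)\n"

STEP_RE = re.compile(r"^\s*(\d{4,5})\s*(\S.*?)\s*$")  # tolerate a missing space after the code

def parse_steps(text):
    """Turn pasted ISE 'Steps' text into a list of (step_code, message)."""
    return [(int(m.group(1)), m.group(2)) for m in map(STEP_RE.match, text.splitlines()) if m]

def first_divergence(good, bad):
    """Index of the first step code at which the failing session departs from the working one."""
    for i, (g, b) in enumerate(zip(good, bad)):
        if g[0] != b[0]:
            return i
    return min(len(good), len(bad))

def triage(good_text, bad_text):
    """Compare a working and a failing session and say which side to investigate first."""
    good, bad = parse_steps(good_text), parse_steps(bad_text)
    i = first_divergence(good, bad)
    last_common = good[i - 1][0] if i else None
    failing = bad[i][0] if i < len(bad) else None
    # 5440 straight after ISE proposed EAP-TLS (12500 / 11006) means the endpoint never answered
    # the challenge; ISE has not seen a client cert yet, so look at the supplicant (EAP method,
    # certificate selection, trust of the ISE EAP certificate) rather than at ISE policy.
    if failing == 5440 and last_common in (11006, 12500):
        verdict = "supplicant-side: endpoint abandoned the EAP-TLS challenge"
    elif failing is None:
        verdict = "no divergence found"
    else:
        verdict = "diverged at ISE step %d: inspect the policy/identity-store steps" % failing
    return {"diverges_at": i, "last_common_step": last_common, "failing_step": failing, "verdict": verdict}
```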
8 Replies

Looks like a supplicant configuration issue to me. The expected EAP type is EAP-TLS? Are the certificates correct on the second machine? What is the endpoint? What is the NAD? Machine certificate or user certificate?

https://community.cisco.com/t5/security-documents/how-to-ask-the-community-for-help/ta-p/3704356

It is EAP-TLS, yes.

The certificate is exactly the same on the second machine.

The endpoint is an HP PC - both the same make and model.

The NAD - Cisco 9200

Machine Certificate

"Exactly the same"? Each device should have its own unique certificate. Why are two machines sharing the same certificate? What type of certificate is on ISE? Public? Private? Is that certificate trusted by the second machine?

What version of IOS-XE?

This is a certificate pushed to the machine via Group Policy.

It is a private certificate. Under 'Issued-By' it has our company name.

How do I check if the certificate is trusted by the second machine?

Check in MMC under the trusted certificates.

When I open MMC and go to Local Computer>Personal>Certificates

I can see the ISE cert in there.

"The ISE cert"?  Why isn't it the root and issuing CAs?  From the internal PKI?  There should be no need to trust the ISE EAP Certificate itself as long as you are trusting the roots.  

That's also not the trusted CA store.  That's the certificates issues to that local computer.

We have created an intermediate certificate which we will push to devices. This is trusted by the Root CA. The Root CA certificate is uploaded to ISE. Sorry, I don't know much about certificates, but that is how it has been set up to my knowledge.

In ISE, if I look under Certificates > Trusted Certificates, this is where I see our organisation's Root Cert, and it is trusted for client authentication.

I then have the ISE cert being pushed from Group Policy, which is created from the PKI, and under 'External Identity Store' the preloaded certificate profile is pointed to Active Directory, with the certificate attribute looking at 'Subject Alternative Name'.