question about ISE error log reporting and about 802.1x with digital certs

Rey- (Cisco Employee)

Hello Everyone,

 

I have some general questions about using ISE for 802.1x port authentication and wondering if someone can help clarify a few things for me.

 

1)

In one test scenario, I have a device that uses digital certs to authenticate for device/network access for 802.1x where I intentionally use invalid certs so that it fails authentication and I use mismatched shared keys between ISE and the device. Upon doing my tests, when going to Operations > Radius > Live Logs, I see some error counters.

[screenshot: ise1.jpg]

 

I also go to Work Centers > Network Access > Policy Sets, and here I can see some counters too.

[screenshots: ise3.jpg, ise2.jpg]

  

Question 1:

Are there other locations in ISE where I can see RADIUS error counters for failed authentication issues between ISE and a device? Or is the only place to look where I took the screenshots above?

 

Question 2:

I noticed that in the policy set section, the counters increment when the 802.1x authentication is successful, but I also see they increment when the authentication fails. Sometimes, I see the counters don't increment even with successful or unsuccessful authentication.

 

Is this expected behavior?

I would have thought the counters here increment only when they match the policy sets and are successful but not when they fail.

 

2)

Is there a way on ISE, via a feature/option or some other method, to make ISE take an action when an 802.1x device fails authentication, i.e. make an API call, generate a syslog event or run a script, so that an automation tool can go into the authenticator device and shut down the port where the supplicant failed to authenticate?

 

3)

I'm also trying to test end devices that use digital certificates to authenticate with ISE for 802.1x authentication. As another test scenario, I'm trying to test a "perfect clone" where a rogue device obtains the exact/correct digital certs of another validated user but tries to authenticate from a different part of the network with 802.1x. 

Question 1:

What is ISE's behavior for dealing with perfect clones related to 802.1x using digital certificates?

 

Question 2:

Does ISE have a list or some type of DB reporting or error reporting so that, in the event of a perfect clone, ISE can detect it or permit access only from legitimate devices?

 

thanks in advance,

Rey

Accepted Solution

paul (Level 10)

I can't answer all your questions, but regarding your question about failed authentication shutting down a port: why would you want to do that? That is the whole reason you have MAB as well. If something fails Dot1x it will fail over to MAB and you have control of what happens. If you don't want to allow them onto the network at all, put a Deny All DACL, reject the connection (only works in closed mode) or throw a limited access DACL with a portal redirect. You could also kick off an Auto Smartport macro to reconfigure the port.

 

Describe how you are doing this perfect clone. Getting the certificate from a device means nothing. You have to get the certificate and the private key to use it. If the private key is marked as non-exportable, what is your scenario to get the cert/private key off the device? There are ways, but most of them require admin access to the device.


Rey- (Cisco Employee)

Hi Paul,

Thanks for your reply. I apologize, but I'm not very familiar with ISE; I just started working with it a few weeks ago. In regards to your comments, I'm positive we are using MAB on ISE. We set up a custom MAB allowed protocols list to only use EAP-TLS. Not sure if you are referring to this part or to using MAB on the local switch running 802.1x. Can you clarify where you meant to use MAB?

 

For the Deny All DACL, is this something we do on ISE via Policy Set > Authentication policy?

Or on the local switch running 802.1x?

What do you mean it works only in closed mode?

Where can we explore using an autosmart port macro to reconfigure the port?

 

For the perfect clone, yes we are assuming that a rogue user is able to obtain the public and private key of a legitimate end device that uses digital certs for 802.1x port authentication. I don't remember if the private key was marked as non-exportable, but will check. But as one theory, let's assume they are able to obtain/use the private key.

What/how does ISE handle this type of situation where two or more clients end up using the same digital certs?

Or where a rogue device tries to impersonate a legitimate device with a spoofed mac address from different locations?

 

thanks!
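Rey asks above how ISE, or anything else watching its logs, could tell that the same certificate is being used from two places at once, and earlier where failed-authentication counters can be seen per port. As an added example (not from this thread, and not ISE's real syslog format), here is a small defender-side correlation over constructed, simplified key=value auth events: it tallies failures per switch port and flags a certificate subject that passes authentication from two different NAS IPs within a short window, which is one signal of a cloned cert/key pair.

```python
"""Correlate simplified 802.1X auth events (added example, constructed data).

The log format below is an assumed key=value form, NOT Cisco ISE's syslog
format; a real deployment would parse the fields ISE actually exports.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: timestamp, result, cert subject, NAS IP, port, MAC
SAMPLE_LOG = """\
2024-05-01T10:00:00 result=PASS subject=CN=laptop-42 nas=10.0.1.2 port=Gi1/0/7 mac=00:11:22:33:44:55
2024-05-01T10:00:30 result=FAIL subject=CN=laptop-42 nas=10.0.1.2 port=Gi1/0/7 mac=00:11:22:33:44:55
2024-05-01T10:01:10 result=PASS subject=CN=laptop-42 nas=10.0.9.8 port=Gi1/0/3 mac=00:11:22:33:44:55
2024-05-01T10:05:00 result=FAIL subject=CN=printer-7 nas=10.0.1.2 port=Gi1/0/9 mac=aa:bb:cc:dd:ee:ff
2024-05-01T10:05:05 result=FAIL subject=CN=printer-7 nas=10.0.1.2 port=Gi1/0/9 mac=aa:bb:cc:dd:ee:ff
"""

def parse(line):
    """One event line -> dict; split on the first '=' so 'CN=...' survives."""
    ts, *kv = line.split()
    ev = dict(p.split("=", 1) for p in kv)
    ev["ts"] = datetime.fromisoformat(ts)
    return ev

def events(text):
    return [parse(l) for l in text.splitlines() if l.strip()]

def failures_per_port(evs):
    """Failed-auth counter keyed by (nas, port): the per-port view asked about."""
    counts = defaultdict(int)
    for e in evs:
        if e["result"] == "FAIL":
            counts[(e["nas"], e["port"])] += 1
    return dict(counts)

def suspected_clones(evs, window=timedelta(minutes=5)):
    """Subjects that PASS on two different NAS IPs within `window` of each other."""
    seen = defaultdict(list)  # subject -> [(ts, nas)] of earlier successes
    flagged = set()
    for e in sorted(evs, key=lambda e: e["ts"]):
        if e["result"] != "PASS":
            continue
        for ts, nas in seen[e["subject"]]:
            if nas != e["nas"] and e["ts"] - ts <= window:
                flagged.add(e["subject"])
        seen[e["subject"]].append((e["ts"], e["nas"]))
    return flagged
```

A flagged subject is a lead to investigate, not proof of cloning: a laptop moved between floors looks the same in this data, so the window and a MAC/port check should be tuned to the environment.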