cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1016
Views
2
Helpful
4
Replies

TEAP(EAP_TLS) Authentication works. But what' s about Authorization?

ifabrizio
Level 3
Level 3

Dear all,

I recently installed the operating system version for Cisco ISE 3.2 Patch3, on my deployment(Two Nodes)
And I tried to configure authentication for PCs and users, using the TEAP protocol.

With internal method of EAP-TLS type.

The authentication phase works correctly, the Windows 10 test PC accesses the network using TEAP(EAP-TLS). The user does the same thing, even if a username and password is used to access the domain, via Kerberos5 towards the Domain Controllers.

I configured a very simple authentication rule:

ifabrizio_1-1694507848178.png

The Authorization roules are:

ifabrizio_2-1694507948494.png

These policy sets are very simple, I'm using them to try to understand how the authorization process works on users.

With the above Authorization rules, if the user fails to authenticate to ISE using EAP-TLS, he can still access the PC with the domain user and password, and therefore access the network. If I want to avoid this situation how should I configure the authorization roules?

I tried putting Deny as result profile instead of permit, and in this case when the PC has started and has already authenticated to the network (EAP-TLS) and remains on the login screen waiting for user credentials, it is blocked by the ISE.

If you log in with a user with a valid certificate, the ISE unlocks access to the PC network. But this only works if the user already has a profile defined on the PC.

If it is a first access, and therefore there is no user profile on the PC,  the machine access to the network remains blocked, with a deadlock.

Can you help me pls?

Bye,

JF.

 

 

 

1 Accepted Solution

Accepted Solutions

So, we use an unauth ACL on the switch PC port that blocks until auth succeeds instead of a dACL we use the dACL to replace the unauth afterwards.

 

Here is out unauth template we use.

ip access-list extended unauth
10 permit tcp any any established
20 deny tcp any any eq 3389
30 permit ip any host 10.10.201.140
40 permit ip any host 10.10.201.141
50 permit ip any host 10.10.201.142
60 permit ip any host 10.10.201.143
70 permit ip any host 10.10.201.250
80 permit ip any host 10.10.201.251
90 deny tcp any any eq 445
100 permit ip any host 10.10.200.89
110 permit udp any any eq bootps tftp
120 permit udp any host 10.13.1.123 eq ntp
130 permit ip any 224.0.0.0 31.255.255.255
140 permit tcp any any eq 2598
150 <VARIABLE>
160 <VARIABLE>
170 <VARIABLE>
180 <VARIABLE>
190 permit ip any host 10.13.17.118
200 deny ip any 10.0.0.0 0.255.255.255
210 deny ip any 172.16.0.0 0.15.255.255
220 deny ip any 192.168.0.0 0.0.255.255
230 permit tcp any any eq www

 

This is the default PC port config we use.

#For PC/Phone Ports
int range <VARIABLE>
switchport mode access
switchport access vlan <VARIABLE>
switchport voice vlan <VARIABLE>
auto qos voip trust
authentication open
authentication host-mode multi-domain
authentication control-direction in
authentication violation protect
authentication event fail action next-method
authentication event server dead action authorize
authentication event server alive action reinitialize
authentication port-control auto
authentication timer reauthenticate server
authentication order mab dot1x
authentication priority dot1x mab
authentication periodic
dot1x pae authenticator
ip access unauth in
ip arp inspection limit rate 20 burst interval 4
no logging event link-status
storm-control multicast level 5
storm-control broadcast level 5
storm-control action shutdown
mab

 

 

This is a dACL for our APs. the first line permits any established connection or it will kill incomming.

permit tcp any any established
permit udp any any eq bootpc
permit udp any any eq bootps
permit icmp any any
permit ip any host 10.10.202.73
permit ip any host 10.10.202.74
permit ip any host 10.10.206.106
permit ip any host 10.17.4.222
permit ip any host 10.10.2.222
permit ip any host 10.10.2.224
permit ip any host 10.10.2.225
deny ip any any

View solution in original post

4 Replies 4

So, Windows does need access to the DCs to log in a user. So you can either permit the PC by itself with a dACL, or set an ACL on the ports themselves granting some access to log in if the user doesn't exits.

We have an unauth ACL applied to every PC port that allows minimal access for authentication. If it passes ISE, we send a dACL that overrides the ACL on the switch.

thomas
Cisco Employee
Cisco Employee

See examples in ISE Authentication and Authorization Policy Reference > TEAP-Chaining with Tunneled EAP (TEAP)

If these are not working for you, you must provide actual Live Log errors and explain to us what matched and why it was different from what you were expecting. 

How to Ask The Community for Help 

ifabrizio
Level 3
Level 3

Hi Dustin and Thomas,

Thank you for your reply.

@Dustin AndersonCould you please send me a  DACL example that should permit to the user to log on the PC?

I habe already tryed this way but mu DACL do not works properly, the major obstacle are the RPC ports.

@thomasI see the very helpful example that you post, but I need to see how are done the Authorization profiles:

MachineAuth and Employees and aslo the DACL associated to them, thank you again.

Bye,

JF

 

 

So, we use an unauth ACL on the switch PC port that blocks until auth succeeds instead of a dACL we use the dACL to replace the unauth afterwards.

 

Here is out unauth template we use.

ip access-list extended unauth
10 permit tcp any any established
20 deny tcp any any eq 3389
30 permit ip any host 10.10.201.140
40 permit ip any host 10.10.201.141
50 permit ip any host 10.10.201.142
60 permit ip any host 10.10.201.143
70 permit ip any host 10.10.201.250
80 permit ip any host 10.10.201.251
90 deny tcp any any eq 445
100 permit ip any host 10.10.200.89
110 permit udp any any eq bootps tftp
120 permit udp any host 10.13.1.123 eq ntp
130 permit ip any 224.0.0.0 31.255.255.255
140 permit tcp any any eq 2598
150 <VARIABLE>
160 <VARIABLE>
170 <VARIABLE>
180 <VARIABLE>
190 permit ip any host 10.13.17.118
200 deny ip any 10.0.0.0 0.255.255.255
210 deny ip any 172.16.0.0 0.15.255.255
220 deny ip any 192.168.0.0 0.0.255.255
230 permit tcp any any eq www

 

This is the default PC port config we use.

#For PC/Phone Ports
int range <VARIABLE>
switchport mode access
switchport access vlan <VARIABLE>
switchport voice vlan <VARIABLE>
auto qos voip trust
authentication open
authentication host-mode multi-domain
authentication control-direction in
authentication violation protect
authentication event fail action next-method
authentication event server dead action authorize
authentication event server alive action reinitialize
authentication port-control auto
authentication timer reauthenticate server
authentication order mab dot1x
authentication priority dot1x mab
authentication periodic
dot1x pae authenticator
ip access unauth in
ip arp inspection limit rate 20 burst interval 4
no logging event link-status
storm-control multicast level 5
storm-control broadcast level 5
storm-control action shutdown
mab

 

 

This is a dACL for our APs. the first line permits any established connection or it will kill incomming.

permit tcp any any established
permit udp any any eq bootpc
permit udp any any eq bootps
permit icmp any any
permit ip any host 10.10.202.73
permit ip any host 10.10.202.74
permit ip any host 10.10.206.106
permit ip any host 10.17.4.222
permit ip any host 10.10.2.222
permit ip any host 10.10.2.224
permit ip any host 10.10.2.225
deny ip any any