11-12-2024 04:05 AM - edited 11-12-2024 04:06 AM
Hi all;
Consider the following scenario:
The client is configured as follows:
The target computer and the user both have the required certificates installed, as you can see below:
Now, the client machine is booted up and the following event is recorded on ISE:
Now, the user tries to log in to this client, and the login operation succeeds as expected, but in ISE:
As you can see above, the login operation for the user does not match any of the configured authorization policies. When I click the "Detail" button:
Any ideas?
Thanks
11-12-2024 04:13 AM
There are three conditions for each policy.
Remove two and keep only the EAP-chain condition.
It can be another condition that failed, not EAP chain; remember you use "AND", not "OR".
And for Wired-802.1X, it is already used in the authC policy, so there is no need for it again under the authZ policy.
MHM
11-13-2024 01:08 AM - edited 11-13-2024 01:08 AM
Thanks for your reply;
I do not think the problem relates to the two rules not related to EAP Chaining, as when I removed them, the same problem occurred...
11-12-2024 05:30 AM
Hi
Do you have "user or computer authentication" mode selected on the supplicant?
hth
Andy
11-12-2024 04:26 PM
Additionally, you must verify that you have the certificate issued for the machine as well.
11-13-2024 01:02 AM
Based on my first post, the machine has the required cert...
11-13-2024 01:00 AM
Thanks for your reply;
As you can see, I already enabled the required option:
11-13-2024 05:59 AM
Hi, can you check if this parameter is active in your protocols?
On the other hand, to see the live logs, have you tried restarting services or the node?
11-13-2024 10:43 PM
Thanks for your reply. But I have already enabled this option:
11-13-2024 10:48 PM
in live log detail check
11627 Starting EAP chaining <<-
11-14-2024 01:14 AM - edited 11-15-2024 03:24 AM
This is the full log for the machine authentication:
11001 | Received RADIUS Access-Request - DomainInc. | |
11017 | RADIUS created a new session - domain.com | |
15049 | Evaluating Policy Group - DomainInc. | |
15008 | Evaluating Service Selection Policy - domain.com | |
15048 | Queried PIP - DomainInc. | |
11507 | Extracted EAP-Response/Identity - DomainInc. | |
12756 | Prepared EAP-Request proposing TEAP with challenge | |
12625 | Valid EAP-Key-Name attribute received | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12758 | Extracted EAP-Response containing TEAP challenge-response and accepting TEAP as negotiated | |
12800 | Extracted first TLS record; TLS handshake started | |
12805 | Extracted TLS ClientHello message | |
12806 | Prepared TLS ServerHello message | |
12807 | Prepared TLS Certificate message | |
12808 | Prepared TLS ServerKeyExchange message | |
12809 | Prepared TLS CertificateRequest message | |
12810 | Prepared TLS ServerDone message | |
11596 | Prepared EAP-Request with another TEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
11595 | Extracted EAP-Response containing TEAP challenge-response | |
11596 | Prepared EAP-Request with another TEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
11595 | Extracted EAP-Response containing TEAP challenge-response | |
11596 | Prepared EAP-Request with another TEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
11595 | Extracted EAP-Response containing TEAP challenge-response | |
11596 | Prepared EAP-Request with another TEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
11595 | Extracted EAP-Response containing TEAP challenge-response | |
12810 | Prepared TLS ServerDone message | |
12811 | Extracted TLS Certificate message containing client certificate | |
12812 | Extracted TLS ClientKeyExchange message | |
12803 | Extracted TLS ChangeCipherSpec message | |
12804 | Extracted TLS Finished message | |
12801 | Prepared TLS ChangeCipherSpec message | |
12802 | Prepared TLS Finished message | |
12816 | TLS handshake succeeded | |
11559 | Client certificate was requested but not received inside the tunnel. Will continue with inner method. | |
11620 | TEAP full handshake finished successfully | |
11596 | Prepared EAP-Request with another TEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
11595 | Extracted EAP-Response containing TEAP challenge-response | |
11627 | Starting EAP chaining | |
11573 | Selected identity type 'User' | |
11564 | TEAP inner method started | |
11521 | Prepared EAP-Request/Identity for inner EAP method | |
11596 | Prepared EAP-Request with another TEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
11595 | Extracted EAP-Response containing TEAP challenge-response | |
11567 | Identity type provided by client is equal to requested | |
11522 | Extracted EAP-Response/Identity for inner EAP method | |
12522 | Prepared EAP-Request for inner method proposing EAP-TLS with challenge | |
12625 | Valid EAP-Key-Name attribute received | |
11596 | Prepared EAP-Request with another TEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
11595 | Extracted EAP-Response containing TEAP challenge-response | |
11515 | Supplicant declined inner EAP method selected by Authentication Policy but did not proposed another one; inner EAP negotiation failed | |
11520 | Prepared EAP-Failure for inner EAP method | |
11566 | TEAP inner method finished with failure | |
22028 | Authentication failed and the advanced options are ignored | |
33517 | Sent TEAP Intermediate Result TLV indicating failure | |
11596 | Prepared EAP-Request with another TEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
11595 | Extracted EAP-Response containing TEAP challenge-response | |
11574 | Selected identity type 'Machine' | |
11564 | TEAP inner method started | |
11521 | Prepared EAP-Request/Identity for inner EAP method | |
11596 | Prepared EAP-Request with another TEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
11595 | Extracted EAP-Response containing TEAP challenge-response | |
11567 | Identity type provided by client is equal to requested | |
11522 | Extracted EAP-Response/Identity for inner EAP method | |
12522 | Prepared EAP-Request for inner method proposing EAP-TLS with challenge | |
12625 | Valid EAP-Key-Name attribute received | |
11596 | Prepared EAP-Request with another TEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
11595 | Extracted EAP-Response containing TEAP challenge-response | |
12524 | Extracted EAP-Response containing EAP-TLS challenge-response for inner method and accepting EAP-TLS as negotiated | |
12800 | Extracted first TLS record; TLS handshake started | |
12545 | Client requested EAP-TLS session ticket | |
12546 | The EAP-TLS session ticket received from supplicant. Inner EAP-TLS does not support stateless session resume. Performing full authentication | |
12805 | Extracted TLS ClientHello message | |
12806 | Prepared TLS ServerHello message | |
12807 | Prepared TLS Certificate message | |
12808 | Prepared TLS ServerKeyExchange message | |
12809 | Prepared TLS CertificateRequest message | |
12810 | Prepared TLS ServerDone message | |
12527 | Prepared EAP-Request for inner method with another EAP-TLS challenge | |
11596 | Prepared EAP-Request with another TEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
11595 | Extracted EAP-Response containing TEAP challenge-response | |
12526 | Extracted EAP-Response for inner method containing TLS challenge-response | |
12527 | Prepared EAP-Request for inner method with another EAP-TLS challenge | |
11596 | Prepared EAP-Request with another TEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
11595 | Extracted EAP-Response containing TEAP challenge-response | |
12526 | Extracted EAP-Response for inner method containing TLS challenge-response | |
12527 | Prepared EAP-Request for inner method with another EAP-TLS challenge | |
11596 | Prepared EAP-Request with another TEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
11595 | Extracted EAP-Response containing TEAP challenge-response | |
12526 | Extracted EAP-Response for inner method containing TLS challenge-response | |
12527 | Prepared EAP-Request for inner method with another EAP-TLS challenge | |
11596 | Prepared EAP-Request with another TEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request (Step latency=15046 ms) | |
11018 | RADIUS is re-using an existing session | |
11595 | Extracted EAP-Response containing TEAP challenge-response | |
11596 | Prepared EAP-Request with another TEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
11595 | Extracted EAP-Response containing TEAP challenge-response | |
12526 | Extracted EAP-Response for inner method containing TLS challenge-response | |
12527 | Prepared EAP-Request for inner method with another EAP-TLS challenge | |
11596 | Prepared EAP-Request with another TEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
11595 | Extracted EAP-Response containing TEAP challenge-response | |
12526 | Extracted EAP-Response for inner method containing TLS challenge-response | |
12810 | Prepared TLS ServerDone message | |
12568 | Lookup user certificate status in OCSP cache - certificate for | |
12569 | User certificate status was not found in OCSP cache - certificate for | |
12988 | Take OCSP servers list from OCSP service configuration - certificate for | |
12550 | Sent an OCSP request to the primary OCSP server for the CA - External OCSP Server | |
12561 | Connection to OCSP server failed - certificate for | |
12552 | Conversation with OCSP server ended with failure - certificate for | |
12572 | OCSP response not cached - certificate for | |
12571 | ISE will continue to CRL verification if it is configured for specific CA - certificate for | |
12811 | Extracted TLS Certificate message containing client certificate | |
12812 | Extracted TLS ClientKeyExchange message | |
12813 | Extracted TLS CertificateVerify message | |
12803 | Extracted TLS ChangeCipherSpec message | |
12804 | Extracted TLS Finished message | |
12801 | Prepared TLS ChangeCipherSpec message | |
12802 | Prepared TLS Finished message | |
12816 | TLS handshake succeeded | |
12509 | EAP-TLS full handshake finished successfully | |
12527 | Prepared EAP-Request for inner method with another EAP-TLS challenge | |
11596 | Prepared EAP-Request with another TEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
11595 | Extracted EAP-Response containing TEAP challenge-response | |
12526 | Extracted EAP-Response for inner method containing TLS challenge-response | |
61025 | Open secure connection with TLS peer | |
15041 | Evaluating Identity Policy | |
15048 | Queried PIP - Network Access.EapTunnel | |
22072 | Selected identity source sequence - All_User_ID_Stores | |
22071 | Identity name is taken from AD account Implicit UPN | |
15013 | Selected Identity Source - DomainInc. | |
24433 | Looking up machine in Active Directory - DomainInc. | |
24325 | Resolving identity - Win10-PC2.domain.com | |
24313 | Search for matching accounts at join point - domain.com | |
24362 | Client certificate matches AD account certificate - win10-pc2$@domain.com | |
24319 | Single matching account found in forest - domain.com | |
24323 | Identity resolution detected single matching account | |
24700 | Identity resolution by certificate succeeded - DomainInc. | |
22037 | Authentication Passed | |
12528 | Inner EAP-TLS authentication succeeded | |
11519 | Prepared EAP-Success for inner EAP method | |
11565 | TEAP inner method finished successfully | |
33516 | Sent TEAP Intermediate Result TLV indicating success | |
11596 | Prepared EAP-Request with another TEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
11595 | Extracted EAP-Response containing TEAP challenge-response | |
11637 | Inner method supports EMSK but the client provided only MSK. Allow downgrade as per configuration | |
11576 | TEAP cryptobinding verification passed | |
15036 | Evaluating Authorization Policy | |
24209 | Looking up Endpoint in Internal Endpoints IDStore - WIN10-PC2$@domain.com | |
24211 | Found Endpoint in Internal Endpoints IDStore | |
24433 | Looking up machine in Active Directory - WIN10-PC2$@domain.com | |
24355 | LDAP fetch succeeded | |
24435 | Machine Groups retrieval from Active Directory succeeded | |
24355 | LDAP fetch succeeded | |
24458 | Not all Active Directory attributes are retrieved successfully | |
24100 | Some of the expected attributes are not found on the subject record. The default values, if configured, will be used for these attributes | |
15048 | Queried PIP - DomainInc..ExternalGroups | |
15016 | Selected Authorization Profile - DC_DHCP_ISE_Access | |
11022 | Added the dACL specified in the Authorization Profile | |
22081 | Max sessions policy passed | |
22080 | New accounting session created in Session cache | |
33514 | Sent TEAP Result TLV indicating success | |
11596 | Prepared EAP-Request with another TEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
11595 | Extracted EAP-Response containing TEAP challenge-response | |
11597 | TEAP authentication phase finished successfully | |
11503 | Prepared EAP-Success | |
11002 | Returned RADIUS Access-Accept |
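The step codes in the log above tell the whole story of the boot-time TEAP session: EAP chaining starts (11627), the 'User' inner method is declined by the supplicant because nobody is logged on yet (11515/11566), the 'Machine' inner EAP-TLS succeeds (12528/11565), cryptobinding passes (11576) and the machine-only result is authorized with DC_DHCP_ISE_Access (15016). The script below is an added example, not code from the post or from Cisco: it parses ISE live-log step lines in the "code | message | |" form shown here and reconstructs which identity types completed, so the boot-time result can be confirmed quickly. The sample input is a constructed excerpt of the log posted above. It cannot explain the user logon that is missing from ISE: if no step lines exist for that attempt at all, the RADIUS request never arrived, which points at the NAD rather than the policy set.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: an excerpt of the live-log steps posted above (machine leg at boot).
SAMPLE_LOG = """
11001 | Received RADIUS Access-Request - DomainInc. | |
12756 | Prepared EAP-Request proposing TEAP with challenge | |
11620 | TEAP full handshake finished successfully | |
11627 | Starting EAP chaining | |
11573 | Selected identity type 'User' | |
11515 | Supplicant declined inner EAP method selected by Authentication Policy but did not proposed another one; inner EAP negotiation failed | |
11566 | TEAP inner method finished with failure | |
11574 | Selected identity type 'Machine' | |
11001 | Received RADIUS Access-Request (Step latency=15046 ms) | |
12509 | EAP-TLS full handshake finished successfully | |
24362 | Client certificate matches AD account certificate - win10-pc2$@domain.com | |
12528 | Inner EAP-TLS authentication succeeded | |
11565 | TEAP inner method finished successfully | |
11576 | TEAP cryptobinding verification passed | |
15016 | Selected Authorization Profile - DC_DHCP_ISE_Access | |
11002 | Returned RADIUS Access-Accept |
"""

STEP_RE = re.compile(r"^\s*(\d{5})\s*\|\s*(.*?)\s*(?:\|\s*)*$")   # code | message | (empty cells)
LATENCY_RE = re.compile(r"Step latency=(\d+) ms")
IDENTITY_RE = re.compile(r"Selected identity type '(\w+)'")


@dataclass
class InnerMethod:
    identity_type: str          # 'User' or 'Machine'
    result: str = "pending"     # 'success' | 'failed' | 'pending'
    reason: str = ""            # ISE message that decided the result


@dataclass
class Summary:
    outer_method: Optional[str] = None
    chaining: bool = False
    inner: list = field(default_factory=list)
    cryptobinding_ok: bool = False
    authz_profile: Optional[str] = None
    final: str = "unknown"      # 'accept' | 'reject' | 'unknown'
    max_step_latency_ms: int = 0


def parse_steps(text: str):
    """Turn '<code> | <message> | |' lines into (code, message) pairs, dropping the empty cells."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append((m.group(1), m.group(2)))
    return steps


def summarize(steps) -> Summary:
    """Walk the step codes in order and record what each TEAP inner method did."""
    s = Summary()
    current: Optional[InnerMethod] = None
    for code, msg in steps:
        if code == "12756":                        # Prepared EAP-Request proposing TEAP
            s.outer_method = "TEAP"
        elif code == "11627":                      # Starting EAP chaining
            s.chaining = True
        elif code in ("11573", "11574"):           # Selected identity type 'User' / 'Machine'
            m = IDENTITY_RE.search(msg)
            current = InnerMethod(m.group(1) if m else "?")
            s.inner.append(current)
        elif code == "11515" and current:          # supplicant declined the inner method
            current.result, current.reason = "failed", msg
        elif code == "11566" and current and current.result == "pending":
            current.result, current.reason = "failed", msg
        elif code == "11565" and current:          # TEAP inner method finished successfully
            current.result, current.reason = "success", msg
        elif code == "11576":                      # TEAP cryptobinding verification passed
            s.cryptobinding_ok = True
        elif code == "15016":                      # Selected Authorization Profile - <name>
            s.authz_profile = msg.split(" - ", 1)[1] if " - " in msg else msg
        elif code == "11002":                      # Returned RADIUS Access-Accept
            s.final = "accept"
        elif code == "11003":                      # Returned RADIUS Access-Reject
            s.final = "reject"
        if code == "11001":                        # Access-Request may carry a step latency
            lm = LATENCY_RE.search(msg)
            if lm:
                s.max_step_latency_ms = max(s.max_step_latency_ms, int(lm.group(1)))
    return s


def chaining_outcome(s: Summary) -> dict:
    """identity type -> result; shows at a glance which leg of the chain completed."""
    return {m.identity_type: m.result for m in s.inner}


if __name__ == "__main__":
    summary = summarize(parse_steps(SAMPLE_LOG))
    print("outer:", summary.outer_method, "chaining:", summary.chaining, chaining_outcome(summary))
    print("cryptobinding:", summary.cryptobinding_ok, "authz:", summary.authz_profile,
          "final:", summary.final, "max step latency:", summary.max_step_latency_ms, "ms")
```

Paste the full step list from the "Detail" view into SAMPLE_LOG (or read it from a file) and the output shows {'User': 'failed', 'Machine': 'success'} for the boot-time session. The 15 s step latency on the second 11001 line is the supplicant's side of the exchange, not ISE's, and is worth watching because long gaps in EAP conversations are where NAD timers start to interfere.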
11-14-2024 12:00 PM
Collect an endpoint debug for Client and TCP dump from NAD under Operations > Diagnostic tools. Any clues?
What happens if you add an 'and' to also check AD for computer under your 'user and computer' AuthZ? I only see user condition.
11-15-2024 05:31 AM - edited 11-15-2024 05:32 AM
After conducting an in-depth investigation, I discovered that after the user logs in, the operating system enters the authentication phase by sending six consecutive EAPoL-Start messages without receiving any response from the switch. At this point, after approximately one minute, the endpoint repeats this process and then stops sending EAPoL-Start messages.
From this finding, I concluded that the issue lies with the switch, not the operating system. Consequently, I proceeded with my investigation by analyzing the switch's configuration. Initially, I removed all unnecessary 802.1X configurations from the endpoint-facing interface and tested again. This time, everything worked perfectly! I realized that one or more configurations on the interface were causing the issue. After thoroughly examining all the commands, I identified the one causing the problem: dot1x timeout ratelimit-period. This command, dot1x timeout ratelimit-period, defines the rate limit period, which throttles EAP-START packets from misbehaving supplicants. By using this command, the switch interprets the second round of EAPoL-Start messages from the endpoint (during user authentication) as coming from a malfunctioning endpoint and subsequently throttles the messages.
Conclusion: If you are using user-based authentication alongside computer authentication, avoid using the dot1x timeout ratelimit-period command.
Thanks
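The solution above pins the missing user authentication on EAPoL-Start throttling. The following is an added example, not code from the post or from Cisco, that models that behaviour so the symptom can be reproduced on paper: on Catalyst switches, dot1x timeout ratelimit-period <seconds> makes the port ignore EAPoL-Start frames from a client that has already authenticated successfully for the configured number of seconds (0, the default, disables the throttle). The model is a simplification of that rule; the timings (machine Access-Accept 5 s after boot, user logon 30 s after boot, 1 s between Starts) are assumptions, while six Starts per round and a single retry about a minute later are the numbers the post observed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed timings for the model (assumptions, not measurements).
MACHINE_BOOT_T = 0.0        # first EAPoL-Start after boot
MACHINE_AUTH_DONE_T = 5.0   # machine TEAP leg reaches Access-Accept (assumed)
USER_LOGON_T = 30.0         # user logs on; supplicant begins the user leg (assumed)
STARTS_PER_BURST = 6        # six EAPoL-Starts per round, as observed in the post
BURST_SPACING = 1.0         # seconds between Starts inside a burst (assumed)
RETRY_GAP = 60.0            # one retry about a minute later, as observed in the post
RETRIES = 1                 # after the retry the supplicant gives up


@dataclass
class AuthenticatorPort:
    """Minimal switch-port model: answer EAPoL-Start with EAP-Request/Identity unless throttled."""
    ratelimit_period: int               # dot1x timeout ratelimit-period <seconds>; 0 = disabled
    last_success_at: Optional[float] = None
    log: list = field(default_factory=list)

    def eapol_start(self, t: float) -> bool:
        # Throttle rule as documented: ignore Starts from a client that authenticated
        # successfully less than ratelimit_period seconds ago.
        throttled = (self.ratelimit_period > 0
                     and self.last_success_at is not None
                     and t - self.last_success_at < self.ratelimit_period)
        if throttled:
            self.log.append((t, "EAPoL-Start ignored (ratelimit-period)"))
            return False
        self.log.append((t, "EAP-Request/Identity sent -> RADIUS session on ISE"))
        return True

    def auth_success(self, t: float) -> None:
        self.last_success_at = t


def supplicant_leg(port: AuthenticatorPort, t0: float) -> dict:
    """Send Starts in a burst until one is answered; retry once after RETRY_GAP, then stop."""
    sent = answered = 0
    for round_no in range(RETRIES + 1):
        base = t0 + round_no * RETRY_GAP
        for i in range(STARTS_PER_BURST):
            sent += 1
            if port.eapol_start(base + i * BURST_SPACING):
                answered += 1
                return {"sent": sent, "answered": answered}
    return {"sent": sent, "answered": answered}


def simulate(ratelimit_period: int) -> dict:
    """Machine leg at boot, then the user leg at logon, on one port with the given throttle."""
    port = AuthenticatorPort(ratelimit_period)
    machine = supplicant_leg(port, MACHINE_BOOT_T)
    if machine["answered"]:
        port.auth_success(MACHINE_AUTH_DONE_T)      # machine leg reached Access-Accept
    user = supplicant_leg(port, USER_LOGON_T)
    return {"machine": machine, "user": user,
            "user_session_on_ise": user["answered"] > 0, "events": port.log}


if __name__ == "__main__":
    for period in (0, 300):
        r = simulate(period)
        print(f"ratelimit-period {period:>3}: machine {r['machine']}, user {r['user']}, "
              f"user session reaches ISE: {r['user_session_on_ise']}")
```

With the throttle disabled the first user EAPoL-Start is answered and ISE sees a new session; with ratelimit-period 300 (an assumed value) all twelve user Starts fall inside the window opened by the machine Access-Accept, so the switch never sends an Access-Request and ISE's live log stays empty for the user, which is exactly the symptom in the thread. Because the gap between machine authentication and user logon is not under the administrator's control, removing the command on the endpoint-facing interface (no dot1x timeout ratelimit-period) is the dependable fix when user and machine chaining is in use.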