1292 Views | 5 Helpful | 12 Replies

user stuck on machine auth policy

Meuserid1979
Level 1

Hi experts,

I'm doing some wired 802.1X setup + posturing with ISE 2.1. Authentication should go something like:

1st - corporate laptops should undergo machine auth

2nd - after the user logs in, assuming the system is compliant, it will go to the compliant policy, then will be assigned to a specific VLAN and will be permitted on the network

During testing this is what's happening: I can see that the laptop is authenticated successfully, but upon user login I can see that the user is stuck at the machine auth policy and doesn't proceed to the compliant policy. Anybody have an idea what is happening?

I know upon user login the user should be authorized and assigned to the compliant policy, but it's not happening.

Thanks,

Chris

1 Accepted Solution


12 Replies

ognyan.totev
Level 5

What kind of authentication do you do on the Windows machine, computer or user authentication or both? In my deployment I did both computer and user authentication with dot1x with certificates. First the machine authenticates and after that the user. But let us see what kind of policy you created.

Hi Sabev,

Thanks for the reply. I believe "machine and user connection" is the one selected in NAM. Is there any config on the switch that can affect this behaviour?

Thanks

If you have successful computer auth I think your switch is properly configured. In the authorization policy it is important where you put computer auth and user auth; by default ISE uses first match rule apply, if you have not configured multiple match rule apply.

That's why I ask where you put user auth. It must be before machine auth. When the machine starts authenticating it will match the machine authentication rule, and after the user logs in it will match user auth if that rule is above the machine one. But if it is not, it will always apply machine auth, because by default it applies the first match rule. That's why I ask you for a picture of the policy.

On the authorization policy sequence, the compliant user authorization policy is on top of the machine auth. It's something like:

compliant user auth

non-compliant user auth

unknown user auth

machine auth

On live logs I can see successful machine authentication and it's matching the configured machine auth profile. But even if the user has already logged in on the laptop I don't see it hitting the compliant user auth, which I'm expecting. The laptop we are using to test is already compliant, so the 2 policies in between can be ignored as per troubleshooting.

No authentication error as well. It just stays stuck on the machine auth profile.

So far we tried rebooting the laptop a few times and rebooting the switch as well.

Thanks,

Chris

You need to submit a posture report before you can evaluate whether the user is compliant. The posture module doesn't run until the user is logged in. If you have your NAM and policies set up correctly, along with the correct switch redirect ACL for posture discovery, you should see:

Computer Auth

User Unknown

Posture Module starts up after login does posture discovery

Finds the correct PSN to report posture to

Transition to User Compliant or User NonCompliant based on posture report

Also, if you are saying you are doing Machine AND User in NAM, that is EAP chaining. Are you sure you are set up correctly for EAP chaining?
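To make the two points in this thread concrete, the first-match ordering Ognyan describes and the Computer Auth, User Unknown, then Compliant/NonCompliant sequence in this answer, here is a small Python model of top-down rule evaluation. It is an added illustration, not ISE's policy engine and not code from anyone in this thread; the session fields (identity, machine_authenticated, posture), rule names and profile names are illustrative assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Session:
    """What the policy engine knows about one endpoint session at a given moment.
    Field names are illustrative assumptions, not ISE's attribute dictionary."""
    identity: str                   # "machine" or "user": the identity authenticated last
    machine_authenticated: bool = False
    posture: str = "Unknown"        # "Unknown", "Compliant" or "NonCompliant"


@dataclass
class Rule:
    name: str
    condition: Callable[[Session], bool]
    profile: str                    # authorization profile returned on a hit (illustrative)


def first_match(policy: List[Rule], session: Session) -> Optional[str]:
    """Top-down evaluation: the first rule whose condition holds wins (the ISE default)."""
    for rule in policy:
        if rule.condition(session):
            return rule.name
    return None


# The order Chris describes: the three user rules above the machine rule.
GOOD_POLICY = [
    Rule("compliant user auth", lambda s: s.identity == "user" and s.posture == "Compliant", "PERMIT_CORP_VLAN"),
    Rule("non-compliant user auth", lambda s: s.identity == "user" and s.posture == "NonCompliant", "QUARANTINE"),
    Rule("unknown user auth", lambda s: s.identity == "user" and s.posture == "Unknown", "POSTURE_REDIRECT"),
    Rule("machine auth", lambda s: s.identity == "machine", "MACHINE_ACCESS"),
]

# A broken order: a machine rule on top whose condition stays true after user login,
# so it shadows every user rule below it (Ognyan's warning about first match).
SHADOWED_POLICY = [
    Rule("machine auth", lambda s: s.machine_authenticated, "MACHINE_ACCESS"),
] + GOOD_POLICY[:3]


def walk_flow(policy: List[Rule], user_reauthenticates: bool, posture_result: str) -> List[Optional[str]]:
    """Rule hit at three moments: after boot (machine auth), after user login
    (posture not yet reported, so Unknown), and after the posture report arrives."""
    s = Session(identity="machine", machine_authenticated=True)
    hits = [first_match(policy, s)]
    if user_reauthenticates:
        s.identity = "user"          # user authentication at login; posture is still Unknown
    hits.append(first_match(policy, s))
    if user_reauthenticates:
        s.posture = posture_result   # the posture module only reports after login
    hits.append(first_match(policy, s))
    return hits


if __name__ == "__main__":
    for label, policy, reauth in [
        ("expected flow", GOOD_POLICY, True),
        ("no user authentication at login", GOOD_POLICY, False),
        ("machine rule shadows user rules", SHADOWED_POLICY, True),
    ]:
        print(f"{label}: {walk_flow(policy, reauth, 'Compliant')}")
```

The second scenario reproduces the symptom in the question: if nothing re-authenticates the session as the user at login, the session keeps its machine identity and keeps matching the machine rule no matter where the user rules sit. The third shows the other way to get stuck, a machine rule placed above the user rules. In the healthy flow the user first lands on the unknown rule (posture not yet reported) and only moves to compliant once the report is in, which is the order of checks the answer lists.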

The user is already logged in and the test laptop we are using is already compliant. But it doesn't go to the next authorization rule, which is the compliant one.

Also, it's already working for wireless.

Thanks

How does ISE know it is compliant? Did the device successfully submit a posture report from the wired MAC?

Hi Paul,

OK, I'm assuming that the test laptop is compliant. If the endpoint's MAC address has no entry in the posture report, does it mean it's not compliant?

Thanks

Chris

A MAC address is compliant if it submits a posture report that is compliant with what you are looking for. If you don't see a MAC address in the posture report then it should be Unknown, since it hasn't reported posture yet.

Hi Paul,

Thanks for the help.

Chris