Wireless Authentication using ISE and SAML authentication with AzureAD

russell.sage
Level 1

We want wireless users to be authenticated using our Microsoft Azure AD and MS Intune using SAML.

We have set up the attached PoC network. The user connects to a Meraki AP on a unique SSID using the Meraki walled garden feature. ISE, using CWA, redirects the clients to a guest portal which in turn directs the clients to login.microsoftonline.com. The user enters their corporate email address and is redirected to the company instance of Microsoft. The user re-enters their corporate email and AD password. If the machine is not in Intune then Azure AD triggers MFA. If it's a corporate machine in Intune, MFA is not triggered.

At this point the client is redirected back to the portal and it throws a 400 error: "The request is invalid due to malformed syntax or invalid data".

In the ISE RADIUS logs the authentication using SAML is passed. The MAC address is replaced by my payroll number. However, ISE doesn't send the RADIUS Access-Accept message back to the AP to release me from the walled garden.

I have collected guest debug logs and, looking at these, I don't see the cause of the error. Everything in the log looks good, though I am no expert in ISE debug logs.

Anyone else tried this?

and testing has got us to the point where the ISE RADIUS logs state the user is authenticated. I can see my company payroll as

3 Replies

Tariq Mahmoud
Level 1

I didn't test this, but I know that the error message you are getting is usually related to DNS.

Prepare a PC with Wireshark, collect captures using the PC and trigger the flow. Check both the HTTP redirect and DNS flows. This should give you more details about this behaviour.

I don't think it's DNS. DNS has resolved the portal address, login.microsoftlogin.com and the company instance. Looking at the debug logs, it's either a bug or the software can't do what we want.

2023-03-16 11:21:37,494 DEBUG [https-jsse-nio-10.49.134.250-8443-exec-4][] cpm.guestaccess.flowmanager.processor.PortalFlowProcessor -::- After executeStepAction(SSO_LOGIN), returned Enum: LOGIN_PASS
2023-03-16 11:21:37,494 DEBUG [https-jsse-nio-10.49.134.250-8443-exec-4][] cpm.guestaccess.flowmanager.step.StepExecutor -::- Getting next flow step for SSO_LOGIN with TranEnum=LOGIN_PASS
2023-03-16 11:21:37,494 DEBUG [https-jsse-nio-10.49.134.250-8443-exec-4][] cpm.guestaccess.flowmanager.step.StepExecutor -::- StepTran for Step=SSO_LOGIN=> tranEnum=LOGIN_PASS, toStep=AUP
2023-03-16 11:21:37,494 DEBUG [https-jsse-nio-10.49.134.250-8443-exec-4][] cpm.guestaccess.flowmanager.step.StepExecutor -::- Find Next Step=AUP
2023-03-16 11:21:37,494 DEBUG [https-jsse-nio-10.49.134.250-8443-exec-4][] cpm.guestaccess.flowmanager.step.StepExecutor -::- Getting next flow step for AUP with TranEnum=AUP_ACCEPTED
2023-03-16 11:21:37,494 DEBUG [https-jsse-nio-10.49.134.250-8443-exec-4][] cpm.guestaccess.flowmanager.step.StepExecutor -::- StepTran for Step=AUP=> tranEnum=AUP_ACCEPTED, toStep=CHANGE_PASSWORD
2023-03-16 11:21:37,494 DEBUG [https-jsse-nio-10.49.134.250-8443-exec-4][] cpm.guestaccess.flowmanager.step.StepExecutor -::- Find Next Step=CHANGE_PASSWORD
2023-03-16 11:21:37,494 DEBUG [https-jsse-nio-10.49.134.250-8443-exec-4][] guestaccess.flowmanager.step.guest.ChangePwdStepExecutor -::- isInternalUser=false, firstPwdChange=false
2023-03-16 11:21:37,494 DEBUG [https-jsse-nio-10.49.134.250-8443-exec-4][] guestaccess.flowmanager.step.guest.ChangePwdStepExecutor -::- isInternalUser=false, firstPwdChange=false
2023-03-16 11:21:37,494 DEBUG [https-jsse-nio-10.49.134.250-8443-exec-4][] cpm.guestaccess.flowmanager.step.StepExecutor -::- Getting next flow step for CHANGE_PASSWORD with TranEnum=CHANGE_PWD_OK
2023-03-16 11:21:37,494 DEBUG [https-jsse-nio-10.49.134.250-8443-exec-4][] cpm.guestaccess.flowmanager.step.StepExecutor -::- StepTran for Step=CHANGE_PASSWORD=> tranEnum=CHANGE_PWD_OK, toStep=MAX_DEVICES
2023-03-16 11:21:37,494 DEBUG [https-jsse-nio-10.49.134.250-8443-exec-4][] cpm.guestaccess.flowmanager.step.StepExecutor -::- Find Next Step=MAX_DEVICES
2023-03-16 11:21:37,494 DEBUG [https-jsse-nio-10.49.134.250-8443-exec-4][] com.cisco.ise.portalSessionManager.PortalSession -::- Putting data in PortalSession with key and value: GuestFlow.isByodEnabledForAutoDevReg false
2023-03-16 11:21:37,494 DEBUG [https-jsse-nio-10.49.134.250-8443-exec-4][] com.cisco.ise.portalSessionManager.PortalSession -::- Putting data in PortalSession with key : GuestFlow.isByodEnabledForAutoDevReg
2023-03-16 11:21:37,494 DEBUG [https-jsse-nio-10.49.134.250-8443-exec-4][] guestaccess.flowmanager.step.guest.AutoDevRegStepExecutor -::- macAddr= 00:24:D7:DE:0F:C4
2023-03-16 11:21:37,494 ERROR [https-jsse-nio-10.49.134.250-8443-exec-4][] cpm.guestaccess.flowmanager.processor.PortalFlowProcessor -::- getNextTransition: null
java.lang.NullPointerException

ISE gets the user ID from Azure AD and the SSO login passes. It then attempts to follow the guest flow but crashes when it comes back from adding the client device's MAC address to the relevant store.
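Reading through a long guest debug log by hand to find where the portal flow died is tedious; the following is an added example (not from this thread or from Cisco) that reconstructs the step-transition chain from lines in the same format as the excerpt above and reports the step in which the first ERROR was logged. The sample log is constructed, and its IP and MAC values are made up.

```python
import re

# Constructed sample in the shape of the ISE guest debug excerpt above (IP/MAC values are made up).
SAMPLE_LOG = """\
2023-03-16 11:21:37,494 DEBUG [https-jsse-nio-10.0.0.1-8443-exec-4][] cpm.guestaccess.flowmanager.step.StepExecutor -::- StepTran for Step=SSO_LOGIN=> tranEnum=LOGIN_PASS, toStep=AUP
2023-03-16 11:21:37,494 DEBUG [https-jsse-nio-10.0.0.1-8443-exec-4][] cpm.guestaccess.flowmanager.step.StepExecutor -::- Find Next Step=AUP
2023-03-16 11:21:37,494 DEBUG [https-jsse-nio-10.0.0.1-8443-exec-4][] cpm.guestaccess.flowmanager.step.StepExecutor -::- StepTran for Step=AUP=> tranEnum=AUP_ACCEPTED, toStep=CHANGE_PASSWORD
2023-03-16 11:21:37,494 DEBUG [https-jsse-nio-10.0.0.1-8443-exec-4][] cpm.guestaccess.flowmanager.step.StepExecutor -::- Find Next Step=CHANGE_PASSWORD
2023-03-16 11:21:37,494 DEBUG [https-jsse-nio-10.0.0.1-8443-exec-4][] cpm.guestaccess.flowmanager.step.StepExecutor -::- StepTran for Step=CHANGE_PASSWORD=> tranEnum=CHANGE_PWD_OK, toStep=MAX_DEVICES
2023-03-16 11:21:37,494 DEBUG [https-jsse-nio-10.0.0.1-8443-exec-4][] cpm.guestaccess.flowmanager.step.StepExecutor -::- Find Next Step=MAX_DEVICES
2023-03-16 11:21:37,494 DEBUG [https-jsse-nio-10.0.0.1-8443-exec-4][] guestaccess.flowmanager.step.guest.AutoDevRegStepExecutor -::- macAddr= 00:11:22:33:44:55
2023-03-16 11:21:37,494 ERROR [https-jsse-nio-10.0.0.1-8443-exec-4][] cpm.guestaccess.flowmanager.processor.PortalFlowProcessor -::- getNextTransition: null
java.lang.NullPointerException
"""

# One log record: "<date> <time> <LEVEL> [<thread>][] <logger> -::- <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<level>[A-Z]+) \[(?P<thread>[^\]]+)\]\[\] (?P<logger>\S+) -::- (?P<msg>.*)$")
TRAN_RE = re.compile(r"StepTran for Step=(?P<step>\w+)=> tranEnum=(?P<tran>\w+), toStep=(?P<to>\w+)")
NEXT_RE = re.compile(r"Find Next Step=(?P<step>\w+)")

def analyse_guest_flow(text):
    """Rebuild the portal flow's step chain and report where it stopped.

    Returns the ordered (step, transition, next_step) tuples, the last step the
    flow entered, and the first ERROR record with any exception lines after it.
    """
    transitions, last_step, error = [], None, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            # Exception/stack-trace lines carry no timestamp prefix; attach them to the error.
            if error is not None and raw.strip():
                error["detail"].append(raw.strip())
            continue
        msg = m.group("msg")
        if t := TRAN_RE.search(msg):
            transitions.append((t["step"], t["tran"], t["to"]))
        elif n := NEXT_RE.search(msg):
            last_step = n["step"]
        if m.group("level") == "ERROR" and error is None:
            error = {"step": last_step, "logger": m.group("logger"), "msg": msg, "detail": []}
    return {"transitions": transitions, "last_step": last_step, "error": error}

if __name__ == "__main__":
    r = analyse_guest_flow(SAMPLE_LOG)
    for step, tran, to in r["transitions"]:
        print(f"{step} --{tran}--> {to}")
    if r["error"]:
        print(f"flow stopped in step {r['error']['step']}: {r['error']['msg']} ({' '.join(r['error']['detail'])})")
```

Run against a real guest debug export, the last step reported before the ERROR is the one whose executor to raise with TAC (here MAX_DEVICES, reached right after the MAC address was handled).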
