[Q] Identity Sequence issue causes MAB to auth against AD ??

pmchandler
Level 1

We have a strange issue whereby some users have suddenly failed to correctly authenticate against ACS 5.1 - we can't work out why, as nothing has changed, and would greatly appreciate your help.

We have dot1x configured on our network with MAB fallback. We haven't yet rolled out dot1x to the clients even though the network is set up for this. In the meantime, we are using MAC Authentication Bypass. We do use 802.1x for wireless though.

I have set up the following Identity Sequence:

AD1 (this is set up as our AD servers for 802.1X user and machine auth)

SecurID Server (we don't use this yet either)

Internal Users (this is just used to authenticate ciscoworks)

Internal Hosts (this contains the list of allowed MAC addresses)

Typically what we have seen today is a user initially authenticates successfully by matching the Internal Hosts identity store, but then an hour later, re-authentication fails as the MAC address matches the AD1 id store and subsequently fails due to the MAC address not being present within AD.

Here is the successful connection entry (all MAC addresses substituted for the originals)...

Steps

11001  Received RADIUS Access-Request

11017  RADIUS created a new session

11027  Detected Host Lookup UseCase (Service-Type = Call Check (10))

Evaluating Service Selection Policy

15004  Matched rule

15012  Selected Access Service - Network Access

Evaluating Identity Policy

15006  Matched Default Rule

15013  Selected Identity Store - Internal Hosts

24432  Looking up user in Active Directory - 00-1B-78-00-33-00

24412  User not found in Active Directory

24559  Searching for user in the RSA identity store.

24556  User record was not found in the cache.

24210  Looking up User in Internal Users IDStore - 00-1B-78-00-33-00

24216  The user is not found in the internal users identity store.

24209  Looking up Host in Internal Hosts IDStore - 00-1B-78-00-33-00

24211  Found Host in Internal Hosts IDStore

22037  Authentication Passed

22023  Proceed to attribute retrieval

24432  Looking up user in Active Directory - 00-1B-78-00-33-00

24412  User not found in Active Directory

22016  Identity sequence completed iterating the IDStores

Evaluating Group Mapping Policy

24423  ACS has not been able to confirm previous successful machine authentication for user in Active Directory

Evaluating Exception Authorization Policy

15042  No rule was matched

Evaluating Authorization Policy

15004  Matched rule

15016  Selected Authorization Profile - MAB-PC

11022  Added the dACL specified in the Authorization Profile

11002  Returned RADIUS Access-Accept

Here is the failed connection entry....

Steps

11001  Received RADIUS Access-Request

11017  RADIUS created a new session

11027  Detected Host Lookup UseCase (Service-Type = Call Check (10))

Evaluating Service Selection Policy

15004  Matched rule

15012  Selected Access Service - Network Access

Evaluating Identity Policy

15006  Matched Default Rule

15013  Selected Identity Store - AD1

24432  Looking up user in Active Directory - 00-1B-78-00-33-00

24416  User's Groups retrieval from Active Directory succeeded

22037  Authentication Passed

22023  Proceed to attribute retrieval

22038  Skipping the next IDStore for attribute retrieval because it is the one we authenticated against

22016  Identity sequence completed iterating the IDStores

Evaluating Group Mapping Policy

24423  ACS has not been able to confirm previous successful machine authentication for user in Active Directory

Evaluating Exception Authorization Policy

15042  No rule was matched

Evaluating Authorization Policy

15006  Matched Default Rule

15016  Selected Authorization Profile - DenyAccess

15039  Selected Authorization Profile is DenyAccess

11003  Returned RADIUS Access-Reject

Any help greatly appreciated!

5 Replies

camejia
Level 3

Hello Paul,

Are you sure that the MAC Address 00-1B-78-00-33-00 had not been created as an AD Account? The success logs show:

24432  Looking up user in Active Directory - 00-1B-78-00-33-00

24412  User not found in Active Directory

However, the failure shows:

24432  Looking up user in Active Directory - 00-1B-78-00-33-00

24416  User's Groups retrieval from Active Directory succeeded

It seems that the ACS was able to find the MAC Address 00-1B-78-00-33-00 on the AD Domain.

Also, the failed authentication is due to the Authorization Rule. Which conditions have you defined under the Authorization Rule "MAB-PC"?

Please check the following:

1) Was the MAC Address created on the AD Domain as a valid account?

2) Which conditions are defined under the authorization rule MAB-PC in order to match it?

Regards.

1) Are you sure that the MAC Address 00-1B-78-00-33-00 had not been created as an AD Account?

Yes, I checked with the guy that manages the AD servers and he assures us there is no record anywhere of any MAC addresses in AD. I have done my own search and can't find anything in there either. Also, the timestamps of these two authentication attempts are 09:36 and 10:36 (or something like that) and we know we definitely didn't make any changes to AD in that time window.

2) Which conditions have you defined under the Authorization Rule "MAB-PC"?

===== AUTHORIZATION POLICY =====

General
Name: MAB-PC
Status: Enabled

Conditions
[TICKED] NDG:Location in All Locations:AP
[NOT TICKED] AD1:ExternalGroups -ANY-
[TICKED] Compound Condition:
Dictionary AD-AD1 Attribute [blank]

Current Condition Set:
Internal Hosts:HostIdentityGroup in AllGroups:NoDot1xClient

Results
Authorization Profiles
MAB-PC
===== IDENTITY GROUP =====
Name: NoDot1xClient
Info: This group is assigned to all MAC address Hosts which do not have dot1x enabled.
===== AUTHORIZATION PROFILE =====

Authorization Profile
Name: MAB-PC
Downloadable ACL Name - Static - Value [Permit-IP]
VLAN ID/Name - Static - User-trusted

===== Downloadable ACLs ======

Name - Permit-IP
Downloadable ACL Content: Permit IP Any Any

Paul,

From the logs, I suspect that for some reason the ACS is able to authenticate the MAC Address against the AD, therefore, failing the authorization condition match at "Current Condition Set:Internal Hosts:HostIdentityGroup in AllGroups:NoDot1xClient".

The ACS will end up hitting the Deny Access rule as it was not able to comply with the condition for the MAB-PC authorization rule.

We should dig further trying to determine why the MAC Address is getting authenticated by AD instead of Internal Hosts.

Regards.

Hi Carlos, thanks for your help. Do you have any suggestions for how we can determine why the MAC address is getting authenticated by AD?

To help me understand the nature of the issue a bit more, could you help me with the following queries about how 802.1X and ACS works?

If a switch is configured for dot1x with MAB fallback as ours is, does the switch still send the MAC address for a dot1x-enabled client as well as the user and host AD credentials even though the MAC address is not required for auth in this case?

For the same switch and a client with dot1x DISABLED, does the switch forward just the MAC address to ACS?

If the switch invokes MAB and passes just the MAC address to ACS, does ACS still run the MAC address through the full identity store sequence which starts with AD1, even though dot1x is not running (and therefore AD matching is not relevant)?

Ultimately, I am trying to decide if

a) ACS is passing non-dot1x credentials (namely the MAC address) to AD erroneously or

b) if AD is responding (correctly or incorrectly) with a match or

c) if AD is rejecting the MAC address but the rejection message isn't triggering the next iteration in the identity store sequence.

Hello Paul,

If a switch is configured for dot1x with MAB fallback as ours is, does  the switch still send the MAC address for a dot1x-enabled client as well  as the user and host AD credentials even though the MAC address is not  required for auth in this case?

A switchport configured for 802.1x with MAB fallback will first send an EAPOL Start message. An 802.1x enabled client would be able to provide the appropriate User and Host information and get authenticated via 802.1x. No MAC address will be sent at this point.

For the same switch and a client with dot1x DISABLED, does the switch forward just the MAC address to ACS?

Yes, the switch will send the EAPOL Start messages to the 802.1x Disabled client. It will not be able to respond to the switchport request. After the retries the switchport will fallback to MAB and expect the client to send the MAC Address to get authenticated.

If the switch invokes MAB and passes just the MAC address to ACS, does  ACS still run the MAC address through the full identity store sequence  which starts with AD1, even though dot1x is not running (and therefore  AD matching is not relevant)?

Yes, the ACS will still run the authentication against all the databases specified in the Identity Store Sequence from top to bottom.

Ultimately, I am trying to decide if

a) ACS is passing non-dot1x credentials (namely the MAC address) to AD erroneously ---> Do not think this might be the case as it will always pass the credentials to every database in the specified order

b) if AD is responding (correctly or incorrectly) with a match ---> We know this one is happening.

c) if AD is rejecting the MAC address but the rejection message isn't triggering the next iteration in the identity store sequence. ----> Do not think AD is rejecting the MAC Address based on:

24432  Looking up user in Active Directory - 00-1B-78-00-33-00

24416  User's Groups retrieval from Active Directory succeeded

At this point I have no suggestions on how to determine if the MAC Address is being properly authenticated on the AD side.
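As an added illustration (not code from the thread or from Cisco ACS), the following Python model reproduces the identity-sequence and authorization behaviour Carlos describes: the first store in the sequence that knows the identity authenticates it, attribute retrieval skips the store already authenticated against, and the MAB-PC rule only matches when the Internal Hosts HostIdentityGroup attribute is present. The store and rule names come from the thread; the AD record contents and the attribute-retrieval list are assumptions.

```python
# Added example: a toy model of the ACS 5.x identity sequence from the thread.
from typing import Dict, List, Optional, Tuple

MAC = "00-1B-78-00-33-00"  # the substituted MAC address quoted in the thread

def run_identity_sequence(stores: Dict[str, Dict[str, dict]], auth_order: List[str],
                          attr_stores: List[str], identity: str) -> Tuple[Optional[str], dict]:
    """First store in auth_order that holds the identity authenticates it and ACS
    stops iterating. Attributes come from that store plus attr_stores, skipping the
    store already authenticated against (step 22038 in the thread)."""
    authenticated_by: Optional[str] = None
    attrs: Dict[str, str] = {}
    for store in auth_order:
        rec = stores[store].get(identity)
        if rec is not None:
            authenticated_by = store
            attrs.update({f"{store}:{k}": v for k, v in rec.items()})
            break
    if authenticated_by is None:
        return None, {}
    for store in attr_stores:
        if store == authenticated_by:
            continue
        rec = stores[store].get(identity)
        if rec:
            attrs.update({f"{store}:{k}": v for k, v in rec.items()})
    return authenticated_by, attrs

def authorize(rules: List[Tuple[str, dict]], attrs: dict) -> str:
    """Rules are (profile, {attribute: required value}); the first rule whose
    conditions all hold wins, otherwise the default DenyAccess profile applies."""
    for profile, conditions in rules:
        if all(attrs.get(k) == v for k, v in conditions.items()):
            return profile
    return "DenyAccess"

RULES = [("MAB-PC", {"Internal Hosts:HostIdentityGroup": "AllGroups:NoDot1xClient"})]
AUTH_ORDER = ["AD1", "SecurID", "Internal Users", "Internal Hosts"]
ATTR_STORES = ["AD1"]  # assumption: only AD1 is in the attribute-retrieval list

def evaluate(mac_known_to_ad: bool) -> Tuple[Optional[str], str]:
    """Returns (store that authenticated the MAC, authorization profile selected)."""
    stores: Dict[str, Dict[str, dict]] = {"AD1": {}, "SecurID": {}, "Internal Users": {},
        "Internal Hosts": {MAC: {"HostIdentityGroup": "AllGroups:NoDot1xClient"}}}
    if mac_known_to_ad:  # constructed: some AD object answers to the MAC
        stores["AD1"][MAC] = {"ExternalGroups": "Domain Computers"}
    store, attrs = run_identity_sequence(stores, AUTH_ORDER, ATTR_STORES, MAC)
    return store, authorize(RULES, attrs)
```

`evaluate(False)` reproduces the 09:36 success (Internal Hosts, MAB-PC) and `evaluate(True)` the 10:36 failure (AD1, DenyAccess); the model does not explain why AD answered the lookup, which remains the open question in the thread.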
