01-16-2012 09:14 AM - edited 03-10-2019 06:43 PM
We have a strange issue whereby some users have suddenly failed to correctly authenticate against ACS 5.1 - we can't work out why, as nothing has changed, and would greatly appreciate your help.
We have dot1x configured on our network with MAB fallback. We haven't yet rolled out dot1x to the clients even though the network is set up for this. In the meantime, we are using MAC Authentication Bypass. We do use 802.1x for wireless though.
I have set up the following Identity Sequence:
AD1 (this is set up as our AD servers for 802.1X user and machine auth)
SecurID Server (we don't use this yet either)
Internal Users (this is just used to authenticate ciscoworks)
Internal Hosts (this contains the list of allowed MAC addresses)
Typically what we have seen today is a user initially authenticates successfully by matching the Internal Hosts identity store, but then an hour later, re-authentication fails as the MAC address matches the AD1 id store and subsequently fails due to the MAC address not being present within AD.
Here is the successful connection entry (all MAC addresses substituted from the originals)...
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11027 Detected Host Lookup UseCase (Service-Type = Call Check (10))
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - Network Access
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - Internal Hosts
24432 Looking up user in Active Directory - 00-1B-78-00-33-00
24412 User not found in Active Directory
24559 Searching for user in the RSA identity store.
24556 User record was not found in the cache.
24210 Looking up User in Internal Users IDStore - 00-1B-78-00-33-00
24216 The user is not found in the internal users identity store.
24209 Looking up Host in Internal Hosts IDStore - 00-1B-78-00-33-00
24211 Found Host in Internal Hosts IDStore
22037 Authentication Passed
22023 Proceed to attribute retrieval
24432 Looking up user in Active Directory - 00-1B-78-00-33-00
24412 User not found in Active Directory
22016 Identity sequence completed iterating the IDStores
Evaluating Group Mapping Policy
24423 ACS has not been able to confirm previous successful machine authentication for user in Active Directory
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15004 Matched rule
15016 Selected Authorization Profile - MAB-PC
11022 Added the dACL specified in the Authorization Profile
11002 Returned RADIUS Access-Accept
Here is the failed connection entry....
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11027 Detected Host Lookup UseCase (Service-Type = Call Check (10))
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - Network Access
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - AD1
24432 Looking up user in Active Directory - 00-1B-78-00-33-00
24416 User's Groups retrieval from Active Directory succeeded
22037 Authentication Passed
22023 Proceed to attribute retrieval
22038 Skipping the next IDStore for attribute retrieval because it is the one we authenticated against
22016 Identity sequence completed iterating the IDStores
Evaluating Group Mapping Policy
24423 ACS has not been able to confirm previous successful machine authentication for user in Active Directory
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - DenyAccess
15039 Selected Authorization Profile is DenyAccess
11003 Returned RADIUS Access-Reject
Any help greatly appreciated!
01-16-2012 09:27 AM
Hello Paul,
Are you sure that the MAC Address 00-1B-78-00-33-00 had not been created as an AD Account? The success logs show:
24432 Looking up user in Active Directory - 00-1B-78-00-33-00
24412 User not found in Active Directory
However, the failure shows:
24432 Looking up user in Active Directory - 00-1B-78-00-33-00
24416 User's Groups retrieval from Active Directory succeeded
It seems that the ACS was able to find the MAC Address 00-1B-78-00-33-00 on the AD Domain.
Also, the failed authentication is due to the Authorization Rule. Which conditions have you defined under the Authorization Rule "MAB-PC"?
Please check the following:
1) Was the MAC Address created on the AD Domain as a valid account?
2) Which conditions are defined under the authorization rule MAB-PC in order to match it?
Regards.
01-16-2012 12:08 PM
1) Are you sure that the MAC Address 00-1B-78-00-33-00 had not been created as an AD Account?
Yes, I checked with the guy that manages the AD servers and he assures us there is no record anywhere of any MAC addresses in AD. I have done my own search and can't find anything in there either. Also, the timestamps of these two authentication attempts are 09:36 and 10:36 (or something like that) and we know we definitely didn't make any changes to AD in that time window.
2) Which conditions have you defined under the Authorization Rule "MAB-PC"?
===== AUTHORIZATION POLICY =====
General
Name: MAB-PC
Status: Enabled
Conditions
[TICKED] NDG:Location in All Locations:AP
[NOT TICKED] AD1:ExternalGroups -ANY-
[TICKED] Compound Condition:
Dictionary AD-AD1 Attribute [blank]
Current Condition Set:
Internal Hosts:HostIdentityGroup in AllGroups:NoDot1xClient
Results
Authorization Profiles
MAB-PC
===== IDENTITY GROUP =====
Name: NoDot1xClient
Info: This group is assigned to all MAC address Hosts which do not have dot1x enabled.
===== AUTHORIZATION PROFILE =====
Authorization Profile
Name: MAB-PC
Downloadable ACL Name - Static - Value [Permit-IP]
VLAN ID/Name - Static - User-trusted
===== Downloadable ACLs ======
Name - Permit-IP
Downloadable ACL Content: Permit IP Any Any
01-16-2012 12:12 PM
Paul,
From the logs, I suspect that for some reason the ACS is able to authenticate the MAC Address against the AD, therefore, failing the authorization condition match at "Current Condition Set:Internal Hosts:HostIdentityGroup in AllGroups:NoDot1xClient".
The ACS will end up hitting the Deny Access rule as it was not able to comply with the condition for the MAB-PC authorization rule.
We should dig further trying to determine why the MAC Address is getting authenticated by AD instead of Internal Hosts.
Regards.
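A small audit script, added here and not part of the thread or of ACS itself, that reads the two step lists quoted above and flags the pattern Carlos describes: a MAB (Call Check) session whose MAC-format identity was authenticated by a store other than Internal Hosts, which is what then misses the MAB-PC condition and falls through to DenyAccess. The sample step text is constructed from the logs in the thread.

```python
import re

# Constructed sample input: the two ACS 5.x step lists quoted in the thread
# (MAC address already substituted by the original poster).
PASS_STEPS = """11027 Detected Host Lookup UseCase (Service-Type = Call Check (10))
15013 Selected Identity Store - Internal Hosts
24432 Looking up user in Active Directory - 00-1B-78-00-33-00
24412 User not found in Active Directory
24211 Found Host in Internal Hosts IDStore
22037 Authentication Passed
15016 Selected Authorization Profile - MAB-PC
11002 Returned RADIUS Access-Accept"""

FAIL_STEPS = """11027 Detected Host Lookup UseCase (Service-Type = Call Check (10))
15013 Selected Identity Store - AD1
24432 Looking up user in Active Directory - 00-1B-78-00-33-00
24416 User's Groups retrieval from Active Directory succeeded
22037 Authentication Passed
15016 Selected Authorization Profile - DenyAccess
11003 Returned RADIUS Access-Reject"""

# Identity written as a hyphen-separated MAC, the form ACS shows for MAB lookups.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$")


def parse_steps(text):
    """Return (code, message) tuples; lines without a 5-digit step code get code None."""
    steps = []
    for line in text.splitlines():
        line = line.strip().rstrip("|").strip()  # tolerate copied table pipes
        if not line:
            continue
        m = re.match(r"^(\d{5})\s+(.*)$", line)
        steps.append((m.group(1), m.group(2)) if m else (None, line))
    return steps


def audit_mab_session(text):
    """Flag a Call Check (MAB) session whose MAC identity was authenticated
    by a store other than Internal Hosts and matched in AD (step 24416)."""
    steps = parse_steps(text)
    codes = {c for c, _ in steps}
    is_mab = "11027" in codes  # Host Lookup use case, Service-Type = Call Check
    store = next((m.split(" - ", 1)[1] for c, m in steps if c == "15013"), None)
    identity = next((m.rsplit(" - ", 1)[1] for c, m in steps if c == "24432"), None)
    ad_matched = "24416" in codes
    suspicious = (is_mab and identity is not None and bool(MAC_RE.match(identity))
                  and store != "Internal Hosts" and ad_matched)
    return {"mab": is_mab, "store": store, "identity": identity,
            "ad_matched_mac": ad_matched, "suspicious": suspicious}
```

Run over an export of ACS step details, a "suspicious" hit points at the sessions where the identity sequence resolved the MAC against AD1 before reaching Internal Hosts.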
01-16-2012 12:36 PM
Hi Carlos, thanks for your help. Do you have any suggestions for how we can determine why the MAC address is getting authenticated by AD?
To help me understand the nature of the issue a bit more, could you help me with the following queries about how 802.1X and ACS works?
If a switch is configured for dot1x with MAB fallback as ours is, does the switch still send the MAC address for a dot1x-enabled client as well as the user and host AD credentials even though the MAC address is not required for auth in this case?
For the same switch and a client with dot1x DISABLED, does the switch forward just the MAC address to ACS?
If the switch invokes MAB and passes just the MAC address to ACS, does ACS still run the MAC address through the full identity store sequence which starts with AD1, even though dot1x is not running (and therefore AD matching is not relevant)?
Ultimately, I am trying to decide if
a) ACS is passing non-dot1x credentials (namely the MAC address) to AD erroneously or
b) if AD is responding (correctly or incorrectly) with a match or
c) if AD is rejecting the MAC address but that the rejection message isn't triggering the next iteration in the identity store sequence.
01-16-2012 01:01 PM
Hello Paul,
If a switch is configured for dot1x with MAB fallback as ours is, does the switch still send the MAC address for a dot1x-enabled client as well as the user and host AD credentials even though the MAC address is not required for auth in this case?
For the same switch and a client with dot1x DISABLED, does the switch forward just the MAC address to ACS?
If the switch invokes MAB and passes just the MAC address to ACS, does ACS still run the MAC address through the full identity store sequence which starts with AD1, even though dot1x is not running (and therefore AD matching is not relevant)?
Ultimately, I am trying to decide if
a) ACS is passing non-dot1x credentials (namely the MAC address) to AD erroneously ---> Do not think this might be the case as it will always pass the credentials to every database in the specified order
b) if AD is responding (correctly or incorrectly) with a match ---> We know this one is happening.
c) if AD is rejecting the MAC address but that the rejection message isn't triggering the next iteration in the identity store sequence. ----> Do not think AD is rejecting the MAC Address based on:
24432 Looking up user in Active Directory - 00-1B-78-00-33-00
24416 User's Groups retrieval from Active Directory succeeded
At this point I have no suggestions on how to determine if the MAC Address is being properly authenticated on the AD side.