Solved: Re: Yes, please check and let me

pietrulewiczmarek · ‎04-06-2015

Hi,

We have deployed ISE in a company and set workstations for computer authentication. When workstations pass authentication they are placed in Data VLAN (5), if they fail then they should be placed in Guest VLAN (50). WiredAutoConfig service as well as supplicant is set with gpo so all workstations have the same settings.

ISE's certificate is signed by our internal CA and workstations also have imported CA in their Trusted CA list.

The problem is that few workstations are placed in Guest VLAN. Previously on those workstations we got a pop-up window as below. When clicked 'connect' the workstations were placed correctly in Data VLAN (5). We do not get this security alert anymore on those machines and they just join Guest VLAN which is not want we want.

Most of the workstations however, are authenticated successfully.

switchports configuration:

switchport access vlan 5
switchport mode access
switchport voice vlan 6
authentication event fail action next-method
authentication event server dead action authorize vlan 5
authentication event server dead action authorize voice
authentication event no-response action authorize vlan 50
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication violation replace
mab
mls qos trust dscp
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable

Authentication log from ISE;

Has anyone experienced similar situation?

nspasov · ‎04-06-2015

I am assuming the domain machines have the root ca certificate checked under the "Protected EAP Properties" window?

View solution in original post

nspasov · ‎04-06-2015

Can you post screen shots of the supplicant's configurations?

pietrulewiczmarek · ‎04-06-2015

I don't have access to either DC nor domain joined computers at the moment, but the configuration is default for computer authentication as below

nspasov · ‎04-06-2015

I am assuming the domain machines have the root ca certificate checked under the "Protected EAP Properties" window?

pietrulewiczmarek · ‎04-06-2015

I will double check tomorrow if it is. But let's assume that is not checked; why would some machines be authenticated normally and others not?

nspasov · ‎04-06-2015

Yes, please check and let me us know. Also, if you get the warning message please click on the "Details" button and post a screen shot from that output as well.

A couple of things to note:

- A machine would get that warning message if: The supplicant is not configured to trust the specific CA Certificate that was used to sign the ISE certificate AND if the option "Do not prompt user to authorize new servers or trusted certification authorities" is NOT checked. So let's start here and verify those settings.

- Your ISE logs indicate that the session stops/fails during the establishment of the EAP tunnel. This would further indicate that the client is not trusting the ISE certificate or more specifically the CA that signed the ISE cert.

Thank you for rating helpful posts!

pietrulewiczmarek · ‎04-15-2015

Sorry for late reply and thank you for your quick answers,

I have no direct access to workstations, so all have to be confirmed by other IT staff. So far it looks like the change of selecting CA in the supplicant configuration fixed the problems. I will mark your answer as Correct Answer once we are 100% certain about it.

Marek.

nspasov · ‎04-23-2015

Hi Marek. Was your issue resolved?

pietrulewiczmarek · ‎04-24-2015

Yes, thank you!

nspasov · ‎04-24-2015

You are welcome! Glad I could help! :)

pietrulewiczmarek · ‎04-24-2015

If you could also help regarding the issue described in my new post that would be awesome too! :)

nspasov · ‎04-24-2015

I can try...what is the link to the thread?

Svetlin Simeonov · ‎01-30-2019

Hi,

I have same issue.

But i don't understand supplicant configuration:

I look in properties and snip the configuration is correct or not ?

The check of Validate server certificate is check

Connect to these servers is check:

ise-lab.cnsys.bg

Trusted Root Certificate looks good

jaguar

But i have not check for :

Do not prompt user to authorize new servers or trusted certification authorities

This is my configuration from LAB

I will check Configuration with my customer where the issuers is happening.

Thank you.

some computers are not authenticated successfully with ISE and join Guest vlan