07-10-2014 01:04 PM - edited 02-21-2020 05:14 AM
I am trying to get a MacBook up on our internal Wifi.
For that, I create an XML file using iPhone Configuration Utility. Pretty straightforward. You tell it what SSID, PEAP, certs to use, then I import that file into the MacBook.
Bottom line is it never matches my ISE rules, so I get the default Deny.
This is the first attempt to get a Mac on this network. Windows machines are set up and working fine on the internal Wifi.
I confirmed with the AD administrator that this machine name is in their system. As you can see, it authenticates to AD.
So it appears that 802.1x is failing. How do I find out *exactly* why? I cannot tell if it is a cert issue, or something else.
Any suggestions on finding the root cause?
Thanks!
From ISE, for my Mac's MAC address:
[snip]
11001 : Received RADIUS Access-Request
11018 : RADIUS is re-using an existing session
12302 : Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12319 : Successfully negotiated PEAP version 1
12800 : Extracted first TLS record; TLS handshake started
12805 : Extracted TLS ClientHello message
12806 : Prepared TLS ServerHello message
12807 : Prepared TLS Certificate message
12810 : Prepared TLS ServerDone message
12305 : Prepared EAP-Request with another PEAP challenge
11006 : Returned RADIUS Access-Challenge
11001 : Received RADIUS Access-Request
11018 : RADIUS is re-using an existing session
12304 : Extracted EAP-Response containing PEAP challenge-response
12305 : Prepared EAP-Request with another PEAP challenge
11006 : Returned RADIUS Access-Challenge
11001 : Received RADIUS Access-Request
11018 : RADIUS is re-using an existing session
12304 : Extracted EAP-Response containing PEAP challenge-response
12305 : Prepared EAP-Request with another PEAP challenge
11006 : Returned RADIUS Access-Challenge
11001 : Received RADIUS Access-Request
11018 : RADIUS is re-using an existing session
12304 : Extracted EAP-Response containing PEAP challenge-response
12305 : Prepared EAP-Request with another PEAP challenge
11006 : Returned RADIUS Access-Challenge
11001 : Received RADIUS Access-Request
11018 : RADIUS is re-using an existing session
12304 : Extracted EAP-Response containing PEAP challenge-response
12305 : Prepared EAP-Request with another PEAP challenge
11006 : Returned RADIUS Access-Challenge
11001 : Received RADIUS Access-Request
11018 : RADIUS is re-using an existing session
12304 : Extracted EAP-Response containing PEAP challenge-response
12305 : Prepared EAP-Request with another PEAP challenge
11006 : Returned RADIUS Access-Challenge
11001 : Received RADIUS Access-Request
11018 : RADIUS is re-using an existing session
12304 : Extracted EAP-Response containing PEAP challenge-response
12319 : Successfully negotiated PEAP version 1
12812 : Extracted TLS ClientKeyExchange message
12804 : Extracted TLS Finished message
12801 : Prepared TLS ChangeCipherSpec message
12802 : Prepared TLS Finished message
12816 : TLS handshake succeeded
12310 : PEAP full handshake finished successfully
12305 : Prepared EAP-Request with another PEAP challenge
11006 : Returned RADIUS Access-Challenge
11001 : Received RADIUS Access-Request
11018 : RADIUS is re-using an existing session
12304 : Extracted EAP-Response containing PEAP challenge-response
12313 : PEAP inner method started
11521 : Prepared EAP-Request/Identity for inner EAP method
12305 : Prepared EAP-Request with another PEAP challenge
11006 : Returned RADIUS Access-Challenge
11001 : Received RADIUS Access-Request
11018 : RADIUS is re-using an existing session
12304 : Extracted EAP-Response containing PEAP challenge-response
11522 : Extracted EAP-Response/Identity for inner EAP method
11806 : Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305 : Prepared EAP-Request with another PEAP challenge
11006 : Returned RADIUS Access-Challenge
11001 : Received RADIUS Access-Request
11018 : RADIUS is re-using an existing session
12304 : Extracted EAP-Response containing PEAP challenge-response
11808 : Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
15041 : Evaluating Identity Policy
15006 : Matched Default Rule
15013 : Selected Identity Source - AD-myconame
24430 : Authenticating user against Active Directory
24402 : User authentication against Active Directory succeeded
22037 : Authentication Passed
11824 : EAP-MSCHAP authentication attempt passed
12305 : Prepared EAP-Request with another PEAP challenge
11006 : Returned RADIUS Access-Challenge
11001 : Received RADIUS Access-Request
11018 : RADIUS is re-using an existing session
12304 : Extracted EAP-Response containing PEAP challenge-response
11810 : Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814 : Inner EAP-MSCHAP authentication succeeded
11519 : Prepared EAP-Success for inner EAP method
12314 : PEAP inner method finished successfully
12305 : Prepared EAP-Request with another PEAP challenge
11006 : Returned RADIUS Access-Challenge
11001 : Received RADIUS Access-Request
11018 : RADIUS is re-using an existing session
12304 : Extracted EAP-Response containing PEAP challenge-response
24423 : ISE has not been able to confirm previous successful machine authentication for user in Active Directory
15036 : Evaluating Authorization Policy
24432 : Looking up user in Active Directory - myfirstname.mylastname
24416 : User's Groups retrieval from Active Directory succeeded
15048 : Queried PIP
15048 : Queried PIP
15048 : Queried PIP
15048 : Queried PIP
15048 : Queried PIP
15004 : Matched rule - Default
15016 : Selected Authorization Profile - DenyAccess
15039 : Rejected per authorization profile
12306 : PEAP authentication succeeded
11503 : Prepared EAP-Success
11003 : Returned RADIUS Access-Reject
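Added example, not part of the original post and not Cisco tooling: a small triage script that reads ISE step lines in the `code : message` form shown above and reports which phase produced the Access-Reject. The function names and the code-to-phase mapping are assumptions, drawn only from the step messages visible in this log; the sample input is a constructed subset of it.

```python
import re

# Constructed sample: a subset of the step lines shown in the post above.
SAMPLE_STEPS = """\
12816 : TLS handshake succeeded
24402 : User authentication against Active Directory succeeded
22037 : Authentication Passed
24423 : ISE has not been able to confirm previous successful machine authentication for user in Active Directory
15036 : Evaluating Authorization Policy
15004 : Matched rule - Default
15016 : Selected Authorization Profile - DenyAccess
15039 : Rejected per authorization profile
11003 : Returned RADIUS Access-Reject
"""

STEP_RE = re.compile(r"^\s*(\d{5})\s*:\s*(.+?)\s*$")

def parse_steps(text):
    """Return [(code, message)] for each 'NNNNN : message' line; skip others."""
    matches = (STEP_RE.match(line) for line in text.splitlines())
    return [(int(m.group(1)), m.group(2)) for m in matches if m]

def triage(text):
    """Report which phase produced the Access-Reject (assumed code-to-phase
    mapping, taken only from the step messages visible in the post)."""
    steps = parse_steps(text)
    codes = {code for code, _ in steps}
    last = dict(steps)  # last message seen for each code
    tail = lambda code: last[code].split(" - ", 1)[-1] if code in last else None
    report = {
        "rejected": 11003 in codes,
        "tls_ok": 12816 in codes,
        "authn_ok": 22037 in codes,
        "machine_auth_unconfirmed": 24423 in codes,
        "authz_rule": tail(15004),
        "authz_profile": tail(15016),
        "failed_phase": None,
    }
    if report["rejected"]:
        if not report["tls_ok"]:
            report["failed_phase"] = "tls"
        elif not report["authn_ok"]:
            report["failed_phase"] = "authentication"
        elif 15039 in codes:
            report["failed_phase"] = "authorization"
        else:
            report["failed_phase"] = "unknown"
    return report
```

Run over the step list above, it separates the TLS and inner-method results from the authorization result, and surfaces the matched rule, the selected profile and the 24423 step together.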