This is more of a design and solution question rather than configuration.
Company A has its own WLC, ISE and Cisco APs that manage Company A's client for their printers on site. Now, the client has decided to change to Company B, who would authenticate their wireless printers moving forward. However, Company B wants to leverage Company A's existing wireless infrastructure. Company B has its own ISE in its network. Also, the client wants to install a new WLC and APs and manage these devices.
Here is my idea and want to know what's your thoughts.
The proposed solution is that Company A will provision layer 2 (a new VLAN). The new SSID will be configured on the new WLC. Company A will configure the new VLAN on its switches and hand off to Company B's router. Company B's router will look after the DHCP scope for the wireless printers and the routing.
Now, the tricky part. I am not sure where Company A's ISE comes into the picture and how the proxy RADIUS flow works. Let's understand the concept, and again, please correct me if I am wrong.
Wireless printers join new SSID, say PRINTERS using WPA+WPA2
The AP will redirect the printer's request to the WLC. The WLC will forward the authentication request to Company A's ISE server.
Company A's ISE server will be configured with proxy RADIUS of Company B's ISE server.
The WLC receives a response from Company A's ISE server (with a RADIUS proxy).
The WLC attempts to forward the authentication request to Company B's ISE server. The WLC sends the flow to Company A's switch, from there to Company B's router and from there to Company B's ISE server.
Do I have a correct understanding?
Also, what if the WLC points directly to Company B's ISE server? This may not be possible as the WLC would not be aware of Company B's IP?
I will post a diagram tomorrow and hope that my explanation is not confusing.
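The proxy hop in the post above, as an added example that is not part of the original thread. It models the three parties with standard-library Python only: the WLC (the NAS) builds an RFC 2865 Access-Request and sends it to Company A's ISE, which acts as the RADIUS proxy (in ISE terms an External RADIUS Server entry plus a RADIUS Server Sequence), inserts a Proxy-State attribute, forwards under its own identifier and Request Authenticator using the secret it shares with Company B's ISE, verifies the Response Authenticator on the reply, strips Proxy-State and re-signs the reply with the secret it shares with the WLC. The WLC therefore never needs Company B's address or secret. The printer identity is a MAC address in User-Name (MAB-style), EAP and Message-Authenticator are left out, and the shared secrets and printer list are constructed sample values.

```python
"""RADIUS proxy hop: WLC (NAS) -> Company A ISE (proxy) -> Company B ISE (home).

Added example using only the standard library. Models RFC 2865 framing, the
Response Authenticator and the Proxy-State attribute a proxy adds and strips.
"""
import hashlib
import os
import struct

# RADIUS codes and attribute types (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID, PROXY_STATE = 1, 4, 31, 33

# Assumed shared secrets (hypothetical values, not from the thread)
SECRET_WLC_ISE_A = b"wlc<->iseA"     # between the WLC and Company A's ISE
SECRET_ISE_A_ISE_B = b"iseA<->iseB"  # between Company A's ISE and Company B's ISE

# Constructed sample data: printers Company B's ISE knows, keyed by MAC address
COMPANY_B_PRINTERS = frozenset({b"00:11:22:33:44:55", b"00:11:22:33:44:56"})


def encode_attrs(attrs):
    """Attributes are TLVs: type, length (including the 2 header bytes), value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])


def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def build_response(code, ident, request_auth, attrs, secret):
    auth = response_authenticator(code, ident, request_auth, attrs, secret)
    return build_packet(code, ident, auth, attrs)


def verify_response(pkt, request_auth, secret):
    code, ident, auth, attrs = parse_packet(pkt)
    return auth == response_authenticator(code, ident, request_auth, attrs, secret)


def home_server(pkt, secret, known_printers):
    """Company B ISE: decide, and echo every Proxy-State back unchanged."""
    code, ident, req_auth, attrs = parse_packet(pkt)
    user = next((v for t, v in attrs if t == USER_NAME), None)
    decision = ACCESS_ACCEPT if user in known_printers else ACCESS_REJECT
    echoed = [(t, v) for t, v in attrs if t == PROXY_STATE]
    return build_response(decision, ident, req_auth, echoed, secret)


def proxy_server(pkt, nas_secret, home_secret, home=home_server,
                 known_printers=COMPANY_B_PRINTERS):
    """Company A ISE: add Proxy-State, forward with its own ID and authenticator,
    verify the home server's reply, strip Proxy-State, re-sign for the WLC."""
    code, ident, req_auth, attrs = parse_packet(pkt)
    state, fwd_auth, fwd_ident = os.urandom(8), os.urandom(16), 77
    forwarded = build_packet(ACCESS_REQUEST, fwd_ident, fwd_auth,
                             attrs + [(PROXY_STATE, state)])
    reply = home(forwarded, home_secret, known_printers)
    if not verify_response(reply, fwd_auth, home_secret):
        raise ValueError("home server reply failed Response Authenticator check")
    rcode, _, _, rattrs = parse_packet(reply)
    if (PROXY_STATE, state) not in rattrs:
        raise ValueError("home server did not echo our Proxy-State")
    stripped = [(t, v) for t, v in rattrs if t != PROXY_STATE]
    return build_response(rcode, ident, req_auth, stripped, nas_secret)


def wlc_authenticate(mac, nas_secret=SECRET_WLC_ISE_A, proxy_nas_secret=SECRET_WLC_ISE_A):
    """WLC: build the Access-Request, talk to Company A's ISE only, verify the reply.
    proxy_nas_secret lets a caller simulate a secret mismatch between WLC and ISE A."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, mac.encode()), (CALLING_STATION_ID, mac.encode()),
             (NAS_IP_ADDRESS, bytes([10, 0, 0, 1]))]
    request = build_packet(ACCESS_REQUEST, 5, req_auth, attrs)
    reply = proxy_server(request, proxy_nas_secret, SECRET_ISE_A_ISE_B)
    if not verify_response(reply, req_auth, nas_secret):
        return {"accepted": False, "reason": "bad Response Authenticator", "attrs": []}
    code, _, _, rattrs = parse_packet(reply)
    return {"accepted": code == ACCESS_ACCEPT, "reason": "ok", "attrs": rattrs}


if __name__ == "__main__":
    print(wlc_authenticate("00:11:22:33:44:55"))
    print(wlc_authenticate("de:ad:be:ef:00:01"))
    print(wlc_authenticate("00:11:22:33:44:55", proxy_nas_secret=b"wrong"))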
I have integrated AirWatch as an MDM server with ISE 2.3.
The authentication is successful using EAP-TLS but authorization policy is not working.
There is no requirement for BYOD. All the iOS devices are pre-registered on AirWatch. If the device registration status is registered, access is allowed; if it is unregistered, it will be denied.
Below is my policy:
1. IOS REGISTERED DEVICE if MDM:deviceregisteredstatus equals registered, allow Access
2. IOS PREAUTH if SSID=IOS then trigger PreAuthIOS authorization profile (this profile will return preauthIOS acl to Wireless controller to allow traffic to DNS, DHCP and to MDM server to check the status)
3. IOS UNREGISTERED DEVICE if MDM:deviceregisteredstatus equals unregistered, DenyAccess
I just connected my iPhone. It gets an IP address and I can see the Wi-Fi symbol but cannot browse the Internet.
The flow (let me know your thoughts):
- Any newly registered iPhone on AirWatch triggers the pre-auth (2nd policy) and goes out to the Internet to talk only to AirWatch to confirm the device registration status
- ISE gets the device registration status and issues a change of authorization (CoA) for the endpoint; it would then trigger the 1st policy if the status from the MDM is registered, but the 3rd policy if the status from the MDM is unregistered
I do not think CoA is happening with my test iPhone.
Below are the RADIUS logs:
Cisco Identity Services Engine
EAP-TLS authentication succeeded
ISE has not confirmed locally previous successful machine authentication for user in Active Directory
Evaluating Authorization Policy
Queried PIP - Network Access.UseCase (2 times)
Queried PIP - Network Access.ISE Host Name
Queried PIP - MDM.DeviceRegisterStatus
Selected Authorization Profile - iOS-PreAuth
Max sessions policy passed
New accounting session created in Session cache
Looking up user in Active Directory - TESTAD
LDAP fetch succeeded - company.com
User's Groups retrieval from Active Directory succeeded - TESTAD
Returned RADIUS Access-Accept
Although the test connection to the MDM is successful, I think ISE is not making an API call to AirWatch at all.
The error from the PSN is: Identity Services Engine
External MDM Server Connection Failure. : Reason is Connection Failed to the MDM server host -
I have disabled the proxy on the ISE PAN and added a firewall rule so ISE can talk directly to AirWatch. We don't see any drops on the firewall.
The TAC case is already logged. As per Cisco, depending on the polling interval (the default is 240 minutes), ISE fetches the status of all devices from AirWatch and stores it in the identity database. I am not sure about this.
When ISE makes an API call, who is the source? The PAN or the PSN?
It seems I have provided too much information? But let me know if you guys have worked with MDM or know any of the theory or concepts about the flow.
Sorry, I was a bad reader :-)
Can I suggest that you update the title of the thread to "Cisco ISE 2.3 High Memory Utilization"?
I just had a look at my ISE 2.3 (patch 2) RAM and it's at 80%.
I found some articles where the same issue was experienced on 2.2 and was resolved after upgrading to 2.3.
But it looks like the issue is back in 2.3 again. Please read below.
I would suggest lodging a TAC case with Cisco. I will take the same action.
Please keep me posted.
The below is from the link I pasted; it seems high CPU was resolved in 2.3 patch 1:
PAN runs high CPU due to 100K limit in the Redis server.
High CPU usage caused by infinite loop threads on PSN.
I have just upgraded to patch 2 and, as far as I remember, I didn't see any CPU-related issue in patch 1. I think it won't harm to upgrade to patch 2 and monitor. You can always roll back.
Looking at your endpoint, it could be your hardware limitation. You also want to check whether your hardware requirement is met with your traffic before the patch upgrade.
Hope this helps.
Final update: there is no issue at the ISE end. OCSP is not working because there is an issue on the OCSP server.
As an alternative workaround, I tried CRL, but ISE was not downloading the CRL with Cisco ISE 2.3 patch 1. After troubleshooting, I found that it is due to a bug (see the link below). Cisco released 2.3 patch 2 on 25th Jan 2018. After installing the patch, CRL is working.
Thanks all for your time. Appreciate it.
I can now see OCSP in the logs but the issue is not resolved.
Jan was right. The supplicant on the Windows machine used PEAP (MSCHAPv2) by default. I changed it to use a certificate and also updated the authentication policy for EAP-TLS (see below).
ISE successfully authenticates the machine using PEAP (EAP-TLS) now, and I got the logs below.
Lookup user certificate status in OCSP cache - certificate for <machinename>
User certificate status was not found in OCSP cache - certificate for <machinename>
Take OCSP servers list from OCSP service configuration - certificate for <machinename>
Sent an OCSP request to the primary OCSP server for the CA - External OCSP Server
Connection to OCSP server failed - certificate for <machinename>
Conversation with OCSP server ended with failure - certificate for <machinename>
OCSP response not cached - certificate for <machinename>
As shown above, I am not sure why the connection to OCSP fails. I have verified again and again that there is no firewall issue.
The next things:
1. I am checking with the CA to make sure whether the OCSP services are running or not.
2. Any idea why the logs indicate a "user" certificate? I think it should be "machine"?
If you have any idea from the logs, please let me know.
The investigation continues :-)
I will keep posting to you all. I appreciate your time, guys.
It looks like we have spotted the issue. We are not using EAP chaining, so no supplicant such as Cisco AnyConnect is configured on the client machine. I guess the machine uses the default built-in supplicant.
Also, this now explains why a machine with an expired client certificate is passing authentication. It uses PEAP-MSCHAPv2 and finds the domain user in Active Directory.
Now, to fix this, I have unchecked "Allow EAP-MS-CHAPv2" (see below) and checked EAP-TLS.
It seems the built-in Windows supplicant demands the MSCHAP protocol. From the below, can we deduce that the client supplicant needs to be changed to EAP-TLS, or is something wrong at the ISE end?
For the certificate authentication profile, it uses Subject Alternative Name as the certificate attribute to match against Active Directory.
As per your suggestion, I have put the below authentication condition for EAP-TLS, but it fails as the client is asking for MSCHAP, not EAP-TLS.
I would like your and others' thoughts on this.
Update: I can see OCSP in the logs now. Please check my latest update on this thread below.
I thought the expired or revoked cert would be an individual machine cert. I have just revoked a machine certificate (not an intermediate) and am still not seeing anything related to OCSP. It is still passing the authentication phase.
I will test an intermediate cert that is expired and revoked, but just some questions:
1) If an individual machine is compromised from a security perspective, doesn't it make more sense to disable the machine's (individual) cert?
2) The intermediate cert is part of the root chain, which is published by the Root CA and usually managed by an external CA. Just to test OCSP, if they revoke or expire the intermediate cert, won't it break the root chain for all the machines? Or could I install a root chain with an expired/revoked intermediate on a machine to test OCSP?
Thank you and all who are assisting me in getting a deep understanding of this. In the next post, I will post my results with expired and revoked intermediate certs and see if I can see any OCSP-related logs in the ISE RADIUS.