C9800 Admin access through GUI with MFA

JPavonM (VIP)

Hi wireless colleagues,

After multiple tries with the configurations I have managed to enable MFA on the C9800 for admin access through CLI by using TACACS+. The integration is done via ISE with NPS as Proxy RADIUS to Entra ID MFA Service in the cloud.

Now, I've created a RADIUS policy cloned from the TACACS+ one on ISE, and similar in the C9800 configuration, but the problem is that when I enter my credentials on the GUI login page, the MS Authenticator app returns me the code (like it happens on CLI access), but before that the GUI times out the session and returns me "Wrong Credentials. Please Login again", and there isn't any pop-up asking for the code.

I doubt this is related to a timeout as it is set to 30 seconds.

Have any of you managed to have this integration working on C9800 GUI access with ISE+NPS+EntraID for MFA?

Below you can find the log record for the failure if it could be of any help.

[attachment: JPavonM_0-1717152702011.png]

 


8 Replies

marce1000 (VIP)

 

   - Check NPS (RADIUS server) logs for this failing authentication and also check the C9800's logs
     (just after trying to use the GUI).

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
    When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

JPavonM (VIP)

@marce1000 that does not return any clue about what is happening on the C9800:
C9800:

May 31 2024 11:49:33.719 UTC: %WEBSERVER-5-SESS_TIMEOUT: Chassis 1 Session timeout from host x.y.z.1 by user 'user1' using crypto cipher 'ECDHE-RSA-AES128-GCM-SHA256'
May 31 2024 11:49:38.319 UTC: %HA_EM-6-LOG: catchall: show banner loginMay 31 2024 11:49:38.297 UTC: %WEBSERVER-5-LOGIN_FAILED: Chassis 1 Login Un-Successful from host x.y.z.1

ISE:

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11117 Generated a new session ID
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Radius.NAS-Port-Type
15048 Queried PIP - Network Access.Protocol
15048 Queried PIP - DEVICE.Location
15048 Queried PIP - DEVICE.Device Type
15041 Evaluating Identity Policy
15048 Queried PIP - Network Access.UserName
15048 Queried PIP - Network Access.AuthenticationMethod
22072 Selected identity source sequence - ISE_NS_ENTRA_AD_Sequence
15013 Selected Identity Source - NPS_ENTRAID_MFA_Proxy
24638 Passcode cache is not enabled in the RADIUS token identity store configuration - NPS_ENTRAID_MFA_Proxy
24609 RADIUS token identity store is authenticating against the primary server - NPS_ENTRAID_MFA_Proxy
11100 RADIUS-Client about to send request - ( port = 1812 )
11101 RADIUS-Client received response (step latency=2565 ms Step latency=2565 ms)
24615 RADIUS token identity store received access challenge response
11006 Returned RADIUS Access-Challenge
11041 RADIUS PAP session timed out (step latency=120000 ms Step latency=120000 ms)
5416 RADIUS PAP session cleaned up

 

 

 - Ok, but I was also asking about the NPS_ENTRAID_MFA_Proxy (RADIUS server) logs, and about the logs from the
     Entra ID MFA Service for the attempted authentications.

 M.




JPavonM (VIP)

 

I don't have any interpreter for NPS Logs working with MFA Extension, and the online interpreter I'm using for standard NPS Logs does not return useful information.

"NPSMFA","IAS",06/03/2024,11:58:48,1,"user1","domain.net/Administrators/User1",,,,,,"10.1.1.231",,0,"10.1.1.161","isepsn001",,,,,,,1,"Cisco WLC - Superuser - Proxy RADIUS Auth - AAD MFA",0,"311 1 10.1.1.159 06/01/2024 20:28:24 15",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
"NPSMFA","IAS",06/03/2024,11:58:48,11,,"domain.net/Administrators/User1",,,,,,,,0,"10.1.1.161","isepsn001",,,,,,,1,"Cisco WLC - Superuser - Proxy RADIUS Auth - AAD MFA",0,"311 1 10.1.1.159 06/01/2024 20:28:24 15",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
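Since the poster has no interpreter for these lines, here is an added example (not from the thread) that parses the two NPS IAS-format records above and names their leading columns. The column order and the Packet-Type / Authentication-Type code tables follow my recollection of Microsoft's IAS log format documentation and should be treated as an assumption to check against your NPS version.

```python
import csv
import io

# Leading columns of the Microsoft NPS/IAS log format (assumption: from memory
# of Microsoft's documentation; later columns are ignored by this parser).
IAS_FIELDS = [
    "ComputerName", "ServiceName", "Record-Date", "Record-Time", "Packet-Type",
    "User-Name", "Fully-Qualified-Distinguished-Name", "Called-Station-ID",
    "Calling-Station-ID", "Callback-Number", "Framed-IP-Address",
    "NAS-Identifier", "NAS-IP-Address", "NAS-Port", "Client-Vendor",
    "Client-IP-Address", "Client-Friendly-Name", "Event-Timestamp",
    "Port-Limit", "NAS-Port-Type", "Connect-Info", "Framed-Protocol",
    "Service-Type", "Authentication-Type", "Policy-Name", "Reason-Code", "Class",
]
PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept", "3": "Access-Reject",
                "4": "Accounting-Request", "11": "Access-Challenge"}
AUTH_TYPES = {"1": "PAP", "2": "CHAP", "3": "MS-CHAP", "4": "MS-CHAPv2", "5": "EAP"}

# Sample input: the two records quoted in the post above (constructed test data here).
SAMPLE = '''"NPSMFA","IAS",06/03/2024,11:58:48,1,"user1","domain.net/Administrators/User1",,,,,,"10.1.1.231",,0,"10.1.1.161","isepsn001",,,,,,,1,"Cisco WLC - Superuser - Proxy RADIUS Auth - AAD MFA",0,"311 1 10.1.1.159 06/01/2024 20:28:24 15",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
"NPSMFA","IAS",06/03/2024,11:58:48,11,,"domain.net/Administrators/User1",,,,,,,,0,"10.1.1.161","isepsn001",,,,,,,1,"Cisco WLC - Superuser - Proxy RADIUS Auth - AAD MFA",0,"311 1 10.1.1.159 06/01/2024 20:28:24 15",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
'''


def parse_ias_line(line):
    """Map one IAS-format CSV line to a dict keyed by the column names above."""
    row = next(csv.reader(io.StringIO(line)))
    rec = dict(zip(IAS_FIELDS, row))  # zip drops the unnamed trailing columns
    rec["Packet-Type-Name"] = PACKET_TYPES.get(rec.get("Packet-Type", ""), "unknown")
    rec["Authentication-Type-Name"] = AUTH_TYPES.get(rec.get("Authentication-Type", ""), "")
    return rec


def summarize(text):
    """Return one readable line per record: time, packet type, user, NAS, client, auth, policy."""
    lines = []
    for raw in text.strip().splitlines():
        r = parse_ias_line(raw)
        lines.append(
            f"{r['Record-Date']} {r['Record-Time']} {r['Packet-Type-Name']:<16} "
            f"user={r['User-Name'] or '-'} nas={r['NAS-IP-Address'] or '-'} "
            f"client={r['Client-Friendly-Name']}({r['Client-IP-Address']}) "
            f"auth={r['Authentication-Type-Name'] or '-'} reason={r['Reason-Code']} "
            f"policy={r['Policy-Name']!r}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```

On the sample, the first record decodes as the Access-Request from NAS 10.1.1.231 relayed by the RADIUS client isepsn001 (PAP, reason code 0) and the second as the Access-Challenge NPS returned, which lines up with the ISE step "24615 RADIUS token identity store received access challenge response" quoted earlier.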

 

 

  - It comes down to this: you also need to be able to view the logs from the Entra ID MFA Service in the cloud
    and check the status of the particular attempted authentication(s).

 M.




JPavonM (VIP)

Unfortunately I have no access to Entra ID MFA service so I can't check them, BUT this is working for CLI access.

THE problem is that the C9800 GUI is not popping up a window asking to enter the code I'm receiving from the MS Authenticator app, so the authentication fails because I don't have any means to enter the MFA code.

 

> ...Unfortunately I have no access to Entra ID MFA service

   - Following the arguments you mentioned later (too), this should be considered essential (to be able to query it); perhaps contact the provider (support) for the service and ask for the info that you need.

     - For the rest, check controller logs when the GUI attempt fails;
     - What is the controller software version?
     - Found https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwj28151; not sure if that is indicative.

 M.




JPavonM (VIP)

The solution pointed out in the bug that @marce1000 shared is the workaround I'm using at this time, having first an ISE policy to match NAS-Port-Type virtual plus NAS-Port-Id containing the string "tty", and a second policy only with NAS-Port-Type, as that is the only difference between both requests from IOS-XE:

 
