4059 Views | 3 Helpful | 11 Replies

C9800 Admin access through GUI with MFA

JPavonM
VIP Alumni

Hi wireless colleagues,

After multiple tries with the configurations I have managed to enable MFA on the C9800 for admin access through CLI by using TACACS+. The integration is done via ISE with NPS as Proxy RADIUS to the Entra ID MFA Service in the cloud.

Now, I've created a RADIUS Policy cloned from the TACACS+ one on ISE, and a similar one in the C9800 configuration, but the problem is that when I enter my credentials on the GUI login page, the MS Authenticator App returns me the code (like it happens on CLI access), but before that the GUI times out the session and returns me "Wrong Credentials. Please Login again", and there isn't any pop-up asking for the code.

I doubt this is related to a timeout as it is set to 30 seconds.

Have any of you managed to have this integration working on C9800 GUI access with ISE+NPS+EntraID for MFA?

Below you can find the log record for the failure if it could be of any help.

[image: JPavonM_0-1717152702011.png (log record of the failed GUI login)]


11 Replies

Mark Elsen
Hall of Fame

 

- Check NPS (RADIUS server) logs for this failing authentication and also check the C9800's logs (just after trying to use the GUI).

M.

-- Let everything happen to you
   Beauty and terror
   Just keep going
   No feeling is final
Rainer Maria Rilke (1899)

JPavonM
VIP Alumni

@Mark Elsen that does not return any clue about what is happening on the C9800:

C9800:

May 31 2024 11:49:33.719 UTC: %WEBSERVER-5-SESS_TIMEOUT: Chassis 1 Session timeout from host x.y.z.1 by user 'user1' using crypto cipher 'ECDHE-RSA-AES128-GCM-SHA256'
May 31 2024 11:49:38.319 UTC: %HA_EM-6-LOG: catchall: show banner login
May 31 2024 11:49:38.297 UTC: %WEBSERVER-5-LOGIN_FAILED: Chassis 1 Login Un-Successful from host x.y.z.1

ISE:

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11117 Generated a new session ID
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Radius.NAS-Port-Type
15048 Queried PIP - Network Access.Protocol
15048 Queried PIP - DEVICE.Location
15048 Queried PIP - DEVICE.Device Type
15041 Evaluating Identity Policy
15048 Queried PIP - Network Access.UserName
15048 Queried PIP - Network Access.AuthenticationMethod
22072 Selected identity source sequence - ISE_NS_ENTRA_AD_Sequence
15013 Selected Identity Source - NPS_ENTRAID_MFA_Proxy
24638 Passcode cache is not enabled in the RADIUS token identity store configuration - NPS_ENTRAID_MFA_Proxy
24609 RADIUS token identity store is authenticating against the primary server - NPS_ENTRAID_MFA_Proxy
11100 RADIUS-Client about to send request - ( port = 1812 )
11101 RADIUS-Client received response (step latency=2565 ms Step latency=2565 ms)
24615 RADIUS token identity store received access challenge response
11006 Returned RADIUS Access-Challenge
11041 RADIUS PAP session timed out (step latency=120000 ms Step latency=120000 ms)
5416 RADIUS PAP session cleaned up
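Editor's added example (not code from the thread, ISE or Cisco): a small analyser for the ISE step list quoted above. It parses the step ID, message and step latency, then classifies the challenge/response flow. The tell-tale pattern in the post is step 11006 (Returned RADIUS Access-Challenge) followed by 11041 (PAP session timed out) with no second 11001 (Access-Request) in between, which is exactly what you see when the NAS never relays the challenge to the user. The sample steps are the ones from the post; the step IDs used as markers are the ones visible there.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the ISE step list quoted in the post above, as one string
# so the analyser runs offline.
SAMPLE_ISE_STEPS = """\
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11117 Generated a new session ID
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Radius.NAS-Port-Type
15048 Queried PIP - Network Access.Protocol
15048 Queried PIP - DEVICE.Location
15048 Queried PIP - DEVICE.Device Type
15041 Evaluating Identity Policy
15048 Queried PIP - Network Access.UserName
15048 Queried PIP - Network Access.AuthenticationMethod
22072 Selected identity source sequence - ISE_NS_ENTRA_AD_Sequence
15013 Selected Identity Source - NPS_ENTRAID_MFA_Proxy
24638 Passcode cache is not enabled in the RADIUS token identity store configuration - NPS_ENTRAID_MFA_Proxy
24609 RADIUS token identity store is authenticating against the primary server - NPS_ENTRAID_MFA_Proxy
11100 RADIUS-Client about to send request - ( port = 1812 )
11101 RADIUS-Client received response (step latency=2565 ms Step latency=2565 ms)
24615 RADIUS token identity store received access challenge response
11006 Returned RADIUS Access-Challenge
11041 RADIUS PAP session timed out (step latency=120000 ms Step latency=120000 ms)
5416 RADIUS PAP session cleaned up
"""

# Step IDs used as markers; they are the ones that appear in the post's output.
STEP_ACCESS_REQUEST = 11001
STEP_RETURNED_CHALLENGE = 11006
STEP_SESSION_TIMEOUT = 11041

# "NNNNN message" with an optional trailing "(step latency=N ms ...)" suffix.
STEP_RE = re.compile(r"^\s*(\d+)\s+(.*?)(?:\s*\(step latency=(\d+) ms.*\))?\s*$")


@dataclass
class Step:
    code: int
    message: str
    latency_ms: Optional[int]


def parse_steps(text: str) -> List[Step]:
    """Parse ISE step lines into Step records; blank lines are skipped."""
    steps: List[Step] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = STEP_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ISE step line: {line!r}")
        latency = int(m.group(3)) if m.group(3) else None
        steps.append(Step(int(m.group(1)), m.group(2), latency))
    return steps


def total_latency_ms(steps: List[Step]) -> int:
    """Sum of the reported step latencies (the 120 s PAP timeout dominates here)."""
    return sum(s.latency_ms or 0 for s in steps)


def diagnose(steps: List[Step]) -> Tuple[str, str]:
    """Classify the challenge/response flow; returns (verdict, explanation)."""
    codes = [s.code for s in steps]
    if STEP_RETURNED_CHALLENGE not in codes:
        return "no-challenge", "ISE never issued an Access-Challenge; the failure is before the MFA step."
    after = codes[codes.index(STEP_RETURNED_CHALLENGE) + 1:]
    if STEP_ACCESS_REQUEST in after:
        return "challenge-answered", "A second Access-Request followed the challenge; the NAS relayed the passcode prompt."
    if STEP_SESSION_TIMEOUT in after:
        return "challenge-unanswered", (
            "ISE returned Access-Challenge but no follow-up Access-Request arrived before the PAP "
            "session timed out: the NAS (here the C9800 web UI) did not relay the challenge to the user.")
    return "challenge-pending", "Access-Challenge issued; the session has neither been answered nor timed out yet."


if __name__ == "__main__":
    parsed = parse_steps(SAMPLE_ISE_STEPS)
    verdict, why = diagnose(parsed)
    print(f"{len(parsed)} steps, {total_latency_ms(parsed)} ms of reported latency")
    print(f"{verdict}: {why}")
```

Run on the post's steps it reports `challenge-unanswered`, which matches the C9800 side: the web server logged a session timeout and then LOGIN_FAILED, never a second request carrying a passcode.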

 

 

- Ok, but I was also asking about the NPS_ENTRAID_MFA_Proxy (RADIUS server) logs, and also about the logs from the Entra ID MFA Service for the attempted authentications.

M.

JPavonM
VIP Alumni

 

I don't have any interpreter for NPS Logs working with MFA Extension, and the online interpreter I'm using for standard NPS Logs does not return useful information.

"NPSMFA","IAS",06/03/2024,11:58:48,1,"user1","domain.net/Administrators/User1",,,,,,"10.1.1.231",,0,"10.1.1.161","isepsn001",,,,,,,1,"Cisco WLC - Superuser - Proxy RADIUS Auth - AAD MFA",0,"311 1 10.1.1.159 06/01/2024 20:28:24 15",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
"NPSMFA","IAS",06/03/2024,11:58:48,11,,"domain.net/Administrators/User1",,,,,,,,0,"10.1.1.161","isepsn001",,,,,,,1,"Cisco WLC - Superuser - Proxy RADIUS Auth - AAD MFA",0,"311 1 10.1.1.159 06/01/2024 20:28:24 15",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
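Editor's added example (not from the thread, and not a Microsoft or Cisco tool): a reader for the IAS-format NPS log lines quoted above. The leading 27 columns of the IAS format (ComputerName through Class) are named; anything after them is kept as unnamed extras since the sample only populates a couple of those. Packet-Type follows the RADIUS codes (1 Access-Request, 11 Access-Challenge) and Authentication-Type 1 is PAP. Records are grouped by their Class value, which NPS reuses across the packets of one authentication, so the request/challenge flow is visible per session. The two sample records are the ones from the post.

```python
import csv
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed sample: the two IAS-format records quoted in the post above.
SAMPLE_NPS_LOG = (
    '"NPSMFA","IAS",06/03/2024,11:58:48,1,"user1","domain.net/Administrators/User1",,,,,,'
    '"10.1.1.231",,0,"10.1.1.161","isepsn001",,,,,,,1,"Cisco WLC - Superuser - Proxy RADIUS Auth - AAD MFA",'
    '0,"311 1 10.1.1.159 06/01/2024 20:28:24 15",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,'
    '"Use Windows authentication for all users",1,,,,\n'
    '"NPSMFA","IAS",06/03/2024,11:58:48,11,,"domain.net/Administrators/User1",,,,,,,,'
    '0,"10.1.1.161","isepsn001",,,,,,,1,"Cisco WLC - Superuser - Proxy RADIUS Auth - AAD MFA",'
    '0,"311 1 10.1.1.159 06/01/2024 20:28:24 15",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,'
    '"Use Windows authentication for all users",1,,,,\n'
)

# Leading columns of the Microsoft IAS log format, positions 1-27.
IAS_COLUMNS = [
    "ComputerName", "ServiceName", "Record-Date", "Record-Time", "Packet-Type",
    "User-Name", "Fully-Qualified-Distinguished-Name", "Called-Station-ID",
    "Calling-Station-ID", "Callback-Number", "Framed-IP-Address", "NAS-Identifier",
    "NAS-IP-Address", "NAS-Port", "Client-Vendor", "Client-IP-Address",
    "Client-Friendly-Name", "Event-Timestamp", "Port-Limit", "NAS-Port-Type",
    "Connect-Info", "Framed-Protocol", "Service-Type", "Authentication-Type",
    "Policy-Name", "Reason-Code", "Class",
]
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 11: "Access-Challenge"}
AUTH_TYPES = {1: "PAP", 2: "CHAP", 3: "MS-CHAP", 4: "MS-CHAPv2", 5: "EAP", 7: "None"}


@dataclass
class IasRecord:
    fields: Dict[str, str]   # the 27 named columns
    extra: List[str]         # remaining, unnamed columns

    @property
    def packet_type(self) -> str:
        code = self.fields["Packet-Type"]
        return PACKET_TYPES.get(int(code), f"Unknown({code})")

    @property
    def timestamp(self) -> datetime:
        return datetime.strptime(self.fields["Record-Date"] + " " + self.fields["Record-Time"],
                                 "%m/%d/%Y %H:%M:%S")


def parse_ias(text: str) -> List[IasRecord]:
    """Parse IAS-format lines (quoted CSV) into records with named leading columns."""
    records: List[IasRecord] = []
    for row in csv.reader(text.splitlines()):
        if not row:
            continue
        if len(row) < len(IAS_COLUMNS):
            raise ValueError(f"record has only {len(row)} columns, expected at least {len(IAS_COLUMNS)}")
        records.append(IasRecord(dict(zip(IAS_COLUMNS, row)), row[len(IAS_COLUMNS):]))
    return records


def summarize_sessions(records: List[IasRecord]) -> List[dict]:
    """Group by Class (NPS's per-authentication identifier) and list the packet flow."""
    sessions: Dict[str, dict] = {}
    for r in records:
        s = sessions.setdefault(r.fields["Class"], {
            "class": r.fields["Class"], "user": "", "nas_ip": "", "client": "",
            "policy": "", "auth_type": "", "reason_code": None, "flow": []})
        # The challenge record leaves User-Name and NAS-IP-Address empty, so keep
        # the first non-empty value seen for each of these.
        for key, col in (("user", "User-Name"), ("nas_ip", "NAS-IP-Address"),
                         ("client", "Client-Friendly-Name"), ("policy", "Policy-Name")):
            if not s[key] and r.fields[col]:
                s[key] = r.fields[col]
        auth = r.fields["Authentication-Type"]
        if auth:
            s["auth_type"] = AUTH_TYPES.get(int(auth), f"Unknown({auth})")
        if r.fields["Reason-Code"]:
            s["reason_code"] = int(r.fields["Reason-Code"])
        s["flow"].append(r.packet_type)
    return list(sessions.values())


if __name__ == "__main__":
    for sess in summarize_sessions(parse_ias(SAMPLE_NPS_LOG)):
        print(f"{sess['user']} from NAS {sess['nas_ip']} via {sess['client']} "
              f"[{sess['auth_type']}]: {' -> '.join(sess['flow'])} (reason {sess['reason_code']})")
```

For the sample this prints one session, `user1` from NAS 10.1.1.231 via the ISE PSN, PAP, flow `Access-Request -> Access-Challenge` with reason code 0: NPS did hand the challenge back to ISE, so the missing passcode prompt is downstream of NPS.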

 

 

- It comes down to that you also need to be able to view the logs from the Entra ID MFA Service in the cloud and check the status of the particular attempted authentication(s).

M.

JPavonM
VIP Alumni

Unfortunately I have no access to the Entra ID MFA service so I can't check them, BUT this is working for CLI access.

THE problem is that the C9800 GUI is not popping up a window asking to enter the code I'm receiving from the MS Authenticator App, so the authentication fails because I don't have any means to enter the MFA code.

 

[Accepted Solution]

> ...Unfortunately I have no access to Entra ID MFA service

- Following the arguments you mentioned later (too), this should be considered essential (to be able to query it); perhaps contact the provider (support) for the service and ask for the info that you need.
- For the rest, check controller logs when the GUI attempt fails;
- What is the controller software version?
- Found https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwj28151; not sure if that is indicative.

M.

JPavonM
VIP Alumni

The solution pointed out in the bug that @Mark Elsen shared is the workaround I'm using at this time: first an ISE policy matching NAS-Port-Type Virtual plus NAS-Port-Id containing the string "tty", and a second policy with only NAS-Port-Type, as that is the only difference between the two requests from IOS-XE:
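Editor's added example (not the poster's ISE configuration, and not ISE code): a first-match evaluation of the two policies described above over RADIUS request attributes, to show why their order matters. The policy names are hypothetical; the conditions are the ones in the post (NAS-Port-Type Virtual plus NAS-Port-Id containing "tty" for the CLI, NAS-Port-Type Virtual alone for the GUI). The sample requests are constructed: "tty1" follows the IOS-XE VTY naming, and the GUI request simply carries no "tty" port id because the post only says that attribute is what differs.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Request = Dict[str, str]
Condition = Callable[[Request], bool]


def attr_equals(attr: str, value: str) -> Condition:
    return lambda req: req.get(attr) == value


def attr_contains(attr: str, substring: str) -> Condition:
    return lambda req: substring in req.get(attr, "")


@dataclass
class Policy:
    name: str
    conditions: List[Condition]

    def matches(self, req: Request) -> bool:
        return all(cond(req) for cond in self.conditions)


# Hypothetical policy names; conditions as described in the post. "Virtual" is
# NAS-Port-Type value 5 (RFC 2865) as ISE displays it.
MFA_CLI_POLICY = Policy("C9800 admin CLI - proxy to NPS/Entra ID MFA",
                        [attr_equals("NAS-Port-Type", "Virtual"),
                         attr_contains("NAS-Port-Id", "tty")])
GUI_POLICY = Policy("C9800 admin GUI - no inline MFA",
                    [attr_equals("NAS-Port-Type", "Virtual")])

# The specific (CLI) policy must precede the general (GUI) one.
POLICY_SET: List[Policy] = [MFA_CLI_POLICY, GUI_POLICY]


def select_policy(req: Request, policy_set: List[Policy] = POLICY_SET) -> Optional[str]:
    """Walk the ordered policy set and return the first matching policy's name."""
    for policy in policy_set:
        if policy.matches(req):
            return policy.name
    return None


# Constructed sample requests.
CLI_LOGIN: Request = {"User-Name": "user1", "NAS-Port-Type": "Virtual", "NAS-Port-Id": "tty1"}
GUI_LOGIN: Request = {"User-Name": "user1", "NAS-Port-Type": "Virtual"}  # no "tty" port id
WIRELESS_CLIENT: Request = {"User-Name": "laptop", "NAS-Port-Type": "Wireless - IEEE 802.11"}


def demo() -> Dict[str, Optional[str]]:
    """Show the effect of policy order: reversed, every CLI login lands on the GUI policy."""
    return {
        "cli": select_policy(CLI_LOGIN),
        "gui": select_policy(GUI_LOGIN),
        "wireless": select_policy(WIRELESS_CLIENT),
        "cli_with_reversed_order": select_policy(CLI_LOGIN, [GUI_POLICY, MFA_CLI_POLICY]),
    }


if __name__ == "__main__":
    for label, chosen in demo().items():
        print(f"{label:>24}: {chosen}")
```

The last line of the demo is the one to watch when you clone policies in ISE: with the general NAS-Port-Type-only policy listed first, CLI logins never reach the MFA policy, because the general condition is also true for them.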

 

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/R6BGArNQ/TECSEC-3416.pdf says "Web UI uses CLI commands in the background" so I think it's a limitation in the GUI coding - probably needs an enhancement request via your account team.  Frankly it's shocking that this could have been overlooked!  I expect that the new UK Telecoms Security Act will make this mandatory so Cisco might be forced to review it...

------------------------------
Please click Helpful if this post helped you and Accept as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
Field Notice: FN74383 APs Running 17.12.4/5/6/6a May Run Out of Flash Space Preventing Upgrades
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

@JPavonM Does the above workaround prompt for inline MFA on C9800 GUI ?

JPavonM
VIP Alumni

We are using Notifications in the Auth App, but when I was also testing TOTP codes inline, yes it was working.
