TEAP Problem with Windows 10, ISE 3.2 with Patch 7 and EAP Chaining...

rezaalikhani
Spotlight

Hi all;

Consider the following scenario:

rezaalikhani_0-1731412235931.png

The client is configured as follows:

rezaalikhani_1-1731412411000.png

The target computer and the user both have the required certificates installed, as you can see below:

rezaalikhani_2-1731412669844.png

Now, the client machine is booted up and the following event is recorded on ISE:

rezaalikhani_3-1731412865517.png

Now, the user tries to log in to this client and the login operation succeeds as expected, but in ISE:

rezaalikhani_4-1731412975081.png

As you can see above, the login operation for the user does not match any configured authorization policy. When I click on the "Detail" button:

rezaalikhani_5-1731413068336.png

Any ideas?

Thanks

 

Accepted Solution

After conducting an in-depth investigation, I discovered that after the user logs in, the operating system enters the authentication phase by sending six consecutive EAPoL-Start messages without receiving any response from the switch. At this point, after approximately one minute, the endpoint repeats this process and then stops sending EAPoL-Start messages.

rezaalikhani_1-1731676460396.png

From this finding, I concluded that the issue lies with the switch, not the operating system. Consequently, I proceeded with my investigation by analyzing the switch's configuration. Initially, I removed all unnecessary 802.1X configurations from the endpoint-facing interface and tested again. This time, everything worked perfectly! I realized that one or more configurations on the interface were causing the issue. After thoroughly examining all the commands, I identified the one causing the problem: dot1x timeout ratelimit-period. This command, dot1x timeout ratelimit-period, defines the rate limit period, which throttles EAP-START packets from misbehaving supplicants. By using this command, the switch interprets the second round of EAPoL-Start messages from the endpoint (during user authentication) as coming from a malfunctioning endpoint and subsequently throttles the messages.

Conclusion: If you are using user-based authentication alongside computer authentication, avoid using the dot1x timeout ratelimit-period command.

Thanks

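The diagnostic the accepted solution describes (EAPoL-Start frames leaving the endpoint and never being answered by the switch) can be checked mechanically rather than by eye. The following is an added example, not the poster's code or anything from Cisco: it reads the tab-separated output of `tshark -r port.pcap -Y eapol -T fields -e frame.time_relative -e eth.src -e eapol.type -e eap.code -e eap.type`, groups EAPOL-Start frames that received no EAP-Request within a window into bursts, and reports how long after the last EAP-Success each burst began. The MAC addresses and the capture in SAMPLE_CAPTURE are constructed to mirror the thread (machine authentication at boot answered normally, then two bursts of six unanswered Starts about a minute apart); the 5-second reply window and 10-second burst gap are assumptions for grouping, not 802.1X timers.

```python
"""Find EAPOL-Start bursts that the authenticator never answered, from a tshark field dump."""
from dataclasses import dataclass


@dataclass
class Frame:
    t: float          # frame.time_relative
    src: str          # eth.src
    eapol_type: str   # eapol.type: "1" = EAPOL-Start, "0" = EAP-Packet
    eap_code: str     # eap.code: "1" Request, "2" Response, "3" Success, "4" Failure ("" on Start)
    eap_type: str     # eap.type: "1" Identity ("" when not an EAP-Packet)


# Constructed addresses; not from the thread.
SUPPLICANT = "00:11:22:33:44:55"
SWITCH = "00:aa:bb:cc:dd:ee"


def _row(t, src, eapol_type, eap_code="", eap_type=""):
    return "\t".join([f"{t:.3f}", src, eapol_type, eap_code, eap_type])


# Constructed capture in tshark -T fields layout: machine auth at boot is answered,
# the user-logon Starts (six, one second apart) and the retry a minute later are not.
SAMPLE_CAPTURE = "\n".join(
    [_row(0.000, SUPPLICANT, "1"),            # EAPOL-Start at boot ...
     _row(0.015, SWITCH, "0", "1", "1"),      # ... answered with EAP-Request/Identity
     _row(0.020, SUPPLICANT, "0", "2", "1"),  # EAP-Response/Identity
     _row(1.200, SWITCH, "0", "3")]           # EAP-Success for the machine
    + [_row(40.0 + i, SUPPLICANT, "1") for i in range(6)]   # user logs in: six Starts, silence
    + [_row(105.0 + i, SUPPLICANT, "1") for i in range(6)]  # retried a minute later, silence
)


def parse_capture(text):
    """Parse tab-separated tshark field lines into Frame objects; blank lines are skipped."""
    frames = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = (line.split("\t") + [""] * 5)[:5]
        frames.append(Frame(float(cols[0]), cols[1], cols[2], cols[3], cols[4]))
    return frames


def unanswered_start_bursts(frames, supplicant, reply_window=5.0, burst_gap=10.0):
    """Return lists of timestamps of EAPOL-Starts that saw no EAP-Request within reply_window,
    grouped into bursts whose members are at most burst_gap seconds apart."""
    starts = [f.t for f in frames if f.src == supplicant and f.eapol_type == "1"]
    requests = [f.t for f in frames
                if f.src != supplicant and f.eapol_type == "0" and f.eap_code == "1"]
    unanswered = [t for t in starts if not any(t < r <= t + reply_window for r in requests)]
    bursts = []
    for t in unanswered:
        if bursts and t - bursts[-1][-1] <= burst_gap:
            bursts[-1].append(t)
        else:
            bursts.append([t])
    return bursts


def diagnose(frames, supplicant, **kw):
    """One record per unanswered burst: when it began, how many Starts, and the time since
    the last EAP-Success from the switch (None if the port never authenticated)."""
    successes = [f.t for f in frames if f.src != supplicant and f.eap_code == "3"]
    report = []
    for burst in unanswered_start_bursts(frames, supplicant, **kw):
        prior = [s for s in successes if s < burst[0]]
        report.append({
            "first_start": burst[0],
            "count": len(burst),
            "seconds_since_last_success": round(burst[0] - prior[-1], 3) if prior else None,
        })
    return report


if __name__ == "__main__":
    for rec in diagnose(parse_capture(SAMPLE_CAPTURE), SUPPLICANT):
        print(rec)
```

A burst that begins seconds after an EAP-Success, with every Start in it unanswered, is the signature this thread ends on: the port authenticated the machine and then ignored the user session's Starts. On IOS the interface-level fix the accepted solution arrives at is `no dot1x timeout ratelimit-period`; re-running the same capture afterwards should show each Start answered by an EAP-Request/Identity and `diagnose()` returning an empty list.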

12 Replies

There are three conditions for each policy. Remove two and keep only the EAP-chaining one; it can be another condition failing, not EAP chaining. Remember you use "AND", not "OR". And for wired-802.1x, it is already used in the authc policy, so there is no need for it again under the authz policy.

MHM

Thanks for your reply;

I do not think the problem relates to the two rules not related to EAP Chaining, as when I removed them, the same problem occurred...

andrewswanson
Level 7

Hi

Do you have "user or computer authentication" mode selected on the supplicant?

andrewswanson_0-1731418205864.png

 

hth
Andy

Additionally, you must verify that you have the certificate issued for the machine as well.

Based on my first post, the machine has the required cert...

Thanks for your reply;

As you can see, I already enabled the required option:

rezaalikhani_0-1731488439971.png

 

Hi, can you check if this parameter is active in your protocols?

On the other hand, to see the live logs, have you tried restarting services or the node?

bryancruz_0-1731506183004.png

 

Thanks for your reply. But I have already enabled this option:

rezaalikhani_1-1731566607672.png

 

In the live log detail, check:

11627 Starting EAP chaining <<-

This is the full log for the machine authentication:

Steps

11001 Received RADIUS Access-Request - DomainInc.
11017 RADIUS created a new session - domain.com
15049 Evaluating Policy Group - DomainInc.
15008 Evaluating Service Selection Policy - domain.com
15048 Queried PIP - DomainInc.
11507 Extracted EAP-Response/Identity - DomainInc.
12756 Prepared EAP-Request proposing TEAP with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12758 Extracted EAP-Response containing TEAP challenge-response and accepting TEAP as negotiated
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12808 Prepared TLS ServerKeyExchange message
12809 Prepared TLS CertificateRequest message
12810 Prepared TLS ServerDone message
11596 Prepared EAP-Request with another TEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11595 Extracted EAP-Response containing TEAP challenge-response
11596 Prepared EAP-Request with another TEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11595 Extracted EAP-Response containing TEAP challenge-response
11596 Prepared EAP-Request with another TEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11595 Extracted EAP-Response containing TEAP challenge-response
11596 Prepared EAP-Request with another TEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11595 Extracted EAP-Response containing TEAP challenge-response
12810 Prepared TLS ServerDone message
12811 Extracted TLS Certificate message containing client certificate
12812 Extracted TLS ClientKeyExchange message
12803 Extracted TLS ChangeCipherSpec message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
11559 Client certificate was requested but not received inside the tunnel. Will continue with inner method.
11620 TEAP full handshake finished successfully
11596 Prepared EAP-Request with another TEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11595 Extracted EAP-Response containing TEAP challenge-response
11627 Starting EAP chaining
11573 Selected identity type 'User'
11564 TEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
11596 Prepared EAP-Request with another TEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11595 Extracted EAP-Response containing TEAP challenge-response
11567 Identity type provided by client is equal to requested
11522 Extracted EAP-Response/Identity for inner EAP method
12522 Prepared EAP-Request for inner method proposing EAP-TLS with challenge
12625 Valid EAP-Key-Name attribute received
11596 Prepared EAP-Request with another TEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11595 Extracted EAP-Response containing TEAP challenge-response
11515 Supplicant declined inner EAP method selected by Authentication Policy but did not proposed another one; inner EAP negotiation failed
11520 Prepared EAP-Failure for inner EAP method
11566 TEAP inner method finished with failure
22028 Authentication failed and the advanced options are ignored
33517 Sent TEAP Intermediate Result TLV indicating failure
11596 Prepared EAP-Request with another TEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11595 Extracted EAP-Response containing TEAP challenge-response
11574 Selected identity type 'Machine'
11564 TEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
11596 Prepared EAP-Request with another TEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11595 Extracted EAP-Response containing TEAP challenge-response
11567 Identity type provided by client is equal to requested
11522 Extracted EAP-Response/Identity for inner EAP method
12522 Prepared EAP-Request for inner method proposing EAP-TLS with challenge
12625 Valid EAP-Key-Name attribute received
11596 Prepared EAP-Request with another TEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11595 Extracted EAP-Response containing TEAP challenge-response
12524 Extracted EAP-Response containing EAP-TLS challenge-response for inner method and accepting EAP-TLS as negotiated
12800 Extracted first TLS record; TLS handshake started
12545 Client requested EAP-TLS session ticket
12546 The EAP-TLS session ticket received from supplicant. Inner EAP-TLS does not support stateless session resume. Performing full authentication
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12808 Prepared TLS ServerKeyExchange message
12809 Prepared TLS CertificateRequest message
12810 Prepared TLS ServerDone message
12527 Prepared EAP-Request for inner method with another EAP-TLS challenge
11596 Prepared EAP-Request with another TEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11595 Extracted EAP-Response containing TEAP challenge-response
12526 Extracted EAP-Response for inner method containing TLS challenge-response
12527 Prepared EAP-Request for inner method with another EAP-TLS challenge
11596 Prepared EAP-Request with another TEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11595 Extracted EAP-Response containing TEAP challenge-response
12526 Extracted EAP-Response for inner method containing TLS challenge-response
12527 Prepared EAP-Request for inner method with another EAP-TLS challenge
11596 Prepared EAP-Request with another TEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11595 Extracted EAP-Response containing TEAP challenge-response
12526 Extracted EAP-Response for inner method containing TLS challenge-response
12527 Prepared EAP-Request for inner method with another EAP-TLS challenge
11596 Prepared EAP-Request with another TEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request (Step latency=15046 ms)
11018 RADIUS is re-using an existing session
11595 Extracted EAP-Response containing TEAP challenge-response
11596 Prepared EAP-Request with another TEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11595 Extracted EAP-Response containing TEAP challenge-response
12526 Extracted EAP-Response for inner method containing TLS challenge-response
12527 Prepared EAP-Request for inner method with another EAP-TLS challenge
11596 Prepared EAP-Request with another TEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11595 Extracted EAP-Response containing TEAP challenge-response
12526 Extracted EAP-Response for inner method containing TLS challenge-response
12810 Prepared TLS ServerDone message
12568 Lookup user certificate status in OCSP cache - certificate for
12569 User certificate status was not found in OCSP cache - certificate for
12988 Take OCSP servers list from OCSP service configuration - certificate for
12550 Sent an OCSP request to the primary OCSP server for the CA - External OCSP Server
12561 Connection to OCSP server failed - certificate for
12552 Conversation with OCSP server ended with failure - certificate for
12572 OCSP response not cached - certificate for
12571 ISE will continue to CRL verification if it is configured for specific CA - certificate for
12811 Extracted TLS Certificate message containing client certificate
12812 Extracted TLS ClientKeyExchange message
12813 Extracted TLS CertificateVerify message
12803 Extracted TLS ChangeCipherSpec message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12509 EAP-TLS full handshake finished successfully
12527 Prepared EAP-Request for inner method with another EAP-TLS challenge
11596 Prepared EAP-Request with another TEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11595 Extracted EAP-Response containing TEAP challenge-response
12526 Extracted EAP-Response for inner method containing TLS challenge-response
61025 Open secure connection with TLS peer
15041 Evaluating Identity Policy
15048 Queried PIP - Network Access.EapTunnel
22072 Selected identity source sequence - All_User_ID_Stores
22071 Identity name is taken from AD account Implicit UPN
15013 Selected Identity Source - DomainInc.
24433 Looking up machine in Active Directory - DomainInc.
24325 Resolving identity - Win10-PC2.domain.com
24313 Search for matching accounts at join point - domain.com
24362 Client certificate matches AD account certificate - win10-pc2$@domain.com
24319 Single matching account found in forest - domain.com
24323 Identity resolution detected single matching account
24700 Identity resolution by certificate succeeded - DomainInc.
22037 Authentication Passed
12528 Inner EAP-TLS authentication succeeded
11519 Prepared EAP-Success for inner EAP method
11565 TEAP inner method finished successfully
33516 Sent TEAP Intermediate Result TLV indicating success
11596 Prepared EAP-Request with another TEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11595 Extracted EAP-Response containing TEAP challenge-response
11637 Inner method supports EMSK but the client provided only MSK. Allow downgrade as per configuration
11576 TEAP cryptobinding verification passed
15036 Evaluating Authorization Policy
24209 Looking up Endpoint in Internal Endpoints IDStore - WIN10-PC2$@domain.com
24211 Found Endpoint in Internal Endpoints IDStore
24433 Looking up machine in Active Directory - WIN10-PC2$@domain.com
24355 LDAP fetch succeeded
24435 Machine Groups retrieval from Active Directory succeeded
24355 LDAP fetch succeeded
24458 Not all Active Directory attributes are retrieved successfully
24100 Some of the expected attributes are not found on the subject record. The default values, if configured, will be used for these attributes
15048 Queried PIP - DomainInc..ExternalGroups
15016 Selected Authorization Profile - DC_DHCP_ISE_Access
11022 Added the dACL specified in the Authorization Profile
22081 Max sessions policy passed
22080 New accounting session created in Session cache
33514 Sent TEAP Result TLV indicating success
11596 Prepared EAP-Request with another TEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11595 Extracted EAP-Response containing TEAP challenge-response
11597 TEAP authentication phase finished successfully
11503 Prepared EAP-Success
11002 Returned RADIUS Access-Accept
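
The step list above is long, and the part that matters for EAP chaining is buried in it: ISE first offers the User identity type, the supplicant declines it (11515, because nobody is logged in at boot), then the Machine identity type runs inner EAP-TLS and passes. The following is an added example, not the poster's code or an ISE feature: a small Python summariser that walks a pasted step list (either the fused "11001Received ..." form above or the spaced form) and reports the per-identity inner results, the cryptobinding check, the selected authorization profile and the final RADIUS result, plus the OCSP failure as a warning. The step codes it keys on are the ones visible in the log above; SAMPLE_LOG is a constructed, abbreviated excerpt in the same format, and the 11003 (Returned RADIUS Access-Reject) branch is included for completeness although it does not appear anywhere in this thread.

```python
"""Summarise the TEAP / EAP-chaining outcome from an ISE live-log step list."""
import re
from dataclasses import dataclass, field

# Accepts both "11001Received ..." (as pasted above) and "11001 Received ...".
STEP_RE = re.compile(r"^\s*(\d{5})\s*(.*?)\s*$")


@dataclass
class InnerMethod:
    identity: str            # 'User' or 'Machine', from step 11573 / 11574
    result: str = "pending"  # 'success' (11565) | 'failure' (11566) | 'pending'
    reason: str = ""


@dataclass
class TeapSummary:
    chaining: bool = False          # 11627 Starting EAP chaining
    cryptobinding_ok: bool = False  # 11576 TEAP cryptobinding verification passed
    final: str = "none"             # 'accept' (11002) | 'reject' (11003) | 'none'
    authz_profile: str = ""         # 15016 Selected Authorization Profile - <name>
    inner: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


# Constructed, abbreviated excerpt using the same codes and wording as the log above.
SAMPLE_LOG = """\
Steps
 11001Received RADIUS Access-Request
 12816TLS handshake succeeded
 11620TEAP full handshake finished successfully
 11627Starting EAP chaining
 11573Selected identity type 'User'
 11564TEAP inner method started
 11515Supplicant declined inner EAP method selected by Authentication Policy but did not proposed another one; inner EAP negotiation failed
 11566TEAP inner method finished with failure
 11574Selected identity type 'Machine'
 11564TEAP inner method started
 12561Connection to OCSP server failed - certificate for
 12528Inner EAP-TLS authentication succeeded
 11565TEAP inner method finished successfully
 11576TEAP cryptobinding verification passed
 15016Selected Authorization Profile - DC_DHCP_ISE_Access
 11597TEAP authentication phase finished successfully
 11002Returned RADIUS Access-Accept
"""


def parse_steps(text):
    """Return (code, message) pairs; lines without a 5-digit step code are ignored."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append((m.group(1), m.group(2)))
    return steps


def summarise_teap(text):
    s = TeapSummary()
    current = None  # the inner method currently being negotiated
    for code, msg in parse_steps(text):
        if code == "11627":
            s.chaining = True
        elif code in ("11573", "11574"):
            m = re.search(r"'(\w+)'", msg)
            current = InnerMethod(identity=m.group(1) if m else "?")
            s.inner.append(current)
        elif code == "11515" and current is not None:
            current.reason = "supplicant declined the inner method"
        elif code == "11565" and current is not None:
            current.result = "success"
        elif code == "11566" and current is not None:
            current.result = "failure"
        elif code == "11576":
            s.cryptobinding_ok = True
        elif code == "15016":
            s.authz_profile = msg.split(" - ", 1)[-1]
        elif code == "12561":
            s.warnings.append("OCSP server unreachable (12561); revocation only checked via CRL if one is configured")
        elif code == "11002":
            s.final = "accept"
        elif code == "11003":  # Returned RADIUS Access-Reject; not seen in this thread's log
            s.final = "reject"
    return s


def chaining_verdict(s):
    """Classify the chaining outcome from the per-identity inner results."""
    res = {m.identity: m.result for m in s.inner}
    user, machine = res.get("User"), res.get("Machine")
    if not s.chaining:
        return "no chaining"
    if user == "success" and machine == "success":
        return "user and machine both succeeded"
    if machine == "success":
        return "machine succeeded, user failed"
    if user == "success":
        return "user succeeded, machine failed"
    return "both failed"


if __name__ == "__main__":
    summary = summarise_teap(SAMPLE_LOG)
    print(chaining_verdict(summary))
    for m in summary.inner:
        print(f"{m.identity}: {m.result} {m.reason}")
    print(summary.final, summary.authz_profile, summary.warnings)
```

Run against the boot-time log above this yields "machine succeeded, user failed", which is the expected result while no user is logged in; a healthy post-logon authentication should instead show both inner methods succeeding before the authorization rule that requires the user is evaluated.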

 

 

Collect an endpoint debug for Client and TCP dump from NAD under Operations > Diagnostic tools. Any clues?

What happens if you add an 'and' to also check AD for computer under your 'user and computer' AuthZ? I only see user condition. 
