ISE Machine authentication

Hi
i enabled machine authentication for windows machine but i have some MAC OSX laptop that authenticate with MS AD that i need to exclude form MAR , i tried to apply specific auhz policy but every time it fails because of MAR  , any idea ?  

One way you could do this is to utilize profiling. You can then create a policy that authorizes MACs without forcing them to go against the MAR check.
On the other hand, if your MACs are joined to your domain then you can eliminate MAR and simply perform PEAP (machine) based authentication for both your MACs and Windows machines. 
You could also create a special rule for MACs that authenticate via PEAP (User) based authentication
Hope this helps!
Thank you for rating helpful posts! 

Similar Messages

  • ISE machine authentication timeout

    Hi all,
    We have a ISE infrastructure and we have enabled user and machine authentication through EAP-TLS.
    Everything is working fine except that every 1 hour user must log off and login again because machine authentication has, I think, expired!
    As you can imagine this is unacceptable. I saw that the machine restriction age is only 1 hour and changed it to 8 hours.
    My question is if machine restarts at 7 hours past first successful authentication will the timer reset or after an hour will be kicked and have to log off and in again?
    How have you bypassed the timeout of mar cache?
    My ISE version is 1.2 with 2 patches installed
    Thank you
    Sent from Cisco Technical Support iPad App

    Hi
    Cisco ISE contains a Machine Access Restriction (MAR) component that provides an additional means of controlling authorization for Microsoft Active Directory-authentication users. This form of authorization is based on the machine authentication of the computer used to access the Cisco ISE network. For every successful machine authentication, Cisco ISE caches the value that was received in the RADIUS Calling-Station-ID attribute (attribute 31) as evidence of a successful machine authentication.
    Cisco ISE retains each Calling-Station-ID attribute value in cache until the number of hours that was configured in the "Time to Live" parameter in the Active Directory Settings page expires. Once the parameter has expired, Cisco ISE deletes it from its cache.
    When a user authenticates from an end-user client, Cisco ISE searches the cache for a Calling-Station-ID value from successful machine authentications for the Calling-Station-ID value that was received in the user authentication request. If Cisco ISE finds a matching user-authentication Calling-Station-ID value in the cache, this affects how Cisco ISE assigns permissions for the user that requests authentication in the following ways:
    • If the Calling-Station-ID value matches one found in the Cisco ISE cache, then the authorization profile for a successful authorization is assigned.
    • If the Calling-Station-ID value is not found to match one in the Cisco ISE cache, then the authorization profile for a successful user authentication without machine authentication is assigned.

  • ISE machine authentication - only plug in to the network after booting

    Hi experts.
    I have recently deployed ISE with machine authentication. 
    However, when the machine is already plugged in to the switch before booting, the machine does not authenticate automatically. It isn't until I log on, using a local computer account, that 802.1X authentication occurs. Using wireshark, I have verified again that this authentication is MACHINE authentication, not user-authentication.
    Is there a way to solve this problem, other than having my users unplug their computer and only plug in to the network after booting?
    Eric

    Hi Vattulu,
      The method of machine access restriction will be used, because there is no a plan to use anyconnect NAM on the client environment, since the prerequisite for EAP-chaining is to use anyconnect.
    Regards,
    Eric

  • ISE 1.2 - 24492 Machine authentication against AD has failed

    Currently experiencing a machine authentication problem between ISE 1.2 patch 2 and a customer AD installation.
    AuthZ policy is set to match agains /Users/Domain Computers and /Users Domain Users.  User authentication works, machine auth doesnt.
    Machine authentication box is ticked.
    If you try to disable an AD machine, or try a machine not in the domain you get the appropriate different response in the ISE logs which sugests it has the right access into AD to check this info.
    This happens on all computers, both WinXP and Win7 corporate builds.
    I know its not an ISE policy configuration as I have resorted to testing the same ISE against a vanilla lab AD environment with the same AD domain name (just by changing the DNS servers ISE uses) and the computer lookup works!
    Anybody got any ideas?
    thanks.

    24492
    External-Active-Directory
    Machine   authentication against Active Directory has failed
    Machine   authentication against Active Directory has failed.
    Error
    Please check NTP is in sync or not  ISE

  • ISE 1.1 - 24492 Machine authentication against AD has failed

    We implement Cisco ISE 802.1X and Machine Authentication With EAP-TLS.
    Authentication Summary
    Logged At:
    March 11,2015 7:00:13.374 AM
    RADIUS Status:
    RADIUS Request dropped : 24492 Machine authentication against Active Directory has failed
    NAS Failure:
    Username:
    [email protected]
    MAC/IP Address:
    00:26:82:F1:E6:32
    Network Device:
    WLC : 192.168.1.225 :  
    Allowed Protocol:
    TDS-PEAP-TLS
    Identity Store:
    AD1
    Authorization Profiles:
    SGA Security Group:
    Authentication Protocol :
    EAP-TLS
     Authentication Result
    RadiusPacketType=Drop
     AuthenticationResult=Error
     Related Events
     Authentication Details
    Logged At:
    March 11,2015 7:00:13.374 AM
    Occurred At:
    March 11,2015 7:00:13.374 AM
    Server:
    ISE-TDS
    Authentication Method:
    dot1x
    EAP Authentication Method :
    EAP-TLS
    EAP Tunnel Method :
    Username:
    [email protected]
    RADIUS Username :
    host/LENOVO-PC.tdsouth.com
    Calling Station ID:
    00:26:82:F1:E6:32
    Framed IP Address:
    Use Case:
    Network Device:
    WLC
    Network Device Groups:
    Device Type#All Device Types,Location#All Locations
    NAS IP Address:
    192.168.1.225
    NAS Identifier:
    WLC-TDS
    NAS Port:
    4
    NAS Port ID:
    NAS Port Type:
    Wireless - IEEE 802.11
    Allowed Protocol:
    TDS-PEAP-TLS
    Service Type:
    Framed
    Identity Store:
    AD1
    Authorization Profiles:
    Active Directory Domain:
    tdsouth.com
    Identity Group:
    Allowed Protocol Selection Matched Rule:
    TDS-WLAN-DOT1X-EAP-TLS
    Identity Policy Matched Rule:
    Default
    Selected Identity Stores:
    Authorization Policy Matched Rule:
    SGA Security Group:
    AAA Session ID:
    ISE-TDS/215430381/40
    Audit Session ID:
    c0a801e10000007f54ffe828
    Tunnel Details:
    Cisco-AVPairs:
    audit-session-id=c0a801e10000007f54ffe828
    Other Attributes:
    ConfigVersionId=7,Device Port=32768,DestinationPort=1812,RadiusPacketType=AccessRequest,Protocol=Radius,Framed-MTU=1300,State=37CPMSessionID=c0a801e10000007f54ffe828;30SessionID=ISE-TDS/215430381/40;,Airespace-Wlan-Id=1,CPMSessionID=c0a801e10000007f54ffe828,EndPointMACAddress=00-26-82-F1-E6-32,GroupsOrAttributesProcessFailure=true,Device Type=Device Type#All Device Types,Location=Location#All Locations,Device IP Address=192.168.1.225,Called-Station-ID=e0-d1-73-28-a7-70:TDS-Corp
    Posture Status:
    EPS Status:
     Steps
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15048  Queried PIP
    15048  Queried PIP
    15048  Queried PIP
    15048  Queried PIP
    15004  Matched rule
    11507  Extracted EAP-Response/Identity
    12500  Prepared EAP-Request proposing EAP-TLS with challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12502  Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
    12800  Extracted first TLS record; TLS handshake started
    12805  Extracted TLS ClientHello message
    12806  Prepared TLS ServerHello message
    12807  Prepared TLS Certificate message
    12809  Prepared TLS CertificateRequest message
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12571  ISE will continue to CRL verification if it is configured for specific CA
    12571  ISE will continue to CRL verification if it is configured for specific CA
    12811  Extracted TLS Certificate message containing client certificate
    12812  Extracted TLS ClientKeyExchange message
    12813  Extracted TLS CertificateVerify message
    12804  Extracted TLS Finished message
    12801  Prepared TLS ChangeCipherSpec message
    12802  Prepared TLS Finished message
    12816  TLS handshake succeeded
    12509  EAP-TLS full handshake finished successfully
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    Evaluating Identity Policy
    15006  Matched Default Rule
    24433  Looking up machine/host in Active Directory - [email protected]
    24492  Machine authentication against Active Directory has failed
    22059  The advanced option that is configured for process failure is used
    22062  The 'Drop' advanced option is configured in case of a failed authentication request
    But the user can authenticated by EAP-TLS
    AAA Protocol > RADIUS Authentication Detail
    RADIUS Audit Session ID : 
    c0a801e10000007f54ffe828
    AAA session ID : 
    ISE-TDS/215430381/59
    Date : 
    March     11,2015
    Generated on March 11, 2015 2:48:43 PM ICT
    Actions
    Troubleshoot Authentication 
    View Diagnostic MessagesAudit Network Device Configuration 
    View Network Device Configuration 
    View Server Configuration Changes
    Authentication Summary
    Logged At:
    March 11,2015 7:27:32.475 AM
    RADIUS Status:
    Authentication succeeded
    NAS Failure:
    Username:
    [email protected]
    MAC/IP Address:
    00:26:82:F1:E6:32
    Network Device:
    WLC : 192.168.1.225 :  
    Allowed Protocol:
    TDS-PEAP-TLS
    Identity Store:
    AD1
    Authorization Profiles:
    TDS-WLAN-PERMIT-ALL
    SGA Security Group:
    Authentication Protocol :
    EAP-TLS
     Authentication Result
    [email protected]
     State=ReauthSession:c0a801e10000007f54ffe828
     Class=CACS:c0a801e10000007f54ffe828:ISE-TDS/215430381/59
     Termination-Action=RADIUS-Request
     cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-508adc03
     MS-MPPE-Send-Key=5a:9a:ca:b0:0b:2a:fe:7d:fc:2f:8f:d8:96:25:50:bb:c8:7d:91:ba:4c:09:63:57:3e:6e:4e:93:5d:5c:b0:5d
     MS-MPPE-Recv-Key=24:fa:8d:c3:65:94:d8:29:77:aa:71:93:05:1b:0f:a5:58:f8:a2:9c:d0:0e:80:2d:b6:12:ae:c3:8c:46:22:48
     Airespace-Wlan-Id=1
     Related Events
     Authentication Details
    Logged At:
    March 11,2015 7:27:32.475 AM
    Occurred At:
    March 11,2015 7:27:32.474 AM
    Server:
    ISE-TDS
    Authentication Method:
    dot1x
    EAP Authentication Method :
    EAP-TLS
    EAP Tunnel Method :
    Username:
    [email protected]
    RADIUS Username :
    [email protected]
    Calling Station ID:
    00:26:82:F1:E6:32
    Framed IP Address:
    Use Case:
    Network Device:
    WLC
    Network Device Groups:
    Device Type#All Device Types,Location#All Locations
    NAS IP Address:
    192.168.1.225
    NAS Identifier:
    WLC-TDS
    NAS Port:
    4
    NAS Port ID:
    NAS Port Type:
    Wireless - IEEE 802.11
    Allowed Protocol:

    Hello,
    I am analyzing your question and seeing the ISE logs i can see that the machine credentials was LENOVO-PC. Do you have shure that these credentials has in your Active Directory to validate this machine ? The machine certificate has the correct machine credentials from the domain ? The group mapped in the ISE rule has the machine inside this group ?
    Differently from the user authentication that happens with success because the domain credentials can be validate from the Active Directory and get access to the network.

  • ISE 1.3 Why are Windows endpoints defaulting to 802.1x machine authentication in wireless profile and not User or User&Computer

    We are running ISE 1.3 tied to AD with WLC 7.6.130.0.  Our ISE has a GoDaddy (none wildcard) certificate loaded for https and EAP.  We are just running PEAP.  We have a mix of IOS, Android, and Windows 7/8 devices.  IOS and Android devices can self create a wireless profile and after entering credentials can connect without issue.  Our Windows 7/8 devices, when auto creating a wireless profile are selecting 802.1x machine authentication instead of User authentication or the best option which is machine or user authentication.  This is problematic as we do allow for machine authentication but have an authorization rule limiting machine auth to domain controller and ISE connectivity only.  This is to allow domain Windows 7/8 devices to have domain connectivity prior to user sign-in but force user auth to get true network connectivity.  The problem is why are the Windows devices not auto setting to user authentication (as I think they did when we ran ISE1.2), or the best option which is to allow both types of authentication?  I have limited authentication protocols to just EAP CHAP and moved the machine auth profile to the bottom of the list.  Neither have helped.  I also notice that the Windows 7/8 endpoints have to say allow connectivity several times even though we are using a global and should be trusted certificate authority (probably a separate issue).
    Thank you for any help or ideas,

    When connecting a windows device to the ISE enabled SSID when there is not a saved wireless profile on that machine, it will connect and auto create the profile.  In that profile, 802.1x computer authentication option is chosen by windows.  That has to be changed to computer or user for the machine to function correctly on the network.
    On 1.2, this behavior was different.  The Windows device would auto select user authentication by default.  At other customer sites, windows devices auto select user authentication.  This of course needs  to be changed to user or computer in order to support machine auth, but at least the default behavior of user authentication would allow machines to get on the network and functional easily to begin with.

  • Only machine authentication in ISE

    Hello,
    I would like to know is it possible to have only machine authentication (No user auth at all) in ISE infrastructure. If yes then what credential need to be provide at the time of 802.1X auth login or there is no need to provide any credential and workstation automatically passed authentication process.
    Thanks in advanced

    Hi,
    Yes but you will need to use your normal login credentials and set every supplicant to do computer authentication only. Keep in mind most windows supplicant only do machine authentications at certain times.
    Keep in mind you can do machine and user auth and build policies such that only users on authenticated machines are granted access.
    Sent from Cisco Technical Support iPad App

  • ISE and machine authentication

    Hi
    I have ISE 1.1  : user authentication is working fine
    Now I need to implement machine authentication
    But I have 2 requirement
    1- User must remove and plug his network cable as he want (without close windows session or restart his computer) and his computer should be authenticated evry time as with user authentication
    2- I must not install any software or client applicatin on the computer
    Is there any method of machine authentication that respect thise 2 requirements above
    Regards

    I guess you need to review the below listed thread as we are discussing the same thing. You have to create an authorization rule highlighted in the screen shot.
    https://supportforums.cisco.com/message/4044276#4044276
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Apple macosx machine authentication with ISE using EAP-TLS

    Hello,
    On a ongoing setup we are using eap-tls authentication with account validation against AD. We have our own CA (microsoft based). ISE version 1.2.1 patch 1.
    With windows machines all is working well. We are using computer authentication only.
    Now the problem is that we wish to do the same with MAC OSX machines.
    We are using casper software suite and are able to push certificates into macosx, and are doing machine authentication.
    in ISE the certificate authentication profile is being set to look at the subject alternative name - DNS name of the machines. Whenever we set it to the UPN (hostname$) windows accounts are not found in ad.
    When MAC OSX authenticate as machines (they have a computer account in AD) they present themselves with RADIUS-Username = hostname$ instead of host/hostname.
    The consequence is that by lacking the host/, ISE considers that this is a user authentication, instead of a computer one, and when it sets off to find the account, it searches in User class instead of Computer - which obviously returns no results.
    Is anybody aware of any way to force MAC OSX to present a host/hostname RADIUS-Username when authenticating?
    Any similar experiences of authenticating MAC OSX with ISE and machine/computer authentication are welcome.
    Thanks
    Gustavo Novais

    Additional information from the above question.
    I have the following setup;
    ACS 3.2(3) built 11 appliance
    -Cisco AP1200 wireless access point
    -Novell NDS to be used as an external database
    -Windows 2003 enterprise with standalone Certificate Authorithy Services Installed
    -Windows XP SP2 Client
    My Goal is to use Windows XP Native Wlan Utility to connect to AP using EAP-TLS authentication against Novell NDS.
    Tried to connect using Cisco compatible wlaN utility and authenticate using EAP-GTC against Novell NDS for for users, it works fine and perfectly.
    When connecting using EAP-TLS, I am getting an error from ACS failed attempt "Auth type Not supported by External DB". But in the ACS documentation says that it supports EAP-TLS. How true is this? Is there anybody have the same problem? Do I need to upgrade my ACS? What should I do? What other authentication type could be used to utilize native WinXP Wlan Utility?
    Please help...
    Thanks

  • Cisco ISE Machine failed machine authentication

    Hi, last week we migrated to ISE 1.2 Patch 7 and since then we are having trouble with our corporate SSID.
    We have a rule that says :
    1) User is domain user.
    2) Machine is authenticated.
    But for some reason that I can't figure out some machine(I would say around 200/1000) can't seem to authenticate.
    This is the message I found in the "steps"
    24423     ISE has not been able to confirm previous successful machine authentication for user in Active Directory
    I was wondering if I could force something on the controller or on ISE directly.
    EDIT : In the operation > Authentication I can see that some host/MachineName are getting authenticated.
    Would I be able to force this as a step in my other rule.

    Hi shertica, and thank you for the explanation. I started working with ISE a month ago and still getting familiarized but I think the problem is the relationship between the Machine and the user because I can't find any Host/MachineName fail in the last 24 hour and I can't seem to have any log further than that.
    Failure Reason
    15039 Rejected per authorization profile
    Resolution
    Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.
    Steps
    11001
    Received RADIUS Access-Request
    11017
    RADIUS created a new session
    15049
    Evaluating Policy Group
    15008
    Evaluating Service Selection Policy
    15048
    Queried PIP
    15048
    Queried PIP
    15048
    Queried PIP
    15004
    Matched rule
    11507
    Extracted EAP-Response/Identity
    12300
    Prepared EAP-Request proposing PEAP with challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12302
    Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
    12318
    Successfully negotiated PEAP version 0
    12800
    Extracted first TLS record; TLS handshake started
    12805
    Extracted TLS ClientHello message
    12806
    Prepared TLS ServerHello message
    12807
    Prepared TLS Certificate message
    12810
    Prepared TLS ServerDone message
    12305
    Prepared EAP-Request with another PEAP challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12304
    Extracted EAP-Response containing PEAP challenge-response
    12318
    Successfully negotiated PEAP version 0
    12812
    Extracted TLS ClientKeyExchange message
    12804
    Extracted TLS Finished message
    12801
    Prepared TLS ChangeCipherSpec message
    12802
    Prepared TLS Finished message
    12816
    TLS handshake succeeded
    12310
    PEAP full handshake finished successfully
    12305
    Prepared EAP-Request with another PEAP challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12304
    Extracted EAP-Response containing PEAP challenge-response
    12313
    PEAP inner method started
    11521
    Prepared EAP-Request/Identity for inner EAP method
    12305
    Prepared EAP-Request with another PEAP challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12304
    Extracted EAP-Response containing PEAP challenge-response
    11522
    Extracted EAP-Response/Identity for inner EAP method
    11806
    Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
    12305
    Prepared EAP-Request with another PEAP challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12304
    Extracted EAP-Response containing PEAP challenge-response
    11808
    Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
    15041
    Evaluating Identity Policy
    15006
    Matched Default Rule
    15013
    Selected Identity Source - IdentityStore_AD_liadom01
    24430
    Authenticating user against Active Directory
    24402
    User authentication against Active Directory succeeded
    22037
    Authentication Passed
    11824
    EAP-MSCHAP authentication attempt passed
    12305
    Prepared EAP-Request with another PEAP challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12304
    Extracted EAP-Response containing PEAP challenge-response
    11810
    Extracted EAP-Response for inner method containing MSCHAP challenge-response
    11814
    Inner EAP-MSCHAP authentication succeeded
    11519
    Prepared EAP-Success for inner EAP method
    12314
    PEAP inner method finished successfully
    12305
    Prepared EAP-Request with another PEAP challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12304
    Extracted EAP-Response containing PEAP challenge-response
    24423
    ISE has not been able to confirm previous successful machine authentication for user in Active Directory
    15036
    Evaluating Authorization Policy
    24432
    Looking up user in Active Directory - LIADOM01\lidoex
    24416
    User's Groups retrieval from Active Directory succeeded
    15048
    Queried PIP
    15048
    Queried PIP
    15048
    Queried PIP
    15048
    Queried PIP
    15048
    Queried PIP
    15004
    Matched rule - AuthZBlock_DOT1X
    15016
    Selected Authorization Profile - DenyAccess
    15039
    Rejected per authorization profile
    12306
    PEAP authentication succeeded
    11503
    Prepared EAP-Success
    11003
    Returned RADIUS Access-Reject
    Edit : I found a couple of these :
    Event
    5400 Authentication failed
    Failure Reason
    24485 Machine authentication against Active Directory has failed because of wrong password
    Resolution
    Check if the machine is present in the Active Directory domain and if it is spelled correctly. Also check whether machine authentication is configured properly on the supplicant.
    Root cause
    Machine authentication against Active Directory has failed because of wrong password.
    Username
    host/MachineName
    I also have an alarming number of : Misconfigured Supplicant Detected(3714)

  • ISE - Machine + user authentication

    I've searched forum, community but I couldn't find exactly what I need:
    I have a client that want's to use two step authentication on wireless: first machine authentication to make sure that device is on the domain and then username/password authentication.
    Now, I've read about MAR, EAP chaining, and I understood it all, only thing I didn't understand is:
    If I configure ISE to authenticate machine, it will allow limited access to DC (for example).
    Then, after that AuthZ profile is applied, what will do new authorization? My understanding is once MAR is done, AuthZ profileis applied and authorization is finished.
    Now, I am not asking about turning on laptop, getting PC on the network, then logging in and then providing the user/credentials, etc. I am asking for this scenario:
    How ISE policy and AuthZ profile should look like, for example, I come in the office, my wireless card is disabled, I login to my laptop, then I notice that my wireless card is disabled and now I enable it. I need to have Machine authentciation happening at that point + prompting user for username/password to complete registration on wireless.
    NAM is already refused by client, so I need something that will work on plain Windows 7.
    Thanks.

    Hello Align-
    In your post you are referring to two completely separate and independent solutions:
    1. MAR
    2. EAP-Chaining
    MAR only happens when the machine first boots up and the host presents its machine domain credentials. Then the machine MAC address is saved in ISE. The MAC is preserved in ISE as long as configured in the machine timer. Keep in mind that if let's say a computer was booted while connected on the wired network, only that MAC address will be authenticated. If the user moves to wireless, the connection will be denied as ISE will not have any records of the wireless MAC. Along with all of that, you will need another method (usually PEAP) to perform the user authentication. Usually this method is not a very good one to implement due to the issues listed
    EAP-Chaining on the other hand utilizes EAP-FAST and it s a multi-phase method during which both machine and user information is passed in a secured TLS tunnel. For that you need to implement Cisco AnyConnect as it is the only software supplicant that supports it at the moment. For more info you might wanna look into Cisco's TrustSec guide:
    http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_80_eapchaining_deployment.pdf
    I hope this helps!
    Thank you for rating!

  • Is LDAP or AD as a external identity store recommended in ISE implementation for machine authentication

    Hi Experts,
    I have question about External identity store integration in ISE . I had chance to go through the cisco doc for ISE configuration especially for external identity store .
    there are two ways to configure external identity store.
    1) AD
    2) LDAP
    Which one is actually recommended ? technically which one would be convinient to configure to set-up machine authentication. do we have any limitation in terms of functionality in either of one ?

    Hi Leo,
    its not duplicate post , I have created one more post where you have linked that is for client policy enforcement . I want to understand how certificates will be pushed to client.
    This post is to understand the LDAP & AD intergration with ISE .
    I have requirement where client is asking to intergrate machine database using LDAP.
    I am quite new for LDAP intergration that is the reason I have created this discussion.

  • Machine authentication using certificates

    Hi,
    I am facing this error while machine authenticates agaist AD for wireless users. My requirement is users with corporate laptop get privileged vlan and BYOD should get normal vlan.I am using Cisco ISE 1.1.1 and configured authentication policies to diffrenciate clients based on corp asset and BYOD. Authentication policy result is identity sequnce which uses certificate profile and AD. All corp laptops should be authenticated using certificates and then followed by AD user and pass. when I configure XP users to validate server certificate this error comes in ISE log "Authentication failed : 11514 Unexpectedly received empty TLS message; treating as a rejection by the client" and if I disable validate sewrver certificate then this error "Authentication failed : 22049 Binary comparison of certificates failed".
    Any help??
    Thanks in advance.

    Hi [answers are inline]
    I  have tried using Cisco Anyconnect NAM on Wondows XP for machine and  user authentication but EAP-chaining feature is not working as expected.  I am facing few challenges. I have configured NAM to use eap-fast for  machine and user authentication and ISE is configured with required  authorisation rule and profiles/results. when machine boots up it sends  machine certificate and gets authenticated against AD and ISE matches  the authorisation rule and assigns authZ profile without waiting for  user credentials.
    This is expected for machine authentication, since the client hasnt logged in machine authentication will succeed so the computer has connectivity to the domain.
    Now when a user logs on using AD user/pass,  authentication fails as the VLAN assigned in AuthZ profile does not have  access to AD. ISE should actually check with their external database  but Its not.
    Do you see the authentication report in ISE? Keep in mind that you are authenticating with a client that has never logged into the workstation before. I am sure you are looking for the feature which starts the NAM process before the user logs in. Try checking this option here:
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac04namconfig.html#wp1074333
    Note the section below:
    –Before  User Logon—Connect to the network before the user logs on. The user  logon types that are supported include user account (Kerberos)  authentication, loading of user GPOs, and GPO-based logon script  execution.
    If you choose Before User Logon, you also get to set Time to Wait Before Allowing a User to Logon:
    Time to Wait Before Allowing User to Logon—Specifies the maximum (worst  case) number of seconds to wait for the Network Access Manager to make a  complete network connection. If a network connection cannot be  established within this time, the Windows logon process continues with  user log on. The default is 5 seconds.
    Note If the Network Access Manager is configured to manage wireless connections, set Time to wait before allowing user to logon to 30 seconds or more because of the additional time it may take to  establish a wireless connection. You must also account for the time  required to obtain an IP address via DHCP. If two or more network  profiles are configured, you may want to increase the value to cover two  or more connection attempts.
    You will have to enable this setting to allow the supplicant to connect to the network using the credentials you provide, the reason for this is you are trying to authenticate a user that has never logged into this workstation before. Please make changes to the configuration.xml file, and then select the repair option on the anyconnect client and test again.
    Interestingly, if I login with an AD user which is local to  the machine its gets authenticated and gets correct AuthZ  profile/access level. If I logoff and login with different user, Windows  adapter gets IP address and ISE shows successful authentication /authz  profile but NAM agent prompts limited connectivity. Any help??
    Please make the changes above and see if the error message goes away.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Machine authentication with Windows 7

    Version: ISE 1.2p12
    Hello,
    I'm doing user and machine authentication with ISE.
    I use a first authorization rule to authenticate the machine against the AD. If it's part computers of the domain.
    Then I use an authorization rule to check if the user's group in AD with the credential he used to open the session + "Network Access:WasMachineAuthenticated = True"
    Things seems to be working and I see my switch port is "Authz Success" but shortly after the Windows 7 machine is behaving like 802.1X authentication fails. The little computer on the bottom right has a cross on it.
    If I disable and enable again the network card of that windows machine it works.
    Does any one of you have an idea about this problem ? something to tweak on Windows 7 like timers...
    Thank you

    Hi Mika. My comments below:
    a) You told me that MAR ("Network Access:WasMachineAuthenticated = True") has some drawbacks. When hibernation is used it can cause problems since the MAC address could have been removed from the cache when the user un-hibernate its computer. Then why not increasing the MAR cache to a value of 7 days then ? Regarding the roaming between wire and wireless it's a problem indeed.
    NS: I don't believe that the MAR cache would be affected by a machine hibernating or going to sleep. There are some dot1x related bug fixes that Massimo outlined in his first pos that you should look into. But yes, you can increase the MAR timer to a value that fits your environent
    b) You suggest to use one authorization rule for the device which should be part of the AD and one authorization rule for the user with the extra result "IdentityAccessRestricted = False". By the was, are we really talking about authorization rules here ? I will try this but it's difficult for me to imagine how it would really work.
    NS: Perhaps there is some confusion here but let me try to explain this again. The "IdentityAccessRestricted" is a check that can be done against a machine or a user account in AD. It is an optional attribute and you don't have to have it. I use it so I can prevent terminated users from gaining access to the network by simply disabling their AD account. Again, that account can be either for a "user" or for a "machine"
    z) One question I was asking myself for a long time. All of us want to do machine+user authentication but Windows write Machine OR User Authentication. This "OR" is very confusing.
    NS: At the moment, the only way you can accomplish a true machine+user authentication is to use the Cisco AnyConnect supplicant. The process is also known as "EAP-Chaining" and/or "EAP-TEAP." In fact there is an official RFC (RFC 7170 - See link below). Now the question is when and if Microsoft, Apple, Linux, etc will start supporting it:
    https://tools.ietf.org/html/rfc7170
    Thank you for rating helpful posts!

  • Machine authentication over Client IPSEC tunnel

    I am in the process of converting our existing remote access from Microsoft Threat Management Gateway to Cisco ASA.  Our security folks just made me aware that in addition to the Radius authentication against AD credentials that they also want me to do machine authentication to make sure that the machine name of the system trying to get remote access has a machinea account in AD.
    I have been looking for a way to do this with the IPSEC client but havent found anything as yet.  Would appreciate any links that show me how to get this done.  Moving to Anyconnect isnt an option at this point due to budgetary issues.  I am using the latest Cisco VPN client in the 5.x train and have 8.2.5 code running on my 5520.
    What I may be looking at might be NAC (Network Admission Control ?).  Looking for all suggestions at this point.
    Thanks,
    Ron

    I've used enrolled user X.509 USER certificates with Cisco VPN Client 4.x / 5.x into an ASA. They were issued by a partner's root CA and the connection was allowed on the basis of that root CA being trusted by the remote ASA.
    But yes, what you are asking about is more of a NAC, or the successor Identity Services Engine (ISE) product type of feature. In the case of ISE, it can do what you ask but requires a good bit of investment to get that and many many other features.
    I strongly suspect that some additional investment will be necessary to get what your security team is requesting. At the very least AnyConnect Premium licenses and use of the Network Access Manager (NAM) feature. See this reference.

Maybe you are looking for