ISE 1.2 EAP Chaining and Windows 8 - Auth failures

Similar Messages

• ISE:Doubt on eap-chaining

  Hello guys,
  I would like to use eap-chaining for my ISE deployment so host and user name can be send, chained and authenticated so i only allow full access to corporate devices and users. The thing is i am not using EAP-TLS, no user certificate... Eap chaining depends of eap-fast to work?? Didnt understand that part.
  What can I do to still use the eap chaining without having eap-tls deployment?
  Thanks!!
  Emilio

  Hi Emillo,
  Yes EAP-Chaining uses EAP-FASTv2 and doesnt require certificates.
  For details on how to setup EAP-Chaining, refer this how-to-guide :
  http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_80_eapchaining_deployment.pdf
  The profile editor mentioned in the guide can be downloaded from here:
  http://software.cisco.com/download/release.html?mdfid=283000185&softwareid=282364313&release=3.1.03103
  Refer this video on ciscolive365 for details on its functionality (need to register a free account) :
  https://www.ciscolive365.com/connect/sessionDetail.ww?SESSION_ID=6039&backBtn=true
  HTH
  -Hari

• EAP-TLS and MS AD auth problem

  Hi,
  I have a problem with an ACS to authenticate users with certificate on MS AD.
  Working things:
  PEAP authentication with the MS AD;
  EAP-TLS authentication with the local DB.
  Not working things:
  EAP-TLS authentication with MS AD.
  Because I'm able to auth users with PEAP on MS AD, I guess my config on MS AD is correct.
  Because I'm able to auth users with certif in EAP-TLS, I guess my certif config is correct.
  So, why it's not working with the combination EAP-TLS and MS AD.
  I receive the error 'External DB Account Restriction'
  Thanks for your help.

  This issue is generally seens when there are multiple domains. Try out this step. Choose Network Connections from the control panel. Right-click the local area connection.Choose Properties. Double-click the TCP/IP option. Choose Advanced at the bottom. Click on DNS at the top. Choose Append these DNS suffixes. Add the FQDN for each domain that ACS authenticates against in the field.

• ISE 1.2 EAP-TLS and AD authentication

  Hi,
  I am sure I have had this working but Just cant get it to now.
  So I have a Computer that has a Certificate on it with the SAN - princible name = to [email protected] This is an auo enroled Cert from my AD.
  My Authentication profile says
  IF the SSID (called-station) contianes eduroam and Princible name containes @mydomain.com then user a certification authentication profile. (see attachemnt below) 
  Then my authorization profile says
  if active directoy group = "Domian computers" then allow access.
  When my computer trys to join it passes the certificate test, but when it gets to the AD group is get the below.
  24433          Looking up machine in Active Directory - [email protected]
  24492          Machine authentication against Active Directory has failed
  22059          The advanced option that is configured for process failure is used
  22062          The 'Drop' advanced option is configured in case of a failed authentication request
  But I know my machine is in AD? What do i need to do to get the PC to use EAP-TLS to authenicate and AD group to authorize?
  Cheers

  This accepts all requsts to one SSID and then as you can see if it is EAP TLS uses Cert store (see below), other wise AH
  This jsut says if AD Group = /user/domainComputer allow full access (simple rule)

• EAP Chaining user, machine, rsa with iSE

  Hi,
  Is there any way to configure the following using ISE and Anyconnect/NAM module:
  eap-chaining:
  1. USER auth, Machine fail = Internet (works)
  2. User auth, Machine auth = limited corporate (works)
  3. User auth, Machine auth, RSA auth = Full (not sure about this one)
  Ideally we'd like the RSA prompts to appear on the successful completion of user/machine auth.
  Alternatively can we prompt RSA, and it that fails still test User/Machine?
  Thanks,

  Please check the following document, will be helpful in your scenarios,
  http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_80_eapchaining_deployment.pdf

• Cisco ISE - eap-peap and eap-tls

  Hi,
  Does anybody have an example of an ISE authentication policy where authentication requests coming from a WLC can be handled by TLS and PEAP?
  I dont seem to get that working, I do however make the ISE application crash with my config which is not the idea.
  If peap use this identity source, if tls use 'this certificate authentication profile'.
  Thx

  OK,
  so I have just fired up my lab and I actually created an Identity Sequence which contained my AD & my certificate profile.
  The authentication policy was allowing EAP-TLS & EAP-PEAP.
  I then created 2 authorization rules, 1 for users and 1 for machines permitting access based on windows AD group.
  What i found out was that the Windows 802.1x supplicant can only support 1 method of authentication, so if you want this to work properly, you need a different supplicant. I think Cisco do a more advanced one, not sure. You can then specifically choose that for machine auth you use EAP-TLS and for User Auth you use EAP-PEAP.
  In my setup. Machine auth ONLY happens when the user logs off the machine and it is sitting at Ctrl+alt+del so that it can still talk to the network and get all relevant updates etc. I found that not only did the machine authenticate using EAP-PEAP, it also authenticated using TLS... I think that is because of the wireless settings I had. I chose EAP-PEAP for wireless settings
  When the user then logs in, the user account authenticates using EAP-PEAP. I dont think you can authenticate both the logged on user and the machine at the same time. Not with the native windows supplicant anyway. Windows either sends authentication request for the user or the machine but not both.
  Hope that helps.
  Mario

• EAP Chaining with Machine TLS and User PEAP

  We are deploying an ISE based .1x. The design is to use eap-tls for machine and eap-peap for user. Apparently EAP-Chaining is recommended, but can anyone confirm if we can do chaining based on machine TLS and user PEAP. I have done some investigation and could not find any supporting document, but not any document saying not supporting either. Looking at Anyconnect profile editor, it does not look like this configuration is supported. Has anyone done this before?
  Thanks a lot.

  http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf
  Just change the authentication policy to allow the methods you want to use under eap-fast (eap-chaining) and use the same ones in your nam client configuration settings.

• [ISE] EAP-chaining by using EAP-TLS internal authc for machine cert & user cert

  Hi Guys,
  I'm taking the EAP-chaining into our enterprise workspace authenticaiton, now i meet following issue:
  my anyconnect make the network xml profile which decide the method of  eap-fast authencation ,both  the machine authc & user authc are use the cert.
  Then i found that the client always knock the authoraztion policy about the machine authenticaiton(i set this policy result which is permit access), i believe the " EAP-fast result machine & user are passed " , even though its result using the dacl "permit all", but it doesn't knock the following policy.
  and about the result of  machine authentication , i set the "permit access" , is it too loose? but i check the instance and cisco document , everyone told me that this policy rusult " permit access".
  it would be appreciated that anyone can help this issue.
  lately i will upload my policy and live authencation pic catch. Thanks.

  http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf
  Just change the authentication policy to allow the methods you want to use under eap-fast (eap-chaining) and use the same ones in your nam client configuration settings.

• Cisco ISE with EAP-FAST and PAC provisioning

  Hi,
  I have search with no result on this topic. So, Does anyone have implemented Cisco ISE authentication with EAP-FAST and PAC provisioning ?
  Since I have an issue with internal proxy, user required to authenticate with an internal proxy before granting access to the internet.
  If you have any documents, it would be appreciated for me.
  Thanks,
  Pongsatorn

  From what I understand a Internet proxy PAC and a eap-fast PAC are two different purposes.
  Is that what you are trying to get clarification on.
  Basically eap fast PAC provisioning is a PAC that s provisioned when a client authenticates successfully. The client provides this PAC for network authentication and not proxy authentication.
  Sent from Cisco Technical Support iPad App

• ISE EAP-Chaining with machine, certificate and domain credentials

  Good morning,
  A customer wants to do the following for their corporate wireless users (all clients will be customer assets):
  Corp. wireless to authenticate with 2-factor authentication:
  •1. Certificate
  •2. Machine auth thru AD
  •3. Domain creds
  When client authenticates, they want to match on 2 out of the 3 conditions before allowing access.
  Clients are Windows laptops and corporate iPhones.
  Certs can be issued thru GPO and MDM for iPhones
  Client supplicant on laptops is native Windows - which I understand is a compatibility issue from this thread: https://supportforums.cisco.com/thread/2185627
  My first question is: can this be done?
  Second question: how would i implement this from an AuthC/AuthZ perspective?
  Thanks in advance,
  Andrew

  You can do this configuring anyconnect with NAM modules on endpoints! But I don't make sense configure some clients with certificate and others with domains credentials...
  For your information, I'm actually configuring EAP-Chaining on ISE 1.2 and i'm gotting some problems. The first one I got with windows 8, for some reason windows was sending wrong information about the machine password but I solved the problem installing a KB on windows 8 machines (http://support.microsoft.com/kb/2743127/en-us). The second one I got with windows 7 that are sending information correctly about domain but wrong information about user credentials, on ISE logs I can see that windows 7 are sending user "anonymous" + machine name on the first longin... after windows 7 start if I remove the cable and connect again the authentication and authorization happen correctly. I still invastigate the root cause and if there is a KB to solve the problem as I did with windows 8.
  Good luck and keep in touch.
  http://support.microsoft.com/kb/2743127/en-us

• ISE 1.2 - MAR cache with PEAP vs EAP Chaining

  Does EAP chaining with EAP-FAST v2 and NAM 3.1 present the machine certificate for authentication during each connection to wireless?  It's not still tied to the windows log in event as with PEAP?
  I found this article, but would like to see if anyone has experience working with EAP chaining in ISE.
  https://tswireless.wordpress.com/2012/09/22/cisco-ise-machine-authentication-cache/

  Yes if you set up NAM for EAP-Chaining - Machine and User, and then select EAP-TLS w/cert, nam will send both when a user logs in. When the machine is booting only the machine identity will be sent (because we don't know the users identity before they have attempted to log in).

• EAP Chaining with Cisco ACS 5.x and the Cisco Anyconnect NAM Client

  Hi Guys,
  Whilst I’m well aware of the limitations of the built in the windows Wireless 802.1x supplicant. Is there a way, using the NAM client to authenticate both a computer and a user simultaneously, when used for authentication to wireless networks?
  As has been posted many times before on this forum, this isn’t possible due to windows not authenticating with the 'computer account' whilst the user is logged in, but with the NAM client it seems possible to do both user and computer authentication based on the options it gives you with EAP-Fast and 'EAP Chaining'.
  Can anyone validate this is possible? I have the design guide for exactly this for Cisco ISE but i need it to work on ACS (5.x).
  Thanks in advance.
  SteveH

  Bobby, I ran into the same issue with the "15015 Could not find ID Store" issue.  It turned out to be an issue with communication between the ACS and AD.  It looked like AD was connected successfully, but until I rebooted ACS, I kept getting the same error.  It was like it couldn't see the AD security groups even though it could scan the AD tree successfully.
  So, try rebooting ACS if you haven't already and see if that resolves the error.

• ISE 802.1x EAP-TLS machine and smart card authentication

  I suspect I know the answer to this, but thought that I would throw it out there anway...
  With Cisco ISE 1.2 is it possible to enable 802.1x machine AND user smart card  authentication simultaneously for wired/wireless clients (specifically  Windows 7/8, but Linux or OSX would also be good).  I can find plenty of  information regarding 802.1x machine authentication (EAP-TLS) and user  password authentication (PEAP), but none about dual EAP-TLS  authentication using certificates for machines and users at the same time.  I think I can figure out how to configure such a policy in ISE, but options seem to be lacking on the client end.  For example, the Windows 7 supplicant seems only able to present either a machine or user smart card certificate, not one then the other.  Plus, I am not sure how the client would know which certificate to present, or if the type can be specified from the authenticator.

  Hope this video link will help you
  http://www.labminutes.com/sec0045_ise_1_1_wired_dot1x_machine_auth_eap-tls

• ISE v1.2 - Endpoint abandoned EAP session and started new

  Hi.
  I have lots of clients that are not able to log on to both wired and wireless networks, and they always fails with these errors.
  5411 Supplicant stopped responding to ISE
  5440 Endpoint abandoned EAP session and started new
  This is with certificate authentication, both for client and for machine.
  The clients are for the most part Windows 7.
  We use both Cisco and Aerohive for wireless, and the switch I have tested with is a Cisco2960S
  A few strange things:
  It works perfectly for a lot of clients too, with the excact same configuration.
  One PC I'm testing with works fine when authenticating via wireless, but when I plug it into the switch, I get these errors.
  I seems to be a timeout of some kind, either to short or too long, but where?
  In the Win7 supplicant?
  In the switch?
  In the Cisco WLC
  or in the Aerohive AP?
  I have spent hours and hours on this problem, but I can't make it go away, it is very exhausting.
  There surely must have been others with the same problem?
  Thank you.

  Thank for trying to help out, but this is.. insanely vague.
  How can i verify that NAS (the C2960S) is properly configured?
  What timers are we talking about here? There are many to choose from..
  The problem is still here, even with the latest patch 7 for ISE 1.2. It works fine on wireless, but not with wired, from the same computer. So it is logic to assume it has something to do with the switch.
  This is the configuration from the switch:
  interface GigabitEthernet1/0/20
    switchport mode access
   authentication event fail action next-method
   authentication open
   authentication order dot1x mab
   authentication port-control auto
   snmp trap mac-notification change added
   dot1x pae authenticator
   spanning-tree portfast
  end
  sh dot1x int g1/0/20
  Dot1x Info for GigabitEthernet1/0/20
  PAE                       = AUTHENTICATOR
  QuietPeriod               = 60
  ServerTimeout             = 0
  SuppTimeout               = 30
  ReAuthMax                 = 2
  MaxReq                    = 2
  TxPeriod                  = 30
  sh run aaa
  aaa authentication login default group radius local
  aaa authentication dot1x default group radius
  aaa authorization exec default group radius local
  aaa authorization network default group radius
  aaa accounting dot1x default start-stop group radius!
  aaa server radius dynamic-author
   client 192.168.100.85
   server-key nope!
   auth-type any
  radius server hmz
   address ipv4 192.168.100.85 auth-port 1812 acct-port 1813
   key nope!
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 6 support-multiple
  radius-server attribute 8 include-in-access-req
  aaa new-model
  aaa session-id common
  Some debug from the switch:
  Apr  6 11:07:01.745: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] Create attr list, session 0x1E0000E0:
  Apr  6 11:07:01.745: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding MAC d43d.7e97.1e26
  Apr  6 11:07:01.745: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Swidb 0x4F8BAC8
  Apr  6 11:07:01.745: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding AAA_ID=14B
  Apr  6 11:07:01.745: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Audit_sid=C0A864FA0000014B6983A2E0
  Apr  6 11:07:01.745: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Domain=DATA (1)
  Apr  6 11:07:01.745: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding [email protected]
  Apr  6 11:07:01.745: %AUTHMGR-5-START: Starting 'dot1x' for client (d43d.7e97.1e26) on Interface Gi1/0/20 AuditSessionID C0A864FA0000014B6983A2E0
  Apr  6 11:07:01.745: AUTH-DETAIL: No default action(s) for event RX_METHOD_AGENT_FOUND.
  Apr  6 11:08:21.182: %DOT1X-5-FAIL: Authentication failed for client (d43d.7e97.1e26) on Interface Gi1/0/20 AuditSessionID C0A864FA0000014B6983A2E0
  Apr  6 11:08:21.187: %AUTHMGR-7-STOPPING: Stopping 'dot1x' for client d43d.7e97.1e26 on Interface Gi1/0/20 AuditSessionID C0A864FA0000014B6983A2E0
  Apr  6 11:08:21.187: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (d43d.7e97.1e26) on Interface Gi1/0/20 AuditSessionID C0A864FA0000014B6983A2E0
  Apr  6 11:08:21.187: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] Create attr list, session 0x1E0000E0:
  Apr  6 11:08:21.187: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding MAC d43d.7e97.1e26
  Apr  6 11:08:21.187: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Swidb 0x4F8BAC8
  Apr  6 11:08:21.187: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding AAA_ID=14B
  Apr  6 11:08:21.187: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Audit_sid=C0A864FA0000014B6983A2E0
  Apr  6 11:08:21.187: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Domain=DATA (1)
  Apr  6 11:08:21.187: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Username=host/HovedPC.gaasdal.net
  Apr  6 11:09:22.079: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] Create attr list, session 0x1E0000E0:
  Apr  6 11:09:22.079: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding MAC d43d.7e97.1e26
  Apr  6 11:09:22.079: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Swidb 0x4F8BAC8
  Apr  6 11:09:22.079: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding AAA_ID=14B
  Apr  6 11:09:22.079: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Audit_sid=C0A864FA0000014B6983A2E0
  Apr  6 11:09:22.079: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Domain=DATA (1)
  Apr  6 11:09:22.079: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Username=host/HovedPC.gaasdal.net
  Apr  6 11:09:22.079: %AUTHMGR-5-START: Starting 'dot1x' for client (d43d.7e97.1e26) on Interface Gi1/0/20 AuditSessionID C0A864FA0000014B6983A2E0
  Apr  6 11:09:22.079: AUTH-DETAIL: No default action(s) for event SESSION_STARTED.

• EAP-TLS with windows machine

  I had configured everything for certificate authentication EAP-TLS in Windows 2003 AD with enterprise CA. After logging a machine to domain I receive a certificate for computer, then setup XP SP3 to reauthenticate perion 120 sec (by Microsoft KB). I try two different machines with XP to use EAP-TLS authentication, but reason is not toward success.
  I use "authentication open" on switch therefore machines could communicate with whole network. Nothing appars in Failed Attempts.csv of Passed Attempts.csv (of couse).
  Just list of RDS.log appears some activity ended with
  NAS: 172.24.34.62:27910:25 Cleaning lookup entry. AND reapeted
  If I change an authentication type to PEAP, and I had not it configured on ACS, than failed attempt log issue is arrised: EAP_PEAP Type not configured.
  Is it necessary to use http://support.microsoft.com/kb/957931 on windows XP to success machine authentication?
  Please let attentions to Attachments and let me know
  what could be a problem of my unsuccessness of use EAP-TLS.
  configuration of interface which I use for testing:
  interface GigabitEthernet0/42
  description Test 802.1X klient - Filip
  switchport access vlan 34
  switchport mode access
  switchport voice vlan 31
  authentication host-mode multi-domain
  authentication open
  authentication port-control auto
  authentication periodic
  authentication violation protect
  dot1x pae authenticator
  dot1x timeout tx-period 10
  spanning-tree portfast
  end

  Hi Filip,
  Just noticed your post...
  In order to use EAP-TLS you should ensure that you have the complete certs chain. I've noticed that EAP-TLS and service pack 3 has some compatibility issue so please try authenticating with a windows XP sp2 machine.
  Microsoft has done some changes in SP 3 for wired 802.1x
  Changes to the 802.1X-based wired network connection settings in Windows XP
  Service Pack 3
  http://support.microsoft.com/kb/949984/
  In Windows XP Service Pack 2 (SP2), both the wired and wireless connections are handled by the Wireless Zero Config (WZCSVC) service. Additionally, this service is always running. In Windows XP SP3, this WZCSVC functionality is divided into the following separate services as part of Network Access Protection (NAP) integration:
  * The WZCSVC service
  * The Wired AutoConfig service (DOT3SVC)
  As we are using wired authentication, I would suggest you to check whether wired autoconfig service is running or not.You can check by going to Manually start the Wired AutoConfig service
  If you are an end-user who has already installed Windows XP SP3, follow
  these steps:
  1. Click Start, and then click Run.
  2. In the Open box, type services.msc, and then press ENTER.
  3. Locate the Wired AutoConfig service, right-click it, and then click
  Start
  Since, we are not getting any hits on the ACS for EAP-TLS, it's clearly indicates that supplicant is not sending access-request...
  CERTIFICATE REQUIREMENT IN EAP-TLS:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39121
  ACS CONFIGURATION:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39247
  MICROSOFT XP CLIENT CONFIGURATION:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39392
  As far as peap is concerned where we are getting EAP_TYPE not configured. Here you need to enable peap-mschapv2 under the on the ACS >system configuration > global authentication setup and check the PEAP and EAP-TLS.
  Also make sure that your logging is set to full > Go to system configuration > services control > check the radio button for FULL > click on Restart.
  Also, let me know the full ACS version and platform.
  HTH
  JK
  Do rate helpful posts-