ISE/802.1x - IP Conflict at 0.0.0.0?
Has anyone seen this issue?
We have Windows 7 clients running 802.1x that will pop up a message in the eventlog that there is an IP conflict with 0.0.0.0. This seems to cause an infinite loop of DHCP NACK and BAD_ADDRESS in the scope.
I am on code 1.1.1.268.
Thanks in advance.
-Ryan
Hello, I have the same issue, only on a Windows 7 computer (all other computers are Windows 7 / Windows XP and are working fine).
Switches: 3750-X, version 15.0.1.SE2
dot1x activated on the switches, not on the computer.
Sometimes a duplicate IP 0.0.0.0 message appears on the W7 computer, and it is not able to communicate after that, even though it has a FIXED IP.
This is not a real duplicate IP: the MAC that has taken the IP 0.0.0.0 is a4:4c:11:44:xx:xx (seems to be a Cisco switch ...).
I have found at : http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3750x_3560x/software/release/15.0_1_se/command/reference/cli1.html#wp9596478
that
The ARP probe default source IP address is the Layer 3 interface and 0.0.0.0 for switchports.
Since I have no IP for the user VLAN on the 3750-X switch where IP device tracking is done, I assume this 0.0.0.0 IP is seen because of ARP probe requests sent by the switch ...
But we don't have the ip device tracking probe delay parameter on 3750 switches ... it is only seen on the 4500.
If anyone can confirm that ...
Perhaps adding an IP in the user VLAN could be a workaround, as it won't use the 0.0.0.0 IP for ARP probes?
This message was edited by: Guillaume BARBEROT
Similar Messages
-
ISE 802.1x EAP-TLS machine and smart card authentication
I suspect I know the answer to this, but thought that I would throw it out there anyway...
With Cisco ISE 1.2 is it possible to enable 802.1x machine AND user smart card authentication simultaneously for wired/wireless clients (specifically Windows 7/8, but Linux or OSX would also be good)? I can find plenty of information regarding 802.1x machine authentication (EAP-TLS) and user password authentication (PEAP), but none about dual EAP-TLS authentication using certificates for machines and users at the same time. I think I can figure out how to configure such a policy in ISE, but options seem to be lacking on the client end. For example, the Windows 7 supplicant seems only able to present either a machine or user smart card certificate, not one then the other. Plus, I am not sure how the client would know which certificate to present, or if the type can be specified from the authenticator.
Hope this video link will help you:
http://www.labminutes.com/sec0045_ise_1_1_wired_dot1x_machine_auth_eap-tls -
Cisco ISE 802.1X Client Provisioning
Hi,
I have a requirement for ISE client provisioning for both Windows and mac. I have the following setup:
1. 2 SSIDs, Guest and Employee
2. Guest is open access
3. Employee is 802.1x eap-peap (username/password)
I was wondering if client local administrator privilege is required for 802.1x provisioning for a Windows client? I believe it is required for Mac OS, however I'm not too sure whether it may be required for Windows.
Example: Employee A connects to the Guest SSID and is redirected to the guest web portal. Upon login, they will be presented with the device registration portal. Upon being presented by ISE with the supplicant wizard, will they be asked for local administrator/domain admin privilege to install the supplicant wizard package/provisioning agent successfully?
Any suggestion is appreciated.
Thanks.
Hi,
Appreciate the feedback.
Thanks -
Cisco ISE: 802.1x [EAP-TLS] + List of Applicable Hot-Fixes
Dear Folks,
Kindly suggest the list of all possible Hot-Fixes required for the Cisco ISE EAP-TLS solution... We have applied 9 HotFixes so far. But, still the connectivity is intermittent. Is there any list for all applicable Hot-Fixes?
OS = Win 7 SP1 (32/64 Bit) and Win 8
Thanks,
Regards,
Mubasher Sultan
Hi Mubasher,
KB2481614: If you're configuring your 802.1x settings via Group Policy you'll sometimes see EAP-PEAP requests from clients in your RADIUS server log during booting even if you've set EAP-TLS. This error happened in our case with 1/3 of the boots with some models. The error is caused by a timing problem during startup. Sometimes the 802.1x is faster and sometimes the Group Policy is, and if the 802.1x is faster then the default configuration is taken, which is PEAP, which leads to an EAP-NAK by the RADIUS server.
KB980295: If an initial 802.1x authentication is passed, but a re-authentication fails, Windows 7 will ignore all later 802.1x requests. This hotfix should also fix a problem with computers waking up from sleep or hibernation – but we’ve disabled these features so I can’t comment on them.
KB976373: This hotfix is called “A computer that is connected to an IEEE 802.1x-authenticated network via another 802.1x enabled device does not connect to the correct network”. I can’t comment on this, as we’ve not deployed 802.1x for our VoIP phones at this point. I would guess it is the same for Windows 7 too. The linked article tells you to install the patch and set some registry key to lower the value.
KB2769121: A short time ago I found this one: “802.1X authentication fails on a Windows 7-based or Windows 2008 R2-based computer that has multiple certificates”. At time of writing I’m not sure if it helps for something in my setup. According to the symptoms list of the hotfix, it does not, but maybe it helps for something else, as the one before does.
KB2736878: Another error during booting – this time it happens if the read process starts before the network adapter is initialized. It really seems that they wanted to get faster boot times, no matter the cost.
KB2494172: This hotfix fixes a problem if you’ve installed a valid and invalid certificate for 802.1x authentication. The workaround is just deleting the invalid certificate. I’m not sure at this point if it affects also wired authentication.
KB976210: This problem occurs only during automated build processes and if you use an EAP method which needs user interaction – as I don’t do that I can’t comment on this hotfix.
For more information please go through this link:
http://robert.penz.name/555/list-of-ieee-802-1x-hotfixes-for-windows-7/
Best Regards:
Muhammad Munir -
ISE 802.1x and Windows Logoff
Hi Guys,
I have an ISE that works fine using 802.1x, but we have a strange behavior: when the client just logs off the Windows machine, after the client logs in again the machine does not authenticate and gets stuck with the message "not possible to authenticate". Then I need to take the cable out of the machine and put it back in; after this everything works fine.
This happens just using logoff windows.
could someone help me about it?
thanks a lot
Hi Rik,
I am using this configuration.
interface GigabitEthernet3/33
switchport access vlan 22
switchport mode access
switchport voice vlan 23
ip access-group ACL-DEFAULT in
logging event link-status
authentication event fail action next-method
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
qos trust device cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AutoQos-4.0-Cisco-Phone-Input-Policy
service-policy output AutoQos-4.0-Output-Policy
The clients are using the NAC Agent as the way to perform posture.
If I take the cable out and put it back in, everything works fine, but if the client tries to log off and after a while logs in again, the NIC card cannot be authenticated.
thanks a lot -
About ISE 802.1X question!
Today my colleagues and I deployed ISE and found the following question.
Sometimes, under the same interface, one user's authentication and authorization succeeds while another user's authentication and authorization is not successful. If I restart ISE it will be normal.
Why is that?
Two ISE nodes, distributed deployment.
I tested redundancy. I shut down the main equipment; the following error appeared:
LOG:==============================================
The normal time:
6509-vss#show authentication sessions interface g1/9/36
Interface: GigabitEthernet1/9/36
MAC Address: 0021.cc68.a63e
IP Address: 172.30.60.11
User-Name: daiyue
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-51ef7db1
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC1E3C02000000410155DA40
Acct Session ID: 0x0000006C
Handle: 0x73000041
Runnable methods list:
Method State
mab Failed over
dot1x Authc Success
Interface: GigabitEthernet1/9/36
MAC Address: 0026.2df8.a25f
IP Address: 172.30.60.10
User-Name: daiyue
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-51ef7db1
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC1E3C02000000400154E52C
Acct Session ID: 0x0000006D
Handle: 0x91000040
Runnable methods list:
Method State
mab Failed over
dot1x Authc Success
When there is a problem:
6509-vss#
Feb 27 2014 17:43:11: %DOT1X-5-FAIL: Authentication failed for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:43:11: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:43:11: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:43:11: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:43:11: %AUTHMGR-5-FAIL: Authorization failed for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:47:52: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0026.2df8.a25f) on Interface Gi1/9/36
Feb 27 2014 17:47:52: %AUTHMGR-5-START: Starting 'dot1x' for client (0026.2df8.a25f) on Interface Gi1/9/36
Feb 27 2014 17:48:02: %DOT1X-5-FAIL: Authentication failed for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:48:02: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:48:02: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:48:02: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:48:02: %AUTHMGR-5-FAIL: Authorization failed for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:48:20: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
Feb 27 2014 17:48:20: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
Feb 27 2014 17:48:25: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
Feb 27 2014 17:48:25: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
Feb 27 2014 17:48:29: %DOT1X-5-SUCCESS: Authentication successful for client (0026.2df8.a25f) on Interface Gi1/9/36
Feb 27 2014 17:48:29: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0026.2df8.a25f) on Interface Gi1/9/36
Feb 27 2014 17:48:29: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.2df8.a25f| AuditSessionID AC1E3C020000004D01CCB640| AUTHTYPE DOT1X| EVENT APPLY
Feb 27 2014 17:48:29: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0026.2df8.a25f| AuditSessionID AC1E3C020000004D01CCB640| AUTHTYPE DOT1X| EVENT IP-WAIT
Feb 27 2014 17:48:30: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0026.2df8.a25f) on Interface Gi1/9/36
Feb 27 2014 17:48:34: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
Feb 27 2014 17:48:34: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
6509-vss(config-if)#
6509-vss(config-if)#
Feb 27 2014 17:48:49: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
Feb 27 2014 17:48:49: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
Feb 27 2014 17:49:02: %AUTHMGR-5-START: Starting 'mab' for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:49:13: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
Feb 27 2014 17:49:13: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
Feb 27 2014 17:49:18: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
Feb 27 2014 17:49:18: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
Feb 27 2014 17:49:21: %MAB-5-FAIL: Authentication failed for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:49:21: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:49:21: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:49:21: %AUTHMGR-5-START: Starting 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:49:23: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
Feb 27 2014 17:49:23: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
6509-vss(config-if)#end
6509-vss#show
Feb 27 2014 17:49:27: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
Feb 27 2014 17:49:27: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.authen
6509-vss#show authentication
Feb 27 2014 17:49:28: %SYS-5-CONFIG_I: Configured from console by consolese
6509-vss#show authentication sessions int
6509-vss#show authentication sessions interface g1/9/36
Interface: GigabitEthernet1/9/36
MAC Address: 0021.cc68.a63e
IP Address: Unknown
User-Name: 0021cc68a63e
Status: Running
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC1E3C020000004E01CCCA18
Acct Session ID: 0x00000086
Handle: 0x7300004E
Runnable methods list:
Method State
mab Failed over
dot1x Running
Interface: GigabitEthernet1/9/36
MAC Address: 0026.2df8.a25f
IP Address: Unknown
User-Name: shenshu
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC1E3C020000004D01CCB640
Acct Session ID: 0x00000089
Handle: 0xB400004D
Runnable methods list:
Method State
mab Not run
dot1x Authc Success
LOG:============================================
Please consider the order of authentication method failure from here:
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-service/application_note_c27-573287.html#wp9000028 -
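As an added example (not from the thread or from Cisco), the following Python parses the AUTHMGR/DOT1X/RADIUS syslog lines pasted above into per-client timelines and counts RADIUS dead-server events, so the 'no-response' failure of one client and the repeated RADIUS_DEAD/RADIUS_ALIVE flapping can be read off in one place rather than eyeballed. The sample lines are copied from the log in the post; the field names and the `summarize` output layout are this example's own choices.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Matches one IOS syslog line: "<timestamp>: %FACILITY-SEV-MNEMONIC: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<msg>.*)$"
)
# IOS prints the client MAC in dotted form and the RADIUS server as host:authport,acctport
CLIENT_RE = re.compile(r"client \((?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\)")
SERVER_RE = re.compile(r"RADIUS server (?P<server>\S+)")


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split a syslog line into fields; return None for prompts and console echo."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    client = CLIENT_RE.search(rec["msg"])
    server = SERVER_RE.search(rec["msg"])
    rec["client"] = client.group("mac") if client else None
    rec["server"] = server.group("server") if server else None
    return rec


def summarize(lines: List[str]) -> Dict:
    """Per-client event timelines plus a RADIUS_DEAD count per server."""
    timelines = defaultdict(list)
    radius_dead = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["client"]:
            timelines[rec["client"]].append((rec["ts"], rec["facility"], rec["mnemonic"]))
        if rec["mnemonic"] == "RADIUS_DEAD":
            radius_dead[rec["server"]] += 1
    # NOMOREMETHODS means both dot1x and mab were tried and failed for that MAC
    exhausted = sorted(mac for mac, events in timelines.items()
                       if any(mn == "NOMOREMETHODS" for _, _, mn in events))
    # AUTHMGR-5-SUCCESS is the authorization result, not the dot1x EAP result
    authorized = sorted(mac for mac, events in timelines.items()
                        if any(fac == "AUTHMGR" and mn == "SUCCESS" for _, fac, mn in events))
    return {"timelines": dict(timelines), "radius_dead": dict(radius_dead),
            "exhausted": exhausted, "authorized": authorized}


# Sample input: lines copied from the switch log in the post, plus one prompt line
SAMPLE_LOG = [
    "Feb 27 2014 17:43:11: %DOT1X-5-FAIL: Authentication failed for client (0021.cc68.a63e) on Interface Gi1/9/36",
    "Feb 27 2014 17:43:11: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36",
    "Feb 27 2014 17:43:11: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36",
    "Feb 27 2014 17:43:11: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0021.cc68.a63e) on Interface Gi1/9/36",
    "Feb 27 2014 17:43:11: %AUTHMGR-5-FAIL: Authorization failed for client (0021.cc68.a63e) on Interface Gi1/9/36",
    "Feb 27 2014 17:48:20: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.",
    "Feb 27 2014 17:48:20: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.",
    "Feb 27 2014 17:48:29: %DOT1X-5-SUCCESS: Authentication successful for client (0026.2df8.a25f) on Interface Gi1/9/36",
    "Feb 27 2014 17:48:30: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0026.2df8.a25f) on Interface Gi1/9/36",
    "6509-vss(config-if)#",
    "Feb 27 2014 17:48:34: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.",
    "Feb 27 2014 17:48:34: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.",
]

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for mac, events in summary["timelines"].items():
        print(mac, " -> ".join(f"{fac}-{mn}" for _, fac, mn in events))
    print("RADIUS dead events per server:", summary["radius_dead"])
    print("exhausted all methods:", summary["exhausted"])
    print("authorized:", summary["authorized"])
```

A RADIUS_DEAD immediately followed by RADIUS_ALIVE at the same timestamp, repeated every few seconds as in the post, points at the switch's dead-server detection rather than at the client; counting those events separately from the per-client AUTHMGR results keeps the two problems from being read as one.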
Dear Folks,
Kindly suggest the best recommended values for the timers in 802.1x (EAP-TLS)... Should I keep them all at default, or change some of them?
Also, why do we need reauthentication timers? Is there any benefit to using them? Does it prompt the users or is it invisible? And what are the best values, in case we need to use them?
Thanks,
Regards,
Mubasher
My Interface Configuration is as below;
interface GigabitEthernet1/34
switchport access vlan 131
switchport mode access
switchport voice vlan 195
ip access-group ACL-DEFAULT in
authentication event fail action authorize vlan 131
authentication event server dead action authorize vlan 131
authentication event server alive action reinitialize
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
snmp trap mac-notification change added
dot1x pae authenticator
dot1x timeout tx-period 5
storm-control broadcast level 30.00
spanning-tree portfast
spanning-tree bpduguard enable
Hello Mubashir,
Many timers can be modified as needed in a deployment. Unless you are experiencing a specific problem where adjusting the timer may correct unwanted behavior, it is recommended to leave all timers at their default values except for the 802.1X transmit timer (tx-period).
The tx-period timer defaults to a value of 30 seconds. Leaving this value at 30 seconds provides a default wait of 90 seconds (3 x tx-period) before a switchport will begin the next method of authentication, and begin the MAB process for non-authenticating devices.
Based on numerous deployments, the best-practice recommendation is to set the tx-period value to 10 seconds to provide the optimal time for MAB devices. Setting the value below 10 seconds may result in the port moving to MAC authentication bypass too quickly.
Configure the tx-period timer.
C3750X(config-if-range)#dot1x timeout tx-period 10 -
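To make the "3 x tx-period" rule in the reply checkable across a whole running-config, here is an added example (not from the thread or from Cisco) that audits every interface carrying `dot1x pae authenticator`. It assumes the IOS defaults of tx-period 30 seconds and max-reauth-req 2, so the time before the port falls back to MAB is (max-reauth-req + 1) x tx-period, and it flags ports set below the 10 seconds the reply recommends. The sample config reuses the poster's GigabitEthernet1/34 block; the other three interfaces are constructed for contrast.

```python
import re
from typing import Dict, List

DEFAULT_TX_PERIOD = 30        # IOS default for dot1x timeout tx-period (seconds)
DEFAULT_MAX_REAUTH_REQ = 2    # IOS default for dot1x max-reauth-req (retries after the first request)
RECOMMENDED_TX_PERIOD = 10    # value the reply recommends


def interface_blocks(config: str) -> Dict[str, List[str]]:
    """Group the lines of a running-config under their 'interface <name>' header."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
    return blocks


def audit_dot1x_timers(config: str) -> Dict[str, Dict]:
    """For each authenticator port, compute seconds until MAB fallback and rate the tx-period."""
    results = {}
    for name, lines in interface_blocks(config).items():
        if "dot1x pae authenticator" not in lines:
            continue
        tx_period = DEFAULT_TX_PERIOD
        max_reauth_req = DEFAULT_MAX_REAUTH_REQ
        for line in lines:
            m = re.match(r"dot1x timeout tx-period (\d+)$", line)
            if m:
                tx_period = int(m.group(1))
            m = re.match(r"dot1x max-reauth-req (\d+)$", line)
            if m:
                max_reauth_req = int(m.group(1))
        # first EAP-Request/Identity plus max_reauth_req retries, each waiting tx_period
        fallback = (max_reauth_req + 1) * tx_period
        if tx_period < RECOMMENDED_TX_PERIOD:
            verdict = "too-fast"            # risk of non-dot1x hosts hitting MAB before the supplicant answers
        elif tx_period == RECOMMENDED_TX_PERIOD:
            verdict = "ok"
        else:
            verdict = "above-recommended"   # MAB devices wait longer than needed
        results[name] = {"tx_period": tx_period, "max_reauth_req": max_reauth_req,
                         "mab_fallback_seconds": fallback, "verdict": verdict}
    return results


# Sample config: Gi1/34 is the poster's block; Gi1/35-37 are constructed for this example
SAMPLE_CONFIG = """
interface GigabitEthernet1/34
 switchport access vlan 131
 switchport mode access
 switchport voice vlan 195
 ip access-group ACL-DEFAULT in
 authentication event fail action authorize vlan 131
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
 spanning-tree portfast
interface GigabitEthernet1/35
 switchport mode access
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
interface GigabitEthernet1/36
 switchport mode access
 authentication port-control auto
 mab
 dot1x pae authenticator
interface GigabitEthernet1/37
 switchport mode access
"""

if __name__ == "__main__":
    for name, r in audit_dot1x_timers(SAMPLE_CONFIG).items():
        print(f"{name}: tx-period={r['tx_period']}s, MAB after {r['mab_fallback_seconds']}s ({r['verdict']})")
```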
ISE - 802.1X - Loop not detected by spanning-tree
Hello,
I have recently implemented 802.1X on 3750-X switches running the 15.0(2)SE IOS version.
The spanning-tree bpdufilter and bpduguard are globally enabled on the switches.
A user has created a loop on the network by connecting their Cisco IP phone to the network twice: one wire connected normally from the switch to the RJ-45 phone connector, and the second wire, which should have been connected to the PC, had also been connected to the switch!
The loop created has not been detected by the switch!
I have made several tests and re-created the problem 3 times out of 4 (only one time was the loop detected by bpduguard, 20 seconds after the port came up).
Notice that without 802.1X configured on the same switch port, the loop is quickly detected and the ports are err-disabled (shutdown).
The switch port with 802.1X is configured as follows:
interface GigabitEthernet1/0/9
switchport access vlan 950
switchport mode access
switchport nonegotiate
switchport voice vlan 955
no logging event link-status
authentication control-direction in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 950
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 10
storm-control broadcast level 10.00
storm-control multicast level 10.00
spanning-tree portfast
If I change the host-mode to multi-domain, a MAC violation restriction occurs and shuts down the port. But this is not the config I need.
Is there any reason for spanning-tree not working properly with 802.1X?
Thanks,
Olivier
Hello Olivier,
When using bpdufilter, bpduguard and portfast all at the same time there are many things going on which are not well documented. Now when you add 802.1x to the mix then you really have no documentation. I had to do many labs on my own to finally have my configuration, and also discovered some bugs. According to my experience you shouldn't use bpdufilter and you should use bpduguard on the switchport not in the global config.
Please read the following links about the differences between global and port bpdufilter, differences between global and port bpduguard, configuring bpduguard along with portfast , configuring bpdufilter along with portfast, and configuring bpduguard along with bpdufilter.
http://aitaseller.wordpress.com/2010/01/17/bpdu-filter-vs-bpdu-guard-what-is-the-difference/
http://costiser.wordpress.com/2011/05/23/subtle-difference-for-portfast-bpdufilter-used-together-globally-or-at-interface-level/
https://learningnetwork.cisco.com/thread/21103
http://blog.ipexpert.com/2010/12/06/bpdu-filter-and-bpdu-guard/
Please rate if this helps -
Cisco ip phones authenticate 802.1x with cisco ise 1.3
Dear all,
I want to configure Cisco ISE 1.3 with 802.1x to authenticate Cisco IP phones (CUCM 10.5.2) with an LSC certificate.
How do I have to configure the Cisco ISE authentication rules for 802.1x with Cisco IP phones? Are there any configuration examples?
Thanks
Following are ISE 802.1x sample authentication rules. You can change the protocol (Policy -> Policy Elements -> Results -> Authentication, and you can select the protocol).
-
ISE 1.1 - 24492 Machine authentication against AD has failed
We implemented Cisco ISE 802.1X and machine authentication with EAP-TLS.
Authentication Summary
Logged At:
March 11,2015 7:00:13.374 AM
RADIUS Status:
RADIUS Request dropped : 24492 Machine authentication against Active Directory has failed
NAS Failure:
Username:
[email protected]
MAC/IP Address:
00:26:82:F1:E6:32
Network Device:
WLC : 192.168.1.225 :
Allowed Protocol:
TDS-PEAP-TLS
Identity Store:
AD1
Authorization Profiles:
SGA Security Group:
Authentication Protocol :
EAP-TLS
Authentication Result
RadiusPacketType=Drop
AuthenticationResult=Error
Related Events
Authentication Details
Logged At:
March 11,2015 7:00:13.374 AM
Occurred At:
March 11,2015 7:00:13.374 AM
Server:
ISE-TDS
Authentication Method:
dot1x
EAP Authentication Method :
EAP-TLS
EAP Tunnel Method :
Username:
[email protected]
RADIUS Username :
host/LENOVO-PC.tdsouth.com
Calling Station ID:
00:26:82:F1:E6:32
Framed IP Address:
Use Case:
Network Device:
WLC
Network Device Groups:
Device Type#All Device Types,Location#All Locations
NAS IP Address:
192.168.1.225
NAS Identifier:
WLC-TDS
NAS Port:
4
NAS Port ID:
NAS Port Type:
Wireless - IEEE 802.11
Allowed Protocol:
TDS-PEAP-TLS
Service Type:
Framed
Identity Store:
AD1
Authorization Profiles:
Active Directory Domain:
tdsouth.com
Identity Group:
Allowed Protocol Selection Matched Rule:
TDS-WLAN-DOT1X-EAP-TLS
Identity Policy Matched Rule:
Default
Selected Identity Stores:
Authorization Policy Matched Rule:
SGA Security Group:
AAA Session ID:
ISE-TDS/215430381/40
Audit Session ID:
c0a801e10000007f54ffe828
Tunnel Details:
Cisco-AVPairs:
audit-session-id=c0a801e10000007f54ffe828
Other Attributes:
ConfigVersionId=7,Device Port=32768,DestinationPort=1812,RadiusPacketType=AccessRequest,Protocol=Radius,Framed-MTU=1300,State=37CPMSessionID=c0a801e10000007f54ffe828;30SessionID=ISE-TDS/215430381/40;,Airespace-Wlan-Id=1,CPMSessionID=c0a801e10000007f54ffe828,EndPointMACAddress=00-26-82-F1-E6-32,GroupsOrAttributesProcessFailure=true,Device Type=Device Type#All Device Types,Location=Location#All Locations,Device IP Address=192.168.1.225,Called-Station-ID=e0-d1-73-28-a7-70:TDS-Corp
Posture Status:
EPS Status:
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12502 Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12809 Prepared TLS CertificateRequest message
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12571 ISE will continue to CRL verification if it is configured for specific CA
12571 ISE will continue to CRL verification if it is configured for specific CA
12811 Extracted TLS Certificate message containing client certificate
12812 Extracted TLS ClientKeyExchange message
12813 Extracted TLS CertificateVerify message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12509 EAP-TLS full handshake finished successfully
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
Evaluating Identity Policy
15006 Matched Default Rule
24433 Looking up machine/host in Active Directory - [email protected]
24492 Machine authentication against Active Directory has failed
22059 The advanced option that is configured for process failure is used
22062 The 'Drop' advanced option is configured in case of a failed authentication request
But the user can be authenticated by EAP-TLS:
AAA Protocol > RADIUS Authentication Detail
RADIUS Audit Session ID :
c0a801e10000007f54ffe828
AAA session ID :
ISE-TDS/215430381/59
Date :
March 11,2015
Generated on March 11, 2015 2:48:43 PM ICT
Authentication Summary
Logged At:
March 11,2015 7:27:32.475 AM
RADIUS Status:
Authentication succeeded
NAS Failure:
Username:
[email protected]
MAC/IP Address:
00:26:82:F1:E6:32
Network Device:
WLC : 192.168.1.225 :
Allowed Protocol:
TDS-PEAP-TLS
Identity Store:
AD1
Authorization Profiles:
TDS-WLAN-PERMIT-ALL
SGA Security Group:
Authentication Protocol :
EAP-TLS
Authentication Result
[email protected]
State=ReauthSession:c0a801e10000007f54ffe828
Class=CACS:c0a801e10000007f54ffe828:ISE-TDS/215430381/59
Termination-Action=RADIUS-Request
cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-508adc03
MS-MPPE-Send-Key=5a:9a:ca:b0:0b:2a:fe:7d:fc:2f:8f:d8:96:25:50:bb:c8:7d:91:ba:4c:09:63:57:3e:6e:4e:93:5d:5c:b0:5d
MS-MPPE-Recv-Key=24:fa:8d:c3:65:94:d8:29:77:aa:71:93:05:1b:0f:a5:58:f8:a2:9c:d0:0e:80:2d:b6:12:ae:c3:8c:46:22:48
Airespace-Wlan-Id=1
Related Events
Authentication Details
Logged At:
March 11,2015 7:27:32.475 AM
Occurred At:
March 11,2015 7:27:32.474 AM
Server:
ISE-TDS
Authentication Method:
dot1x
EAP Authentication Method :
EAP-TLS
EAP Tunnel Method :
Username:
[email protected]
RADIUS Username :
[email protected]
Calling Station ID:
00:26:82:F1:E6:32
Framed IP Address:
Use Case:
Network Device:
WLC
Network Device Groups:
Device Type#All Device Types,Location#All Locations
NAS IP Address:
192.168.1.225
NAS Identifier:
WLC-TDS
NAS Port:
4
NAS Port ID:
NAS Port Type:
Wireless - IEEE 802.11
Allowed Protocol:
Hello,
I am analyzing your question and, looking at the ISE logs, I can see that the machine credential was LENOVO-PC. Are you sure that this credential exists in your Active Directory to validate this machine? Does the machine certificate have the correct machine credentials from the domain? Does the group mapped in the ISE rule have the machine inside it?
This is different from the user authentication, which happens with success because the domain credentials can be validated by the Active Directory and get access to the network. -
We just implemented ISE 802.1x in couple of our Cisco 4507 switches and we are seeing the following error in the log.
%HA_EM-3-LOG: NAC-RADIUS-FAIL-OPEN-DEAD: All RADIUS servers are dead changing the nac-enforcement ACL to permit all
I pasted it into the Cisco error message decoder and it came back with not found.
Thanks...
Jimmy,
Sorry for the late reply, but it turned out that we needed to add the missing auth data vlan command on the switch. After that the error went away.
Thanks for your input, I do appreciate it.
Jack. -
Should ACL be applied on port in Closed mode
Hi,
While reading about Closed Mode deployment of ISE, I came across a conflict between Cisco's "HowTo-10-Universal_Switch_Config" and "HowTo-25-Closed_Mode" documents.
According to "HowTo-10-Universal_Switch_Config", in Closed Mode we need to apply an ACL on the switch port as follows:
ip access-list ext ACL-DEFAULT
remark DHCP
permit udp any eq bootpc any eq bootps
remark DNS
permit udp any any eq domain
remark Ping
permit icmp any any
remark PXE / TFTP
permit udp any any eq tftp
remark Drop all the rest
deny ip any any log
But according to "HowTo-25-Closed_Mode", in Closed Mode, we don't apply this ACL on switchport.
So my question is whether the ACL needs to be applied on the switchport or not, and how it will affect the switchport.
Thanks,
Aditya
Hello Aditya,
Very good question. The default ACL will always be there on the switch whether you configure one or not. Check out this document:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_1_se/configuration/guide/3750xcg/sw8021x.html#pgfId-1193896
You have two options:
1. Create your own default ACL to avoid the default one (that only allows DHCP). Your default ACL should be more permissive than the default one. For instance, mine always included "permit ip any any." That way authenticated and authorized hosts are not blocked from accessing any resources on the network.
2. Always return a DACL in your ISE authorization profiles (even if it is just "permit ip any any"). That way the default ACL is removed.
I prefer method number #2 that way I don't have to bother with the default ACL and it also allows me to control traffic based on the different authorization profiles and DACLs that I apply.
I hope this helps!
Thank you for rating helpful posts! -
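To see concretely what the ACL-DEFAULT in the question lets a not-yet-authorized host send, here is an added example (not from the thread or from Cisco) with a small evaluator for the subset of IOS extended-ACL syntax the question uses (`permit|deny <proto> any [eq <port>] any [eq <port>] [log]`, plus `remark`). It matches rules top-down with the implicit deny at the end, so the DHCP, DNS, ICMP and TFTP flows the ACL names are permitted and a plain HTTPS connection is not; it also parses the answer's more permissive "permit ip any any" alternative for comparison. The ACL text is the one from the question; the flows are constructed.

```python
from typing import List, Optional, Tuple

# IOS port keywords used in the ACL, resolved to numbers
PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53, "tftp": 69, "www": 80}

Rule = Tuple[str, str, Optional[int], Optional[int]]  # action, protocol, src port, dst port


def _eq_port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq <port>' at tokens[i]; return (port or None, index after it)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        port = PORT_NAMES.get(name)
        if port is None:
            if not name.isdigit():
                raise ValueError(f"unknown port keyword: {name}")
            port = int(name)
        return port, i + 2
    return None, i


def parse_acl(text: str) -> List[Rule]:
    """Parse ACE lines of the 'any ... any ...' form; skip the header and remarks."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] in ("ip", "remark"):
            continue
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny"):
            raise ValueError(f"unsupported ACE: {raw.strip()}")
        i = 2
        if tokens[i] != "any":
            raise ValueError("only 'any' sources are handled here")
        sport, i = _eq_port(tokens, i + 1)
        if tokens[i] != "any":
            raise ValueError("only 'any' destinations are handled here")
        dport, i = _eq_port(tokens, i + 1)
        rules.append((action, proto, sport, dport))  # trailing 'log' is ignored
    return rules


def evaluate(rules: List[Rule], proto: str, sport: Optional[int] = None,
             dport: Optional[int] = None) -> str:
    """First matching ACE wins; an IOS ACL ends with an implicit deny."""
    for action, rproto, rsport, rdport in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if rsport is not None and rsport != sport:
            continue
        if rdport is not None and rdport != dport:
            continue
        return action
    return "deny"


# The ACL from the question, verbatim
ACL_DEFAULT = """
ip access-list ext ACL-DEFAULT
 remark DHCP
 permit udp any eq bootpc any eq bootps
 remark DNS
 permit udp any any eq domain
 remark Ping
 permit icmp any any
 remark PXE / TFTP
 permit udp any any eq tftp
 remark Drop all the rest
 deny ip any any log
"""
# The answer's permissive alternative
ACL_PERMIT_ALL = "permit ip any any"

# Constructed flows as seen by an inbound ACL on the access port (host -> network)
SAMPLE_FLOWS = [
    ("DHCP discover", "udp", 68, 67),
    ("DNS query", "udp", 51000, 53),
    ("ping", "icmp", None, None),
    ("TFTP read", "udp", 51001, 69),
    ("HTTPS", "tcp", 51002, 443),
]

if __name__ == "__main__":
    default_rules = parse_acl(ACL_DEFAULT)
    open_rules = parse_acl(ACL_PERMIT_ALL)
    for label, proto, sport, dport in SAMPLE_FLOWS:
        print(f"{label:14} ACL-DEFAULT={evaluate(default_rules, proto, sport, dport):6} "
              f"permit-any={evaluate(open_rules, proto, sport, dport)}")
```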
Duplicate IP 0.0.0.0 Conflict on 802.1X Windows 7 Clients
Hi,
Ever since we implemented ISE 1.x with 802.1X authentication about two years ago, a number of our Windows 7 user stations occasionally report the well known error message: "duplicate ip 0.0.0.0". Only wired stations are affected and it happens randomly but not frequently. On further investigation I found that the conflicting device MAC address in every case is in fact the BIA of the switch port that the Windows 7 PC client is connected to. The characteristics of each case are consistent with the Cisco device tracking process as detailed in TAC Document ID: 116529, Updated: Oct 09, 2013
http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/8021x/116529-problemsolution-product-00.html
We have Cisco C6500 access switches with IOS Ver: 12.2(33)SXJ1. The output of the "show ip device track all" command on the switches:
access-switch#sh ip device track all
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 30
I found that Cisco recommends three Solution options as follows:
1. ip device tracking probe delay 10
2. ip device tracking probe use-svi
3. ip device tracking probe interval <seconds>
However, the IOS only shows the track probe "count" and "interval" for change. There is no option to change the probe delay or use-svi in this IOS.
What is your advice?
Many thanks.
Sankung
You may have a look at this document if you have not seen it yet. It goes over device tracking in a little more detail and possible workarounds.
http://tekdigest.blogspot.com/2013/11/windows-7-with-address-conflict-for-ip.html
HTH
luke -
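Both this thread and the first one on the page come down to the same mechanism: IP device tracking makes the switch send an ARP request with sender IP 0.0.0.0 (an RFC 5227 ARP probe) to the host's address, and Windows 7 reports that probe as a duplicate IP owned by the switch port's MAC. The following is an added example (not from either thread, nor Cisco's or Microsoft's code) that decodes Ethernet/ARP frames from a capture and lists which MACs probed a given host with sender IP 0.0.0.0, so an operator can confirm the "conflicting" MAC is the switch port BIA before chasing a real address conflict. The frames are constructed in the block; the switch MAC is a placeholder in the a4:4c:11:44 prefix the first poster quoted.

```python
import struct
from typing import Dict, List, Optional

# Wire formats: 14-byte Ethernet header, 28-byte ARP body for Ethernet/IPv4
ETH_HDR = struct.Struct("!6s6sH")
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")
ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
UNSPECIFIED_IP = b"\x00\x00\x00\x00"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace(".", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(src_mac: str, op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Assemble a broadcast Ethernet/ARP frame (used here only to construct sample input)."""
    eth = ETH_HDR.pack(b"\xff" * 6, mac_bytes(src_mac), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, op, mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


def parse_arp(frame: bytes) -> Optional[Dict]:
    """Decode an Ethernet/IPv4 ARP frame; return None for anything else."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": mac_str(sha),
        "sender_ip": ip_str(spa),
        "target_ip": ip_str(tpa),
        # RFC 5227 ARP probe: an ARP request whose sender protocol address is 0.0.0.0
        "is_probe": op == ARP_REQUEST and spa == UNSPECIFIED_IP,
    }


def probe_sources(frames: List[bytes], host_ip: str) -> List[str]:
    """Sender MACs of ARP probes aimed at host_ip, i.e. the MAC Windows blames for 'duplicate IP 0.0.0.0'."""
    seen: List[str] = []
    for frame in frames:
        arp = parse_arp(frame)
        if arp and arp["is_probe"] and arp["target_ip"] == host_ip and arp["sender_mac"] not in seen:
            seen.append(arp["sender_mac"])
    return seen


# Constructed sample capture (placeholder addresses, not taken from either thread)
SWITCH_MAC = "a4:4c:11:44:00:01"   # stands in for the switch port BIA
GATEWAY_MAC = "00:11:22:33:44:55"
PC_IP = "10.1.1.50"
ZERO_MAC = "00:00:00:00:00:00"
SAMPLE_FRAMES = [
    build_arp(SWITCH_MAC, ARP_REQUEST, SWITCH_MAC, "0.0.0.0", ZERO_MAC, PC_IP),      # device-tracking probe
    build_arp(GATEWAY_MAC, ARP_REQUEST, GATEWAY_MAC, "10.1.1.1", ZERO_MAC, PC_IP),   # ordinary ARP request
    build_arp(SWITCH_MAC, ARP_REQUEST, SWITCH_MAC, "0.0.0.0", ZERO_MAC, "10.1.1.51"),  # probe for another host
]

if __name__ == "__main__":
    for mac in probe_sources(SAMPLE_FRAMES, PC_IP):
        print(f"{PC_IP} probed with sender IP 0.0.0.0 by {mac}; compare with the switch port BIA")
```

On a real capture the frames would come from a pcap reader; the parser only needs the raw Ethernet bytes. A sender MAC that matches the access switch port, together with the probe interval reported by "show ip device track all", is the signature the TAC document above describes, and the fix belongs on the switch (probe delay, use-svi or an SVI address in the user VLAN, where the IOS offers them), not on the Windows client.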
ISE 1.2 - WLC 5508 (7.5x) - Windows 7 802.1X
Hi ,
We deployed ISE 1.2 (patch 3) with 5580 WLC to authenticate machines and users using 802.1x .
We are experiencing a strange issue: randomly some machines authenticate fine over wireless and we are able to see logs on ISE, and the next day the same machine stops authenticating itself and ISE doesn't generate any log. It seems like somehow no request is coming to ISE.
we have checked all the settings including wireless settings ,services, 802.1x settings on the laptop but struggling to find the a reason why randomly machine would work and then not work.
whenever a machine works we see all the logs but when a machine doesnt work no log is generated in ise.
has anyone experienced a similar issue?
Thanks
Thanks, we have figured it out.
The machine auth timer would expire after 12 hours, and ISE had another setting where it would blacklist the client and suppress logs for an hour if it sees more than a certain amount of failed authentication attempts.
Thanks -
ISE 1.2, Supplicant configured for 802.1x but need to MAB
I posted this yesterday but deleted the thread thinking I had fixed the issue - alas I was wrong. In summary I have a scenario where I am doing wired 802.1x and also wired MAB/CWA. The issue is that a certain number of external/BYOD hosts have supplicants configured for 802.1x at their "home" organisations which for obvious reasons can't authenticate on this network. The idea is that MAB and CWA become a fallback but these hosts in question don't efficiently fail to MAB.
If the host has validate server certificates enabled (and doesn't have our root selected) then 802.1x fails and goes to MAB as per the tx timers etc. Hosts that don't validate certificates essentially fail authentication, abandon the EAP session and start new... this process seems to continue for a very long time.
Does anyone have any similar experiences and if so can you provide some info? I am looking into tweaking 802.1x port timers to make this fail quicker/better but am not confident this will fix the issue.
Thanks in advance
Maybe the held-period and quiet-period parameters would help. I would not change the TX period to anything shorter than 10 seconds. Every Cisco doc that I have ever seen has made this same recommendation, and I can tell you from experience that you will at times have devices that authenticate via MAB when you don't want them to if you decrease it lower than 10 seconds.
Read this doc for best practices including the timers listed below.
I hope this link works. http://d2zmdbbm9feqrf.cloudfront.net/2014/eur/pdf/BRKSEC-3698.pdf
If not, go to www.ciscolive365.com (sign up if you haven't already) and search for
"BRKSEC-3698 - Advanced ISE and Secure Access Deployment (2014 Milan) - 2 Hours"
Change the dot1x hold, quiet, and ratelimit-period to 300.
held-period seconds
Configures the time, in seconds for which a supplicant will stay in the HELD state (that is, the length of time it will wait before trying to send the credentials again after a failed attempt). The range is from 1 to 65535. The default is 60.
quiet-period seconds
Configures the time, in seconds, that the authenticator (server) remains quiet (in the HELD state)
following a failed authentication exchange before trying to reauthenticate the client. For all platforms except the Cisco 7600 series Switch, the range is from 1 to 65535. The default is 120.
ratelimit-period seconds
Throttles the EAP-START packets that are sent from misbehaving client PCs (for example, PCs that send EAP-START packets that result in the wasting of switch processing power). The authenticator ignores EAPOL-Start packets from clients that have successfully authenticated for the rate-limit period duration. The range is from 1 to 65535. By default, rate limiting is disabled.