ISE : Authentication for IKEv2

Similar Messages

• WLC to ISE authentication for Guest

  Hi Experts,
  Hope if you could guide me with our setup for Guest users. Below is what we are doing
  a)     Guest connects to SSID
  b)     WLC is being used to redirect Guest HTTP to WLC internal Portal
  c)     WLC forwards guest authentication details to cisco ISE [ISE and WLC radius]
  The guest connects to SSID and does get WLC portal for authentication, when the username and password entered on Cisco ISE i see error message as
  'User Identity not found in any of Identity Store' though it is going through correct Store and the Guest name is certainly configured on Cisco ISE. ISE version is 1.2 and WLC is 7.4, please let me know if i am missing anything here.
  Appreciate your help

  The first method is local web authentication. In this case, the WLC redirects the HTTP traffic to an internal or external server where the user is prompted to authenticate. The WLC then fetches the credentials (sent back via an HTTP GET request in the case of external server) and makes a RADIUS authentication. In the case of a guest user, an external server (such as Identity Services Engine (ISE) or NAC Guest Server (NGS)) is required as the portal provides features such as device registering and self-provisioning. The flow includes these steps:
  Please follow below guide for step by step configuration:
  http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml

• ISE - AAA radius authentication for NAD access

  Hi ,
  I have configured the switches to use the ISE as the Radius server to authenticate with , on the ISE i've configured an authentication policy
  for the "NADs" using the "Wired Devices" group which points to the AD indentity source to authenticate against .
  While testing the login access to the switches we've come up with 2 results :
  1.A domain user can indeed login to the switch as intended.
  2.Every domain user which exists in the AD indentity source can login , this is an undesired result .
  So I am trying to search for a way to restrict access to the NADs to only a particular group belonging to the AD , for example the group/ou
  of the IT_department only .
  I haven't been successfull , would appreciate any ideas on how to accomplish this .
  Switch configurations :
  =================
  aaa new-model
  aaa authentication login default group radius local
  ISE Authentication policy
  ==================
  Policy Name : NADs Authentication
  Condition:  "DEVICE:Device Type Equals :All Device Types#Wired"
  Allowed Protocol : Default Network Access
  use identity source : AD1

  Thank you for the quick replys , and now  ok , I've configured the following authorization policy :
  Rule Name : Nad Auth
  Conditions
  if: Any
  AND : AD1:ExternalGroups EQUALS IT_Departments
  Permissions , then PermitAccess
  What I don't understand is that it needs to match an "identity group" which can be either "Endpoint Identity group" or "Users Identity group" , I am limited with the if statement and cannot chose the same device group a choose before .
  How can i do that , i am thinking ahead an asking myself if in other cases a user might match this policy rule and can interfer ?

• 2 Factor Authentication for Anyconnect VPN using ISE

  We are planning to implement dual factor authentication for Anyconnect VPN.
  The end users will be authenticated using domain name in machine certificates and username password with
  ISE used as radius server.
  We have the following approaches to achieve this :-
  1. Use primary and secondary authentication with user credentials as primary authentication
  and CN field of the certificate as secondary authentication.However this option prompts users for password for
  both the fields while we want the machine certificate to authenticate itself without a password.
  2. Second approach is to authenticate using user credentials and authorize the user to access the network if
  the machine certificate has a domain name in CN field which we are able to validate from the AD using
  Dynamic Access Policy.
  We are looking forward for discussions on the above approaches and are open to any other
  solution.

  Hi Umahar,
  Not sure I understood correct. You would like to authenticate the user using machine certificate for anyconnect and want to extract CN attribute the client's certificate and send it to the ISE server for further authenticate with AD. And also you don't want an additional password prompt to be produced to the user.
  If my understanding is correct. Then user would get a prompt for the password atleast because in the machine certificate there won't be password, but to authenticate with RADIUS/TACACS , we need both username and password. So how will the user gets authenticated without password.
  If you are looking a way to just see if the user is present under AD, not exactly and authentication then this might not be possible.

• Cisco ISE authentication failed because client reject certificate

  Hi Experts,
  I am a newbie in ISE and having problem in my first step in authentication. Please help.
  I am trying to deploy a standalone Cisco ISE 1.1.2 with WLC using 802.1x authentication. The user authentication configured to be checked to ISE's internal user database for early deployment. But when the user try to authenticate, they failed with error message in ISE :
  Authentication failed : 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
  I've generate a certificate for ISE using Windows Server CA and replace ISE's self-signed certificate with the new certificate but authentication still failed with the same error message. Must I generate a certificate for WLC also? Please help me in solving this problem.
  Regards,
  Ratna

  Certificate-Based User Authentication via Supplicant Failing
  Symptoms or
  Issue
  User authentication is failing on the client machine, and the user is receiving a
  “RADIUS Access-Reject” form of message.
  Conditions (This issue occurs with authentication protocols that require certificate validation.)
  Possible Authentications report failure reasons:
  • “Authentication failed: 11514 Unexpectedly received empty TLS message;
  treating as a rejection by the client”
  • “Authentication failed: 12153 EAP-FAST failed SSL/TLS handshake because
  the client rejected the Cisco ISE local-certificate”
  Click the magnifying glass icon from Authentications to display the following output
  in the Authentication Report:
  • 12305 Prepared EAP-Request with another PEAP challenge
  • 11006 Returned RADIUS Access-Challenge
  • 11001 Received RADIUS Access-Request
  • 11018 RADIUS is reusing an existing session
  • 12304 Extracted EAP-Response containing PEAP challenge-response
  • 11514 Unexpectedly received empty TLS message; treating as a rejection by the
  client
  • 12512 Treat the unexpected TLS acknowledge message as a rejection from the
  client
  • 11504 Prepared EAP-Failure
  • 11003 Returned RADIUS Access-Reject
  • 11006 Returned RADIUS Access-Challenge
  • 11001 Received RADIUS Access-Request
  • 11018 RADIUS is re-using an existing session
  • 12104 Extracted EAP-Response containing EAP-FAST challenge-response
  • 12815 Extracted TLS Alert message
  • 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the
  Cisco ISE local-certificate
  • 11504 Prepared EAP-Failure
  • 11003 Returned RADIUS Access-Reject
  Note This is an indication that the client does not have or does not trust the Cisco
  ISE certificates.
  Possible Causes The supplicant or client machine is not accepting the certificate from Cisco ISE.
  The client machine is configured to validate the server certificate, but is not
  configured to trust the Cisco ISE certificate.
  Resolution The client machine must accept the Cisco ISE certificate to enable authentication.

• ISE License for WLC

  Hello Experts
  i have ISE with advanced license for 1500 user , and i have WLC 2504 , and i need to integrate the WLC with the ISE to get ISE features for the Wireless users  like posturing , remediation and the authentication as well .
  my question : is the advanced license is enough , or shall i install the Wireless License to the ISE to have the integration...
  your feedback and inputs appreciated....
  Reyad

  Here is some information regarding the different types of licenses -
  http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_man_license.html#wp1074395
  Essentially a wireless license is much like the base license if your deployment is 100 percent wireless, the wireless upgrade is the equivalent to the advanced license once again for only a wireless deployment.
  Base and Advanced covers all (wired, wireless, vpn..etc). there are no restrictions to the deployment model.
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• ISE Licensing for IP Phones nodes

  Hi Guys,
  I'm currently worknig on an ISE design for a network where they have IP Phones for each end user device:
   Switch <--> IP Phone <--> End User Device.
  My concern is the licensing part; i'm not really interested in authenticating or profiling IP Phone nodes. rather i need only to provide full ISE services for End user devices behind IP Phones (Authenitcation,Authorizatino,Posturing....etc.). so i need to order a base and an advanced license that cover ONLY the number of end user devices without accounting for IP Phone units.
  Considering the above requirements ; what is the best deployment scenario to consider when configuring the switch interface that connect to each IP Phone with Single host port authentication (cdp bypass). would the ip phone consume from license count.
  What if we considered doing MAB for IP Phone nides and Dot1x for End users and considering MDA ? would it consume 2 units from total license number of nodes in this case ?
  What is the best practice for deploying and licensing ISE if i Cisco or a Third Party IP Telephony solution and i don't want to autheticate/authorize/profile ip phones ? 
  Thanks,
  Muayad Jallad,

  If you are using Cisco IP phones you can get away with single-host mode on the port which in effect ignores the phone. If the phone is a third party device you will most likely need to use multi-domain authentication and actually use ISE to allow the phone on the network.
  In summary - CIsco phone means potentially no license, if Avaya or other third party you will need to auth and use a license

• 2 factor authentication for third party devices

  Can anyone recommend a 2factor authentication service that will query a OD user database and process authentication for third part devices ie firewall/vpn via RADIUS?

  Yes it is and you have the following options:
  OTP using external RADIUS server and RSA tokens
  EAP-Chaining using the AnyConnect Agent and Cisco ISE
  MAR (machine access restrictions).  If the machine had not performed authentication the user will not be authorized
  Layer 3 security on the Wireless LAN Controller

• My concern about ise authentication types

  Hi,
  Is it possible to bind a certificate to a computer, so that it should be identity of one device only like a mac address?
  If it is not possible then can anyone tell wat is diff between a user or certificate based authentication except the encryption capability. Because some one can export his computer certificate and install it onto anyother computer and can then plug that pc into network even if that pc is not authorized. So where is the security?
  My other point is  when a staff owns a sigle user-id but he can access using that single user id to access the network from multiple devices simulitanously, my question is why cisco ise allows this?  i must have had atleast  this capability not to allow multiple simulitanous connections using a single id
  Any comments

  We do not recommend exporting the private key associated with a  certificate because its value may be exposed. If you must export a  private key, specify an encryption password for the private key. You  will need to specify this password while importing this certificate into  another Cisco ISE server to decrypt the private key.
  Cisco ISE allows for a wide range of variables within authorization policies to ensure that only
  authorized users can access the appropriate resources when they access the network. The initial release
  of Cisco ISE supports only RADIUS-governed access to the internal network and its resources.
  So, I hope both the points are restrictiable by ISE.

• "Team Foundation Server" is preventing authentication for whole team !!

  I am getting 2 errors through the event viewer that prevents TFS 2013 authentication for local domain users, also this error started appearing after having TFS upgraded to [ 12.0.30723.0 (Tfs2013.Update3) ].
  1st
  Error (from administrative events):
  The Execute method of job definition Microsoft.SharePoint.Administration.SPUsageImportJobDefinition (ID a51a0244-765d-433b-8502-0bb0540ad1fd) threw an exception.
  More information is included below.
  Access to the path 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS' is denied.
  Tried so far:-
  - changed the path to another folder from "Diagnostic Logging" in another drive, but still getting the same error.
  2nd
  Error (from application server):
  DistributedCOM error
  The application-specific permission settings do not grant
  Local Activation permission for the COM Server application with CLSID 
  {000C101C-0000-0000-C000-000000000046}
   and APPID 
  {000C101C-0000-0000-C000-000000000046}
   to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20)
  from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
  Which I already got fixed using the following steps on a thread I opened before (but still getting the same error).
  https://social.technet.microsoft.com/Forums/windows/en-US/3896e35c-b99a-4d30-b662-f92d337c8d6f/windows-servers-components-services-and-regedit-permissions-are-grayed-out-for-my-admin-account?forum=winservergen
  Other
  Fixes I tried
  - Found on another topic that it is not sharepoint that is causing the problem, but it is the generated ASP.NET web pages used for testing is causing the memory to fill up due to cashing on RAM, the fix suggested to change IIS cashing from RAM to HD to prevent
  loading up using w3wp.exe from processes. 
  Concern
  - by checking other topics for people having the same problem, it was mentioned that this error appeared after the lastest TFS update, is there is a fix for it ?

  Hi Amr,
  For your first error, you can change the "Diagnostic Logging" path, aslo change the path of the usage and health data connection the same with your ULS log location. Check this
  blog for more detils and make sure you follow the instructions. Restart SharePoint tracing service after the operations. You can also check this
  thread for more references. If you still have any other concerns about SharePoint, you can open a new thread in SharePoint forum for a better response.
  About the second error, seems it's not related to TFS. You can also run TFS best practice analyzer to check if there any configuation issues on your application tier server. However, you can also refer to this
  blog
  to get this issue resolved. If the problem persists, you can elaborate more details about your scenario and the reproduce steps or open a new thread related forum.
  Best regards,

• "Sharepoint 2013" is giving error that prevents local domain users authentication for "Team Foundation Server"

  I am getting 2 errors through the event viewer that prevents TFS 2013 authentication for local domain users, also this error started appearing after having TFS upgraded to [ 12.0.30723.0 (Tfs2013.Update3) ].
  1st Error (from administrative events):
  The Execute method of job definition Microsoft.SharePoint.Administration.SPUsageImportJobDefinition (ID a51a0244-765d-433b-8502-0bb0540ad1fd) threw an exception. More information is included below.
  Access to the path 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS' is denied.
  Tried so far:-
  - changed the path to another folder from "Diagnostic Logging" in another drive, but still getting the same error.
  2nd Error (from application server):
  DistributedCOM error
  The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
  {000C101C-0000-0000-C000-000000000046}
   and APPID 
  {000C101C-0000-0000-C000-000000000046}
   to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
  Which I already got fixed using the following steps on a thread I opened before (but still getting the same error).
  https://social.technet.microsoft.com/Forums/windows/en-US/3896e35c-b99a-4d30-b662-f92d337c8d6f/windows-servers-components-services-and-regedit-permissions-are-grayed-out-for-my-admin-account?forum=winservergen
  Other Fixes I tried
  - Found on another topic that it is not sharepoint that is causing the problem, but it is the generated ASP.NET web pages used for testing is causing the memory to fill up due to cashing on RAM, the fix suggested to change IIS cashing from RAM to HD to prevent
  loading up using w3wp.exe from processes. 
  Concern
  - by checking other topics for people having the same problem, it was mentioned that this error appeared after the lastest TFS update, is there is a fix for it ?

  Hi Kpdn, 
  Thanks for your post.
  All your participation and support are very important to build such harmonious/ pleasant / learning environment for MSDN community.
  We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
  Click
  HERE to participate the survey.

• Open Authentication for Wireless Access

  Hello,
  The standalone implementation of an existing wireless network is configured as Open Authentication with a TKIP Cipher. The client key management is set to WPA PSK.
  What exacly is the authentication for? I see that MAC and EAP are available options. Would these options be used to block or authorize the actual wireless devices that connect to the AP?
  The next thing I see is Client Authenticated Key management and I am using WPA PSK. What exactly happens once I enter thsi PSK from the client? Is it only used to encrypt the data?
  Thanks,
  Kevin

  Hi Kevin,
  Using WPA we can configure  either Enterprise or pre shared key.. Enterprise comprises of EAP and pre shared key is just the PSK..
  if we are using EAP then auth will be done by the RADIUS and the encryotion will still be TKIP.. now coming back to PSK, this is shared key which will authenticate the users locally...
  EAP is more secured auth compared to PSK..
  Now regarding the "auth open" line.. see there are 2 kinds of auth in 802.11.. here while using wireless we need to auth twice, dot11 authentication and followed by the psk or EAP auth.. the auth open statement will force us to get the dot11 auth successful and then we move towards needed auth like PSK or EAP.. and another is Shared auth is very similar to WEP using open auth!!
  in the nut shel we have 3 kinds of auth..
  1> open - Dot11 auth
  2> Shared - Nothing but WEP
  3> 802.1X suite - EAP
  again, the below link may give you some insights as well!!
  http://www.cisco.com/en/US/docs/wireless/access_point/12.2_13_JA/configuration/guide/s13auth.html#wp1035025
  Lemme know if this answered ur question and please dont forget to rate the usefull posts!!
  Regards
  Surendra

• User Authentication for subfolder not working in Web Browser

  We are using Oracle Application Server 10.1.2.3 and Database Server 10.2.0.5 for our application.
  One of the functionalities of the Application is to send emails with attachments.
  The logic is that the Application would generate the attachment file on the Application Server.
  Then a database package uses Oracle's utl_http package/procedures(more specifically utl_http.request_pieces where the single argument is a URL) to pick up the file from the Application Server via URL, attach the file and send the email.
  Exchange and Relay Server is also set in the Application.
  The problem is that the folder containing the folder which stores the attachments is having user authentication set.
  Example : The main folder is /apps/interface, this folder requires a valid user when it is accessed via URL on a web browser.
  Alias created in httpd.conf
  Alias /int-dir/ "/apps/interface/"
  The folder /apps/interface/email/ is the folder where the attachment files are generated and stored.
  Application Server : 10.12.213.21
  Database Server : 10.12.213.22
  Email Server : 10.12.213.44
  Configuration as per httpd.conf
  Alias /int-dir/ "/apps/interface/"
  <Location /int-dir/>
  AuthName "Interface folder"
  AuthType Basic
  AuthUserFile "/u01/app/oracle/as10g/oasmid/Apache/Apache/conf/.htpasswd"
  require user scott
  </Location>
  <Location /int-dir/email>
  Options Indexes Multiviews IncludesNoExec
       Order deny,allow
       Deny from all
       Allow from 10.12.213.21
       Allow from 10.12.213.22
       Allow from 10.12.213.44
  </Location>
  Using the above configuration the Application is able to attach the files and send the email, however, when we access the following URL :
  http://10.12.213.21:7778/int-dir/ - it prompts for user authentication
  However if we use the following URL :
  http://10.12.213.21:7778/int-dir/email/ - it does not prompt for user authentication, and all the files in the folder are displayed in the browser.
  I have tried so many things including AllowOverride, .htaccess, but i am not able to get user authentication for the email folder.
  Please help me if you can.
  Thanking you in advance,
  GLad to give any more information that i can.
  dxbrocky

  Thanks for your response.  I fixed the problem by selecting "full site" or "full website" at bottom of the web page.  After making this selection the zoom function returned.  Thanks again for your interest.

• How to set up and test the Basic Authentication for HTTP protocol

  Hi,
  I tried configuring the password based Basic Authentication for sending xml document using ebMS - HTTP protocol. I set username and password while configuring the transport server for both trading partners. I want to know, is that sufficient for basic authenticaton. When I open the URI http://localhost:7778/b2b/transportServlet, it is not asking any authentication (username/password). Please note that I have not used SSL certificate. Anyone please help me out to configure Basic authentication.

  Hi Ramesh,
  Thanks for ur response. Could you please tell me where to set the Additional Transport header : authtype-basic#realm=myRealm(in which property file). In enqueue code, I could see the following attributes
  queue
  msgID
  replyToMsgID
  from
  to
  eventName
  doctypeName
  doctypeRevision
  msgType
  payload
  attachment
  subscriber
  Is it possible to set username/password in the enqueue attributes?
  Do i need to add username/password and Transport header in the input XML and defined that elements in xsd?

• Authentication for multiple AD domains

  Hello,
  Currently we have MS AD datasource as UME for all our internal portal users. We also have spnego setup for authentication  for our EP 7.0 The user path and group path is of the form   dc=dom1 dc=company dc=domain dc=com.
  Now we are planning to add additional domains to authenticate users .
  Will the configuration differ if they are maintained on a different ldap server altogether or when only the user and group paths are different for the new domains as shown below?  The user path and group path is of the form dc=dom2,dc=company,dc=domain,dc=com and
  dc=dom3,dc=company,dc=domain,dc=com.
  It seems that we have to change the datasource file for the additional ldap scenario.But are both of these the same,Would appreciate if someone could clarify this.
  Rgds

  Vineeth,
  Within the 1 file, you can setup n-number of datasources.  Below is an example.
  As for having SPNego work for only 1 of those datasources (AD domains), I can't say if that will work.  We have SPNego working for all our domains.  There is probably something you can do within AD or your domain controller to limit Kerberos authentication.
  <?xml version="1.0" encoding="UTF-8"?>
  <!-- $Id: //shared_tc/com.sapall.security/630_SP_COR/src/_deploy/dist/configuration/shared/dataSourceConfiguration_ads_readonly_db.xml#6 $ from $DateTime: 2004/08/20 09:55:24 $ ($Change: 17140 $) -->
  <!DOCTYPE dataSources SYSTEM "dataSourceConfiguration.dtd">
  <dataSources>
       <dataSource id="PRIVATE_DATASOURCE1" className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence" isReadonly="false" isPrimary="true">
            <homeFor>
                 <principals>
                      <principal type="group"/>
                      <principal type="user"/>
                      <principal type="account"/>
                      <principal type="team"/>
                      <principal type="ROOT"/>
                      <principal type="OOOO"/>
                 </principals>
            </homeFor>
            <notHomeFor/>
            <responsibleFor>
                 <principals>
                      <principal type="group"/>
                      <principal type="user"/>
                      <principal type="account"/>
                      <principal type="team"/>
                      <principal type="ROOT"/>
                      <principal type="OOOO"/>
                 </principals>
            </responsibleFor>
            <privateSection/>
       </dataSource>
      <dataSource id="PRIVATE_DATASOURCE2" className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence" isReadonly="false" isPrimary="true">
              <homeFor>
                  <principals>
                      <principal type="group"/>
                      <principal type="user"/>
                      <principal type="account"/>
                      <principal type="team"/>
                      <principal type="ROOT"/>
                      <principal type="OOOO"/>
                  </principals>
              </homeFor>
              <notHomeFor/>
              <responsibleFor>
                  <principals>
                      <principal type="group"/>
                      <principal type="user"/>
                      <principal type="account"/>
                      <principal type="team"/>
                      <principal type="ROOT"/>
                      <principal type="OOOO"/>
                  </principals>
              </responsibleFor>
              <privateSection/>
      </dataSource>
      <dataSource id="PRIVATE_DATASOURCE3" className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence" isReadonly="false" isPrimary="true">
              <homeFor>
                  <principals>
                      <principal type="group"/>
                      <principal type="user"/>
                      <principal type="account"/>
                      <principal type="team"/>
                      <principal type="ROOT"/>
                      <principal type="OOOO"/>
                  </principals>
              </homeFor>
              <notHomeFor/>
              <responsibleFor>
                  <principals>
                      <principal type="group"/>
                      <principal type="user"/>
                      <principal type="account"/>
                      <principal type="team"/>
                      <principal type="ROOT"/>
                      <principal type="OOOO"/>
                  </principals>
              </responsibleFor>
              <privateSection/>
      </dataSource>
  </dataSources>