ISE:Doubt on eap-chaining

Similar Messages

• ISE 1.2 EAP Chaining and Windows 8 - Auth failures

  Hi All,
  I've got a couple sites that appear to have issues with EAP chaining, ISE 1.2 and Anyconnect client on windows 8 enterprise.
  Basically the windows 8 machines authenticate intermittently and randomly but largely fail auth. 
  Often the client will work perfectly for a boot even after a few reboots etc and then might stop working.  Other clients won't work at all no mater what settings you configure.
  Outer Method - EAP-FASTv2
  Inner Method - MSChapV2
  ISE 1.2 with Patch 1 (latest)
  Windows 8 Enterprise - with patch http://support.microsoft.com/kb/2743127
  Anyconnect Client  3.1.0466 (latest)
  Machine and User Auth Against AD.
  Cert checks disabled for testing.
  Clients using same configuration.xml file
  Symptom is Anyconnect prompts for username / password instead of using existing credentials.  Typing credentials doesn't work.
  Logs show failed "anonymous" authentications or client EAP timeouts.
  Cheers
  Peter.

  Hi Peter,
  It sounds like the Inner Method is not being negotitated properly so its only reading the Outer Method which by default is set to show "Anonymous" in AnyConnect Profiles.
  Is it possible to upload a PDF version or copy paste the output of the failure from ISE's perspective?
  Kind Regards,
  Vlad

• ISE 1.2 - MAR cache with PEAP vs EAP Chaining

  Does EAP chaining with EAP-FAST v2 and NAM 3.1 present the machine certificate for authentication during each connection to wireless?  It's not still tied to the windows log in event as with PEAP?
  I found this article, but would like to see if anyone has experience working with EAP chaining in ISE.
  https://tswireless.wordpress.com/2012/09/22/cisco-ise-machine-authentication-cache/

  Yes if you set up NAM for EAP-Chaining - Machine and User, and then select EAP-TLS w/cert, nam will send both when a user logs in. When the machine is booting only the machine identity will be sent (because we don't know the users identity before they have attempted to log in).

• ISE EAP-Chaining with machine, certificate and domain credentials

  Good morning,
  A customer wants to do the following for their corporate wireless users (all clients will be customer assets):
  Corp. wireless to authenticate with 2-factor authentication:
  •1. Certificate
  •2. Machine auth thru AD
  •3. Domain creds
  When client authenticates, they want to match on 2 out of the 3 conditions before allowing access.
  Clients are Windows laptops and corporate iPhones.
  Certs can be issued thru GPO and MDM for iPhones
  Client supplicant on laptops is native Windows - which I understand is a compatibility issue from this thread: https://supportforums.cisco.com/thread/2185627
  My first question is: can this be done?
  Second question: how would i implement this from an AuthC/AuthZ perspective?
  Thanks in advance,
  Andrew

  You can do this configuring anyconnect with NAM modules on endpoints! But I don't make sense configure some clients with certificate and others with domains credentials...
  For your information, I'm actually configuring EAP-Chaining on ISE 1.2 and i'm gotting some problems. The first one I got with windows 8, for some reason windows was sending wrong information about the machine password but I solved the problem installing a KB on windows 8 machines (http://support.microsoft.com/kb/2743127/en-us). The second one I got with windows 7 that are sending information correctly about domain but wrong information about user credentials, on ISE logs I can see that windows 7 are sending user "anonymous" + machine name on the first longin... after windows 7 start if I remove the cable and connect again the authentication and authorization happen correctly. I still invastigate the root cause and if there is a KB to solve the problem as I did with windows 8.
  Good luck and keep in touch.
  http://support.microsoft.com/kb/2743127/en-us

• EAP Chaining user, machine, rsa with iSE

  Hi,
  Is there any way to configure the following using ISE and Anyconnect/NAM module:
  eap-chaining:
  1. USER auth, Machine fail = Internet (works)
  2. User auth, Machine auth = limited corporate (works)
  3. User auth, Machine auth, RSA auth = Full (not sure about this one)
  Ideally we'd like the RSA prompts to appear on the successful completion of user/machine auth.
  Alternatively can we prompt RSA, and it that fails still test User/Machine?
  Thanks,

  Please check the following document, will be helpful in your scenarios,
  http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_80_eapchaining_deployment.pdf

• [ISE] EAP-chaining by using EAP-TLS internal authc for machine cert & user cert

  Hi Guys,
  I'm taking the EAP-chaining into our enterprise workspace authenticaiton, now i meet following issue:
  my anyconnect make the network xml profile which decide the method of  eap-fast authencation ,both  the machine authc & user authc are use the cert.
  Then i found that the client always knock the authoraztion policy about the machine authenticaiton(i set this policy result which is permit access), i believe the " EAP-fast result machine & user are passed " , even though its result using the dacl "permit all", but it doesn't knock the following policy.
  and about the result of  machine authentication , i set the "permit access" , is it too loose? but i check the instance and cisco document , everyone told me that this policy rusult " permit access".
  it would be appreciated that anyone can help this issue.
  lately i will upload my policy and live authencation pic catch. Thanks.

  http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf
  Just change the authentication policy to allow the methods you want to use under eap-fast (eap-chaining) and use the same ones in your nam client configuration settings.

• EAP Chaining with Cisco ACS 5.x and the Cisco Anyconnect NAM Client

  Hi Guys,
  Whilst I’m well aware of the limitations of the built in the windows Wireless 802.1x supplicant. Is there a way, using the NAM client to authenticate both a computer and a user simultaneously, when used for authentication to wireless networks?
  As has been posted many times before on this forum, this isn’t possible due to windows not authenticating with the 'computer account' whilst the user is logged in, but with the NAM client it seems possible to do both user and computer authentication based on the options it gives you with EAP-Fast and 'EAP Chaining'.
  Can anyone validate this is possible? I have the design guide for exactly this for Cisco ISE but i need it to work on ACS (5.x).
  Thanks in advance.
  SteveH

  Bobby, I ran into the same issue with the "15015 Could not find ID Store" issue.  It turned out to be an issue with communication between the ACS and AD.  It looked like AD was connected successfully, but until I rebooted ACS, I kept getting the same error.  It was like it couldn't see the AD security groups even though it could scan the AD tree successfully.
  So, try rebooting ACS if you haven't already and see if that resolves the error.

• EAP Chaining with Machine TLS and User PEAP

  We are deploying an ISE based .1x. The design is to use eap-tls for machine and eap-peap for user. Apparently EAP-Chaining is recommended, but can anyone confirm if we can do chaining based on machine TLS and user PEAP. I have done some investigation and could not find any supporting document, but not any document saying not supporting either. Looking at Anyconnect profile editor, it does not look like this configuration is supported. Has anyone done this before?
  Thanks a lot.

  http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf
  Just change the authentication policy to allow the methods you want to use under eap-fast (eap-chaining) and use the same ones in your nam client configuration settings.

• Distributed ISE & Distributed PKI = EAP-TLS issues ... Correct?

  In a distributed ISE deployment with regional intermediate CA, I am getting failed authentication due to " EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain".  Client device have only one client certificate issued from regional intermediate CA. When client device goes across the region, they can't authenticate and gets this "unknown” CA error. The admin node has certificates of all intermediate CAs and root CA.
  One possible solution is to add intermediate CA certificates to all regional Node groups but apparently it is not possible on ISE policy nodes.
  Have a look at the diagram below and let me know you think (Client authentication failure at both location 1 and 3).

  Thanks Jan for reply. And short answer is Yes ....
  we have identified the issue and it has been resolved now. It was down to one of the cert corruption on primary admin.
  It was only identified after going to debug logs in prrt. Verification was done by export that particular cert and analyzing it. Don't know how it got corrupted but it did.
  In CA cert section on primary admin node, it was displaying correct value like issue date etc but when it was exported for analysis, I couldn't open it.
  So moral of the story is that the someone thought that they need to put a status field against every cert on ISE and it wasn't decided how to check its status - no offence.

• ISE 1.2 EAP-TLS handshake to external RADIUS

  Hi everyone!
  I'm trying to implement ISE to authenticate a wireless network using a cisco WLC 5508, I have an ISE virtual Appliance version 1.2  and a WLC 5508 version 7.6 with several 3602e Access Points (20 aproximately).
  Right now they are authenticating with a RADIUS Server (which I don't manage, it's out of my scope), the WLC uses this RADIUS Server to authenticate using 802.1x and EAP-TLS (which means the clients need to have a valid certificate and be in the RADIUS database which is integrated to the Active Directory), I can't touch the CA either. So now I need to authenticate using Cisco ISE instead of the RADIUS Server (at least directly), the problem is that for "security" reasons or whatever they don't let me integrate the ISE to the CA, so I added the RADIUS server as an external identity source and made my authentication Policy rule pointing at it, like this:
  If: Wireless_802.1X          Allow Protocols: Default Network Access          Use: RADIUS
  Then I added ISE as a RADIUS Server on my WLC and made a Test SSID 802.1X pointing to ISE to authenticate and all that, I did some tests and I got this error:
  12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate
  Which means the clients are trying to do the EAP-TLS Process to validate the certificate with the Cisco ISE (but ISE does not have the certificate because they won't let me integrate to the CA directly) so it fails. Is there any way I can do something to redirect that EAP-TLS handshake to the exernal RADIUS Server? Making ISE kind of like a connecting point only for the authentication, I realize it's not the best scenario but giving the circumstances it's the best I can do for now, later on I will add the AD to ISE and start creating some authorization policies based on that, but right now I just want them to authenticate.
  Any help is appreciated, thanks in advance!

• ISE 802.1x EAP-TLS machine and smart card authentication

  I suspect I know the answer to this, but thought that I would throw it out there anway...
  With Cisco ISE 1.2 is it possible to enable 802.1x machine AND user smart card  authentication simultaneously for wired/wireless clients (specifically  Windows 7/8, but Linux or OSX would also be good).  I can find plenty of  information regarding 802.1x machine authentication (EAP-TLS) and user  password authentication (PEAP), but none about dual EAP-TLS  authentication using certificates for machines and users at the same time.  I think I can figure out how to configure such a policy in ISE, but options seem to be lacking on the client end.  For example, the Windows 7 supplicant seems only able to present either a machine or user smart card certificate, not one then the other.  Plus, I am not sure how the client would know which certificate to present, or if the type can be specified from the authenticator.

  Hope this video link will help you
  http://www.labminutes.com/sec0045_ise_1_1_wired_dot1x_machine_auth_eap-tls

• ISE problem with EAP-TLS Supplicant Provisioning

  Hi All,
  I have a demo built using ISE v1.1.3 patch 1 and a WLC using v7.4.100.0 software.  The aim of the demo is to provision a device's supplicant with an EAP-TLS Certificate...  'device on-boarding'
  The entire CWA / Device Registration process is all fine and works well.  I'm using a publically signed Cert on ISE that is built from [Root CA + Intermediate CA + Host Cert] which is used for both HTTPS and EAP and I also have SCEP operating against my Win 2k8 Enterprise Edition CA that is part of my Active Directory.  All of this works fine.
  The problem is that when ISE pushes the WLAN config down to the device, it instructs the Client to check for the Root CA, but the RADIUS processes within ISE are bound to the Intermediate CA.  This leads to a problem where the Client doesn't trust the Certificate presented to it from ISE.  There doesn't seem to be any way to configure this behaviour within ISE.
  Has anybody else encountered this? Know a solution? Have suggestions for a workaround?
  Cheers,
  Richard
  PS - Also using WinSPWizard 1.0.0.28

  Hi Richard,
  This is a misbehavior that ISE is provisioning the intermediate CA certificate during the BYOD registration process in similar (hierarchical certificate authority) scenarios. It is going to be fixed soon. Engineering is almost ready with the fix.
  Istvan Segyik
  Systems Engineer
  Global Virtual Engineering
  WW Partner Organization
  Cisco Systems, Inc
  Email: [email protected]
  Work: +36 1 2254604
  Monday - Friday, 8:30 am-17:30 pm - UTC+1 (CET)

• Cisco ISE Admin and EAP certificate renewal

  Hi board,
  maybe I'm asking a rather dumb question here, but anyway :)
  I'm currently thinking about how to renew an admin/EAP certificate on an ISE node and the effect on the endpoint authentication.
  Here's the thing I do, when I initially install an ISE node
  1.) CSR creation on ISE (PAN) - CN=$FQDN$ and SAN="fqdn as well"
  2.) Sign CSR and bind certificate on ISE node - done
  Now after 10 month or so (if the certificate is valid for one year) I want to renew the ISE admin/EAP certificate.
  CSR creation: I cannot use the $FQDN$ as the CN, because there is still the current certificate (CN must be unique in the store, right?)
  So what to do now? Do I really need to create a temporary SSC and make it the admin/EAP certificate, delete the current certificate and then create a new CSR? There must be a better and more important non-disruptive way of doing this.
  How do you guys do this in your deployments?
  Thanks in advance and sorry again if this is a silly question.
  Johannes

  you can install a new certificate on the ISE before it is active, Cisco recommends that you install the new certificate before the old certificate expires. This overlap period between the old certificate expiration date and the new certificate start date gives you time to renew certificates and plan their installation with little or no downtime. Once the new certificate enters its valid date range, enable the EAP and/or HTTPS protocol. Remember, if you enable HTTPS, there will be a service restart
  Certificate Renewal on Cisco Identity Services Engine Configuration Guide
  http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116977-technote-ise-cert-00.html

• CSCut26025 - Doc. ISE 1.3 certificate chain is not being send till services restarted

  hi,
  i got issues with a chained certificate for the guest portal too. could you please let me know which service/services need to be restarted? or should i restart the whole ise after importing the required certificates?
  regards
  thilo

  Hi,
  You would have to restart the services, there is a note in the Cisco ISE document. Please refer it below:
  If you are using Firefox and Internet Explorer 8 browsers and you change the HTTPS local certificate on a node, existing browser sessions connected to that node do not automatically switch over to the new certificate. You must restart your browser to see the new certificate.
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_cert.html#pgfId-1183856
  Regards,
  Tushar Bangia
  Note : Please do rate post if you find it helpful!!

• Cisco ISE: 802.1x [EAP-TLS] + List of Applicable Hot-Fixes

  Dear Folks,
  Kindly suggest the list of all possible Hot-Fixes required for the Cisco ISE EAP-TLS solution... We have applied 9 HotFixes so far. But, still the connectivity is intermittent. Is there any list for all applicable Hot-Fixes?
  OS = Win 7 SP1 (32/64 Bit) and Win 8
  Thanks,
  Regards,
  Mubasher Sultan

  Hi Mubasher
  KB2481614:      If you’re configuring your 802.1x settings via Group Policy you’ll see      sometimes EAP-PEAP request from clients in your radius server log during      booting even if you’ll set EAP-TLS. This error happened in our case with      1/3 of the boots with some models. The error is caused by a timing problem      during startup. Sometimes the 802.1x is faster and sometimes the Group      Policy is, and if the 802.1x is faster than the default configuration is      taken, which is PEAP. Which lead to a EAP-NAK by the radius server.
  KB980295:      If an initial 802.1x authentication is passed, but a re-authentication      fails, Windows 7 will ignore all later 802.1x requests. This hotfix should      also fix a problem with computers waking up from sleep or hibernation –      but we’ve disabled these features so I can’t comment on them.
  KB976373:      This hotfix is called “A computer that is connected to an IEEE      802.1x-authenticated network via another 802.1x enabled device does not      connect to the correct network”. I can’t comment on this, as we’ve not      deployed 802.1x for our VoIP phones at this point.I would guess it is the      same for Windows 7 too. The linked article tells you to install the patch      and set some registry key to lower the value.
  KB2769121:      A short time ago I found this one: “802.1X authentication fails on a      Windows 7-based or Windows 2008 R2-based computer that has multiple      certificates”. At time of writing I’m not sure if it helps for something      in my setup. According to the symptoms list of the hotfix, it does not,      but maybe it helps for something else, as the one before does.
  KB2736878:      An other error during booting – this time it happens if the read process      starts before the network adapter is initialized. Really seems that they      wanted to get faster boot times, no matter the costs.
  KB2494172:      This hotfix fixes a problem if you’ve installed a valid and invalid      certificate for 802.1x authentication. The workaround is just deleting the      invalid certificate. I’m not sure at this point if it affects also wired      authentication.
  KB976210:This      problem occurs only during automated build processes and if you use an EAP      method which needs user interaction – as I don’t do that I can’t comment      on this hotfix.
  For more information please go through this link:
  http://robert.penz.name/555/list-of-ieee-802-1x-hotfixes-for-windows-7/
  Best Regards:
  Muhammad Munir