ISE, MAB issue

I'm working with the following lab:
ISE 1.1.3.124
3560 running c3560-ipservicesk9-mz.122-55.SE
Cisco AP (1131, 1231).
I'm attempting MAB. The AP is being profiled correctly and I'm seeing successful authen and authz. But the device (AP/whatever) cannot pick up a DHCP address. If I manually assign an IP, then no traffic flows through the switchport. DHCP works fine for ports with no security. The DACL is being applied and should permit the traffic - I've even tried a permit ip any any.
I've attached the switch config and some ISE screenshots / logs.
Some further details below.
Thanks to anyone if you can nudge me in the right direction.
## switch dot1x debug
%MAB-5-SUCCESS: Authentication successful for client (001b.2abc.5de0) on Interface Fa0/2 AuditSessionID C0A863FE000001392E8FE236
3560-1#
%EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 001b.2abc.5de0| AuditSessionID C0A863FE000001392E8FE236| AUTHTYPE DOT1X| EVENT APPLY
%EPM-6-AAA: POLICY xACSACLx-IP-LAB2-WLC-ONLY-5160b7f6| EVENT DOWNLOAD-REQUEST
%EPM-6-AAA: POLICY xACSACLx-IP-LAB2-WLC-ONLY-5160b7f6| EVENT DOWNLOAD-SUCCESS
%EPM-6-IPEVENT: IP 0.0.0.0| MAC 001b.2abc.5de0| AuditSessionID C0A863FE000001392E8FE236| AUTHTYPE DOT1X| EVENT IP-WAIT
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up
3560-1#
%AUTHMGR-5-SUCCESS: Authorization succeeded for client (001b.2abc.5de0) on Interface Fa0/2 AuditSessionID C0A863FE000001392E8FE236
3560-1#sh authentication sessions int fa0/2
            Interface:  FastEthernet0/2
          MAC Address:  001b.2abc.5de0
           IP Address:  Unknown
            User-Name:  00-1B-2A-BC-5D-E0
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  single-host
     Oper control dir:  both
        Authorized By:  Authentication Server
           Vlan Group:  N/A
              ACS ACL:  xACSACLx-IP-LAB2-WLC-ONLY-5160b7f6
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  C0A863FE000001392E8FE236
      Acct Session ID:  0x00000180
               Handle:  0xFC000139
Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
3560-1#sh authentication method mab
Interface  MAC Address     Method   Domain   Status         Session ID
Fa0/2      001b.2abc.5de0  mab      DATA     Authz Success  C0A863FE000001392E8FE236
3560-1#sh ip access-lists
Standard IP access list 10
    10 permit 192.168.99.10 (9814 matches)
    20 deny   any log
Extended IP access list ACL_DEFAULT
    10 permit udp any eq bootpc any eq bootps (71 matches)
    20 permit udp any any eq domain
    30 permit icmp any any
    40 permit udp any any eq tftp
    50 permit ip any host 192.168.99.10
    60 deny ip any any log
Extended IP access list ACL_REDIRECT
    10 deny udp any eq bootpc any eq bootps
    20 deny udp any any eq domain
    30 deny ip any host 192.168.99.10
    40 permit tcp any any eq www
    50 deny ip any any
Extended IP access list xACSACLx-IP-LAB2-WLC-ONLY-5160b7f6 (per-user)
    10 permit udp any eq bootpc any eq bootps
    20 permit udp any any eq domain
    30 permit ip any host 192.168.99.224
    40 deny ip any any log

It is nice to see that you found the resolution: the command “ip dhcp snooping trust” validates DHCP messages received from untrusted sources and filters out invalid messages.
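A small correlation script, added here as an illustration and not part of the original thread, that reads the three outputs quoted above (session table, EPM syslog lines, per-user ACL) and flags the pattern in this post: authorization succeeded and the dACL downloaded, but the switch never learned a host IP (EPM IP-WAIT), so the first thing to verify is the DHCP path, including `ip dhcp snooping trust` toward the DHCP server. The sample strings are constructed from the post's output; the finding codes are my own naming.

```python
import re

# Constructed sample input: the switch output quoted in the post, trimmed to the
# fields this check uses, embedded so the script runs offline.
SESSION_OUTPUT = """\
            Interface:  FastEthernet0/2
          MAC Address:  001b.2abc.5de0
           IP Address:  Unknown
            User-Name:  00-1B-2A-BC-5D-E0
               Status:  Authz Success
               Domain:  DATA
        Authorized By:  Authentication Server
              ACS ACL:  xACSACLx-IP-LAB2-WLC-ONLY-5160b7f6
    Common Session ID:  C0A863FE000001392E8FE236
Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
"""

EPM_LOG = """\
%EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 001b.2abc.5de0| AuditSessionID C0A863FE000001392E8FE236| AUTHTYPE DOT1X| EVENT APPLY
%EPM-6-AAA: POLICY xACSACLx-IP-LAB2-WLC-ONLY-5160b7f6| EVENT DOWNLOAD-SUCCESS
%EPM-6-IPEVENT: IP 0.0.0.0| MAC 001b.2abc.5de0| AuditSessionID C0A863FE000001392E8FE236| AUTHTYPE DOT1X| EVENT IP-WAIT
"""

DACL_OUTPUT = """\
Extended IP access list xACSACLx-IP-LAB2-WLC-ONLY-5160b7f6 (per-user)
    10 permit udp any eq bootpc any eq bootps
    20 permit udp any any eq domain
    30 permit ip any host 192.168.99.224
    40 deny ip any any log
"""


def parse_session(text):
    """Turn 'show authentication sessions interface' output into a dict.

    Key/value lines look like '   IP Address:  Unknown'; the runnable-methods
    table at the end is collected separately under 'methods'.
    """
    session = {"methods": {}}
    in_methods = False
    for line in text.splitlines():
        if line.strip() == "Runnable methods list:":
            in_methods = True
            continue
        if in_methods:
            parts = line.split()
            if len(parts) >= 2 and parts[0] != "Method":
                session["methods"][parts[0]] = " ".join(parts[1:])
            continue
        m = re.match(r"\s*(.+?):\s+(.*)$", line)
        if m:
            session[m.group(1)] = m.group(2).strip()
    return session


def ip_wait_sessions(log):
    """Session IDs for which EPM logged EVENT IP-WAIT (policy waiting on an IP)."""
    return {m.group(1) for m in
            re.finditer(r"AuditSessionID (\S+)\|.*EVENT IP-WAIT", log)}


def dacl_permits_dhcp(acl_text):
    """True if the per-user ACL permits the DHCP client->server exchange."""
    return re.search(r"permit udp any eq bootpc any eq bootps", acl_text) is not None


def diagnose(session_text, log_text, acl_text):
    """Correlate the three outputs; return a list of (code, explanation)."""
    s = parse_session(session_text)
    findings = []
    authorized = s.get("Status") == "Authz Success"
    ip_unknown = s.get("IP Address", "").lower() == "unknown"
    has_dacl = s.get("ACS ACL", "N/A") != "N/A"
    if authorized and has_dacl and ip_unknown:
        findings.append(("DACL_NO_IP", "authorized with dACL %s but no host IP learned; "
                         "the per-user ACL stays unbound until IP device tracking sees "
                         "the host" % s["ACS ACL"]))
    if s.get("Common Session ID") in ip_wait_sessions(log_text):
        findings.append(("EPM_IP_WAIT", "EPM downloaded the policy but is waiting "
                         "on an IP address for this session"))
    if has_dacl and not dacl_permits_dhcp(acl_text):
        findings.append(("DACL_BLOCKS_DHCP", "per-user ACL has no bootpc->bootps permit"))
    elif has_dacl and ip_unknown:
        findings.append(("CHECK_DHCP_PATH", "dACL permits DHCP yet no IP was learned: "
                         "verify DHCP snooping, e.g. 'ip dhcp snooping trust' on the "
                         "port toward the DHCP server"))
    return findings


if __name__ == "__main__":
    for code, why in diagnose(SESSION_OUTPUT, EPM_LOG, DACL_OUTPUT):
        print("%-17s %s" % (code, why))
```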

Similar Messages

  • ISE certificate issue

    Hi,
    I have an ISE certificate issue when I try to authenticate a wireless user with ISE. It shows me this:
    12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
    Please can you help me?
    Regards
    Aristide

    This pretty much means that the authenticating client is not trusting the certificate that is installed in ISE. That certificate is used to build the EAP tunnel that would be used to pass the PEAP credentials. So a couple of questions:
    1. What certificate do you have installed in ISE for EAP?
    2. What certificate is the supplicant set to trust?

  • ISE dot1x and MAB issues

    I am trying to set my ISE to attempt dot1x before mab. If I set up the switchport to try mab first, then ISE does its job and assigns the proper vlan. However, when I set the port up to do dot1x first, the port reverts to the default vlan 1. I am able to manually assign the proper vlan on the port and ISE does not interfere, but that kind of defeats the purpose. The port is on a 4506 and below is the port config. Any direction would be greatly appreciated.
    interface GigabitEthernet5/7
     description 1-151
     switchport mode access
     switchport block unicast
     switchport voice vlan 68
     ip arp inspection limit rate 60
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action authorize vlan 40
     authentication event server dead action authorize voice
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication open
     authentication order mab dot1x
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication timer inactivity 3600
     authentication violation restrict
     mab
     snmp trap mac-notification change added
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    end

    Recently I implemented this for one of our customers; find the switch configuration below.
    aaa new-model
    aaa authentication dot1x default group radius local
    aaa authorization network default group radius local
    aaa authorization auth-proxy default group radius
    aaa accounting delay-start all
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting network default start-stop group radius
    aaa server radius dynamic-author
     client <ISE IP ADDRESS> server-key 7 10471A1C25141B1F0F
    aaa session-id common
    ip device tracking probe use-svi
    ip device tracking
    ip admission name Testing_ISE proxy http inactivity-time 10 list ISE_ALLOWED
    epm logging
    dot1x system-auth-control
    spanning-tree mode rapid-pvst
    spanning-tree loopguard default
    spanning-tree portfast bpduguard default
    spanning-tree extend system-id
    spanning-tree uplinkfast
    spanning-tree backbonefast
    spanning-tree vlan 1-1005 priority 8192
    port-channel load-balance src-dst-ip
    vlan internal allocation policy ascending
    interface range GigabitEthernet X/X
     description "Connected to test PC for ISE testing"
     switchport access vlan x
     switchport mode access
     switchport voice vlan x
     authentication event fail action next-method
     authentication event server dead action authorize vlan 107
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication timer inactivity 180
     authentication violation protect
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    ip http server
    ip http secure-server
    ip access-list extended ISE_REDIR
     deny   udp any any eq bootpc
     deny   udp any any eq bootps
     deny   udp any any eq domain
     deny   ip any host <ISE IP ADDRESS> log
     permit tcp any any eq www
     permit tcp any any eq 443
     deny   ip any any log
    ip access-list extended ISE_ALLOWED
     permit ip any host <ISE IP ADDRESS>
    logging esm config
    snmp-server community string RO
    snmp-server community public RO
    snmp-server community ise RO
    snmp-server trap-source Vlan250
    snmp-server enable traps mac-notification change move threshold
    snmp-server host <ISE IP ADDRESS> version 2c ise  mac-notification
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server host <ISE IP ADDRESS> auth-port 1812 acct-port 1813 key 7 141E010E2C07233F27
    radius-server vsa send accounting
    radius-server vsa send authentication
    Create an Authentication policy in ISE and allow the ISE_REDIR ACL.

  • ISE MAB is not Triggered for Linux Host

    Hello,
    We have configured MAB for hosts that do not support 802.1x, and in general it is working for most of the devices. For some Linux machines, however, MAB is never triggered, i.e. the "debug mab all" and "debug radius" commands do not produce any output for the port. The "show authentication session interface" command shows the 802.1x fail over to MAB, and after that the MAB process starts to run but stays in the running state without finishing.
    If we put another MAB host such as Windows 7 or XP or a printer on the port, it works properly, passing the MAB authentication and getting the assigned VLAN. If we set the port to the normal "switchport mode access" and "switchport access vlan x", the device shows up in the MAC address table of the switch and starts to work.
    As additional steps we have configured "authentication mode open" and "dot1x control-direction in" in order to trigger or start the MAB process by allowing packets out, but in the "show interface" command the input packets counter remains 0, although the output packet counters seem to increase continuously to 1000 and above.
    The IP addresses are static, and it is a requirement, so DHCP may trigger MAB but this is not a choice currently.
    IP device tracking is enabled, but again this did not change anything.
    Any recommendations or workarounds for this problem? Although it seems an endpoint issue, in that it never produces a single packet, there may be some solutions to trigger MAB or to make the switch learn the MAC address of the Linux host, i.e. a keepalive. We are also looking at the host side.
    The port configuration is:
    switchport access vlan 98
    switchport mode access
    ip access-group ACL-ALLOW in
    authentication event fail action next-method
    authentication event server dead action reinitialize vlan 97
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication open
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    authentication violation restrict
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 10
    spanning-tree portfast
    Thanks in Advance,
    Best Regards,

    Hi Ravi,
    Since the Linux is some kind of embedded Linux, we could not get a tcpdump on the PC itself, but tried to see what is going on with a SPAN of this port. What is interesting is that the machine does not produce even a single Ethernet or IP packet and remains completely silent. (We thought DHCP would be a solution, but the configuration file only allows statically assigning an IP address.)
    What we think is that somehow the machine starts to send packets after receiving a packet like Wake on LAN or ARP. As you see in the port configuration, the machine starts in VLAN 98, so in this VLAN it is not possible to get this packet from any other hosts on the same IP subnet, since the IP of the host is in VLAN 6. But in order for ISE to assign this VLAN 6 to the port with MAB, the MAC address of the host needs to be authenticated, which is not occurring because of the silence problem.
    As a workaround to a similar problem, we changed "switchport access vlan 98" to "switchport access vlan 6", and with this configuration the MAC address is learned, the host is authenticated by ISE and the port is assigned to VLAN 6 dynamically, which is observed in the "show authentication session interface" command output. This is also not accepted, because the access port configuration is required to be as standard as possible due to frequent changes of the cabling. So every MAB host should start in a pre-authentication VLAN and go to the final VLAN after authentication and authorization with posture checking or profiling.
    As a second workaround, these kinds of machines are being worked on to support dot1x, but this is a tedious process because often you need to escalate to the producer, and enhancement requests often take a long time to be confirmed or denied.
    Since we meet this problem also with some printers, we think this is a problem of the TCP/IP stack of the operating system of the host. We are searching for some mechanism to make the host start a conversation with a packet, through a keepalive or some other protocol (or a script) that can be enabled.
    Best Regards,

  • ISE mab authentication with Avaya/Nortel switches

    Currently using Cisco ISE 1.1 to authenticate both dot1x and MAB from Cisco switches. Both features are authenticating properly.
    When we use a Nortel/Avaya switch as the authenticator, we are unable to authenticate using MAC bypass (non-EAP, or NEAP, in Avaya talk). The correct authentication policy is found in ISE, but the MAC address is not found in the database. We know it is there because the same MAC is authenticating with the Cisco switch. Dot1x authenticates properly from both the Cisco and Avaya authenticators.
    Could this be an issue with the username/password format in the RADIUS packet from the Cisco?
    Thanks in advance for any assistance.
    -Kurt

    As requested...
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCuc22732
    MAB works from a Cisco switch because the Cisco switch places the MAC address in the Calling-Station attribute and the User-Name attribute. The Cisco ISE platform is looking at the Calling-Station attribute to find the user name. This is the problem.
    The RADIUS RFC says the user name must be in the User-Name attribute. The Calling-Station attribute is not a required field and is used for the phone number of a VoIP phone. Basically, the ISE platform is looking at the wrong field for the MAC address.

  • ISE Provisioning Issues - Public Certificate & EAP-TLS

    Anyone run into issues similar to the below?
    Public certificate bound for HTTPS
    Internal AD certificate bound for EAP
    The issue is that the SPW or native supplicant will be provisioned with the root CA of the public cert, then SCEP enrolls for EAP-TLS with the internal CA; however, as the client device (iPad/iPhone/Android) doesn't get the internal root CA provisioned, it will fail EAP-TLS communication.
    Running ISE 1.1.2 patch 2, 2-node cluster
    Guest portal being used for provisioning if AD credentials are passed
    Works a treat if I bind both HTTPS & EAP to the internal identity certificate (the only issue then is that guests/BYOD devices get certificate warnings on the portal).
    Cheers
    Kam

    The process doesn't fail as such for the onboarding/provisioning on the iPhone; however, when entering domain credentials into the guest portal, which initiates the onboarding/provisioning process, I notice that the root CA certificate prompted to be installed on the iPhone is that of the public certificate instead of the internal root CA. The rest of the user certificate and SCEP process completes properly; however, as the root CA for the internal CA wasn't installed, I get warnings when connecting to our dot1x EAP-TLS SSID.
    On other devices this process fails, which I can only assume is down to the lack of the internal root CA cert.
    So as per the above I'm pretty much following this (differentiated access via certificates):
    http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_60_byod_certificates.pdf
    However, my setup is slightly different, as the EAP & HTTPS identity certificate is not the internal one; I have installed a public cert for HTTPS to remove certificate warnings on the guest portal (as BYOD devices and guests will only have non-domain machines, a public cert removes the certificate warnings).
    Does that clarify any more?
    Cheers
    Kam

  • ISE Replication Issue

    Hi All
    I have a pair of ISE appliances running 1.2.1.198 code.
    I have the 2 nodes setup as primary and secondary and they were synced OK.
    There was a DNS issue in the network and the ISE nodes were not able to resolve the hostname of the other node, so the link between the 2 dropped.
    The DNS issue was resolved but the connection stayed down, and there doesn't seem to be any way to re-initiate the connection.
    My solution was to de-register the secondary node and then register it again. However, although the de-registration seemed to go OK, the secondary node never came back up in standalone mode, so I was unable to register it on the primary again.
    The only solution seemed to be to re-image the appliance.
    This seems a very drastic solution for a simple issue such as DNS failing.
    Does anyone have any useful comments on this issue?

    Hi Neno
    The sync-up button was disabled and wouldn't do anything. That's why I elected to de-register the secondary.
    The de-registration went OK, but when I tried to register the secondary node the message I got was that the node wasn't in 'standalone mode' and therefore couldn't be registered.
    Logging into the secondary showed no options to switch it back to standalone. I attempted to change it from secondary to primary, but that wouldn't work either. The only option left was to re-image.
    Having done the re-image, I was able to register the second node successfully.
    Regards
    Roger

  • Cisco WLC ISE integration issue

    Dear all,
    We have a WLC 5508 and ISE integration; our wireless clients can connect to the Guest or Corporate SSID.
    When connecting to the Corporate SSID, they can obtain an IP address and successfully associate. To use internal services (email, corporate services, etc.) the user needs to download the AirWatch agent and so on, but initially he can use ONLY the internet connection. The issue is that the client randomly reassociates; the client downtime is less than a second. For example, an Android phone shows that periodically it is disconnecting and reassociating again to the SSID. I don't know if it is a bug or some timers need to be configured. Any ideas?

    There is no problem with the non-802.1x SSID.
    Is the problem with the ISE timers?

  • IBNS with ISE, authorization issue

    I'm running the 90-day ISE demo and trying to configure IBNS with it. I love the feel of the interface and almost instantly had a set of policies up and working fine. My issue is this:
    I have an authorization service for machines so before a user logs in, their machine will authenticate to a list of machines in AD. This will give them guest/limited access.
    I have a second authorization service for users. Once the user authenticates to AD, they should get access based on user group or other AD attributes. However once the user authenticates to AD, the previous authorization service that they had before is still enforced. The user is stuck with machine authorization. I figured that it was because the setting was "First Matched Rule Applies" so I switched to Multiple and now after the login, it still matches machine authorization but it now also matches on Default which will deny access...how can something match both authorized and default?
    Because of that I have to make the machine authorization setting open to everything. Can anyone provide any guidance on this issue as config examples and such aren't out yet for ISE and the admin guide wasn't very helpful with this particular issue.
    Thanks
    Xavier

    The problem is that when the user is authorised after the machine is authorised, he still gets Machine Access (number 6). The user is supposed to get Engineer Access based on the IBNS User Authorisation Rule in number 1.
    Comparing 5 and 6, the username for 5 is host/machineName/domain which should be granted Machine Access based on how AD is set up (with a list of hostnames of Domain Computers). In number 6 the username is domain/username which indicates it's a domain user and so he should get engineer access. For some reason, ISE doesn't want to match with the new authorisation rule and just keeps the one that I had before.

  • Cisco ISE CWA issue

    Good Day,
    I have Cisco ISE 1.2 with Cisco 2960 NAD.
    I configured the authorization for the employees successfully, but my issue is with the guest users: the link is not redirected.
    Please advise what I should put in the authentication policy default rule? Deny access?
    And on the switch, should I put the guest connections on specific ports, or do I have to configure a specific VLAN in the authorization profile?
    Appreciate your support,

    In your authorization policy you are giving your Wired-Guest the same result as Wired-Webauth.
    First time through you don't know he's a guest so he hits Wired-Webauth and gets redirected. Second time through, you have him in guest flow, so you know he's an authenticated guest, he hits Wired-Guest, but you send him the same permissions "Web_Auth". Create a profile that you want to give to your authenticated guests - Guest_Allowed for instance.

  • Cisco ISE Deployment issue

    Hi dears,
    I deployed ISE in primary and secondary mode. Then I deregistered the secondary ISE at the primary ISE. Now I want to register the same second ISE in secondary mode on the primary ISE, but this error occurs:
    Unable to register SecondaryISE. Node is not a Standalone node.
    I connected to the secondary ISE and saw the deployment personas:
    Administration: Secondary
    Monitoring: Secondary
    Then I ran the promote-to-primary command; after that ISE logs out, but the problem is not solved.
    version 1.20.8xx on both ISEs
    How do I solve this issue?
    Thanks

    Try promoting the secondary ISE which you have de-registered to standalone, and then try registering it on the primary.

  • 2960S - 15.0(2)SE MAB Issue

    We have a Cisco 2960S configured for TrustSec (802.1x+MAB), with several workstations/users connected to it through their Cisco IP Phones. The users are using 802.1x and their phones are being MAB'd.
    Intermittently, the MAB functionality seems to stall, as seen by the output below. The issue is not isolated to a given port, but does not occur on other switches (3560Gs) in the environment.
    This switch is running 15.0(2)SE.
    The authentication session command does not show a phone, only a workstation:
    NFF-Cat2960S-off#sh authen sess int gi1/0/13
                Interface:  GigabitEthernet1/0/13
              MAC Address:  082e.5f86.4345
               IP Address:  192.168.1.111
                User-Name:  <removed>
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  10
                  ACS ACL:  xACSACLx-IP-ACL-PERMITALL-50bfa391
          Session timeout:  14400s (server), Remaining: 14353s
           Timeout action:  Reauthenticate
             Idle timeout:  N/A
        Common Session ID:  C0A8011600000F4AFC60371C
          Acct Session ID:  0x000010D5
                   Handle:  0xD6000F4B
    Runnable methods list:
           Method   State
           dot1x    Authc Success
           mab      Not run
    CAM shows the phone as connected and communicating (even after a shut/noshut):
    NFF-Cat2960S-off#sh mac add int gi1/0/13
              Mac Address Table
    Vlan    Mac Address       Type        Ports
      10    082e.5f86.4345    STATIC      Gi1/0/13
      10    e804.6212.9903    DYNAMIC     Gi1/0/13
      20    e804.6212.9903    DYNAMIC     Gi1/0/13
    Total Mac Addresses for this criterion: 3
    Interface Configuration: (same as others on this switch and others)
    interface GigabitEthernet1/0/13
    switchport access vlan 10
    switchport mode access
    switchport nonegotiate
    switchport voice vlan 20
    ip access-group ACL-DEFAULT in
    srr-queue bandwidth share 1 30 35 5
    priority-queue out
    authentication event fail action next-method
    authentication event server dead action reinitialize vlan 10
    authentication event server dead action authorize voice
    authentication host-mode multi-auth
    authentication open
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    authentication violation restrict
    mab
    mls qos trust device cisco-phone
    mls qos trust cos
    dot1x pae authenticator
    dot1x timeout tx-period 10
    auto qos voip cisco-phone
    spanning-tree portfast
    service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
    end
    The phone has DHCP, but traffic is being blocked by ACL-DEFAULT, as the switch is not performing MAB to download a more permissive dACL:
    Jan  2 15:21:10.365 EST: %SEC-6-IPACCESSLOGP: list ACL-DEFAULT denied tcp 192.168.20.77(49858) -> 192.168.20.5(2000), 1 packet
    Finally, the switch is reporting that MAB on this port is in an ACQUIRING state, even though the MACs are discovered:
    MAB details for GigabitEthernet1/0/13
    Mac-Auth-Bypass           = Enabled
    MAB Client List
    Client MAC                = Waiting
    Session ID                = C0A8011600000FB006D7DCEA
    MAB SM state              = ACQUIRING
    Authen Status             = FAIL

    Hi,
    Just out of curiosity, can you post your port configuration?
    Thanks.

  • ISE MAB Host Lookup - PAP or EAP-MD5

    In the docs, it says that MAB uses PAP/ASCII or EAP-MD5 to pass the MAC as username / password.
    In the attached setup, MAB is taking place successfully for an iPhone, without having PAP or EAP-MD5 enabled as Allowed Protocols.
    Does the "Host Lookup" under allowed protocols provide for the MAC address to be passed in PAP / EAP-MD5 even if these two protocols are not enabled below under the Authentication Protocols section of the configuration?
    How could we dictate to our switch to start using EAP-MD5 to pass the MAC? If you look at the attached authentication details output, it lists an EAP-Key in the AV Pair. Is that it?
    Thank you.
    Cath.

    Hello Cath-
    Question #1: Yes, I think you are correct. I believe that the "Host Lookup" is the type of "protocol" used to process the MAB. If you look at the top of the authentication session, what do you see under "Authentication Protocol"? My guess is that you see "Lookup" (see attached screenshot).
    Question #2: You can force the switch to use EAP-MD5 by appending "eap" to the "mab" command under the individual ports:
         interface fa0/1
         mab eap
    Things to consider:
         1) If you make that change, the default/built-in condition in ISE "Wired-MAB" will have to be changed, since the Service-Type RADIUS attribute will change from "Call Check" to "Framed." Thus, your MAB devices can easily skip the MAB authentication rule and be denied on the network.
         2) Because the MAC address is sent in clear text in "Attribute 31" (Calling-Station-Id), MAB EAP does not offer any additional security by encrypting the MAC address in the password.
         3) Because the service type for MAB EAP is the same as for an IEEE 802.1X request, the RADIUS server will not be able to easily differentiate MAB EAP requests from IEEE 802.1X requests.
    Here is a good document that you can reference as well:
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-663759.html
    Hope this helps...
    Thank you for rating!

  • ISE : MAB, SoA ...

    Hello,
    I'd like to implement Cisco ISE on my network so that 802.1x authentication will be operational.
    When I take a look at this document: http://www.cisco.com/en/US/docs/security/ise/1.0.4/compatibility/ise104_sdt.html#wp55038
    There are a lot of Catalyst 2950s on my network, and I see that some features aren't supported on these devices: MAB, dACL, SGA.
    What are the consequences of these non-supported technologies? I've found out, for instance, that MAB is used to authenticate devices which don't allow or support 802.1x, so will the printers on my network still work?
    And what about dACL and SGA? Are these features really useful, or isn't it that bad if I can't use them?
    Thanks.

    If you want to manage your limited investment, you can follow a phased implementation approach, though it would be a little laborious. You can swap 2950 switches with 2960 or 3750 wherever you have devices like printers. So you can connect your printers on 2960 or 3750 switches only, and PCs on 2950 switches. Then set up the flexauth (MAB > dot1x) order and priority as required on those switches where printers etc. are connected. Jatin Katyal has rightly suggested this; I agree with him.
    With this approach, you can set up and enable all other features, i.e. profiling, client provisioning, CoA for certain identity groups which are connected on supported switches (2960, 3750).
    Note: Please make sure to review the IOS on your 2960 switches and compare it with the “ISE Network Component Compatibility Document”.

  • ISE - Multiple Issuing Subordinate CAs for EAP Auth?

    Is it possible to utilise multiple issuing subordinate CAs with an ISE implementation? In short, I have a situation where the client wants to issue certificates for one group of users from CA1 and certificates for another group of users from CA2.
    As far as I can see, it is not possible to have two different server certificates installed on a policy node for the purposes of EAP authentication. Is the only way around this to install a policy node per issuing certificate server?

    OK, to add to this, I would really like some clarification on certificate installation for the purposes of EAP-TLS. The Cisco doco is at best vague on this topic. I have a distributed deployment with 2 x Admin, 1 x Monitoring and 2 x PSN. I have installed a public HTTPS server auth cert on each device and all nodes are joined. I would now like to utilise the MS CA cert infrastructure to authenticate EAP-TLS.
    My understanding is that I need the MS CA root cert and subordinate cert on the Admin node, with the subordinate cert ticked for trust for EAP auth. Is there a requirement for a Server Authentication certificate on the Admin node? Going forward with that, is there a requirement to add a Server Authentication certificate to the PSN nodes?
    In addition, back to my first question: is it possible to utilise multiple subordinate CAs for client authentication, and if so, how? I cannot seem to tick trust for EAP on multiple certs.
