ISE NFR Allowed protocols

Hi all,
I am trying to configure ISE NFR (installed on VMware). I had to start from the only available NFR version 1.0, so I first upgraded to version 1.1.1 (according to the release notes there should be no problem with a straight upgrade), then applied patch 3. Then I started to configure it through the GUI. I found I am not able to create a "New Allowed Protocol Service" in
Policy -> Policy Elements -> Results -> Authentication -> Allowed Protocols
I tried to create a new one, to be able to allow only EAP-TLS authentication for some authentication rule, but whatever I tried I always got the error message "Can't create new service" after clicking <Submit>.
I just upgraded to version 1.1.2 but this issue is still there.
Has anybody been in the same situation? Any advice how to solve this?
Thanks for any help
Pavel

I haven't upgraded to 1.1.2 yet as I am traveling. However, the plan is to get it done over the weekend. I will post the results there. Although, I have noticed that the upgrades can drastically vary based on the amount of resources allocated to the VM. Mine is running on my local laptop in Virtual Workstation with minimal resources so upgrades take forever.

Similar Messages

  • Upgraded ISE NFR to 1.2 - now I can't apply patch 1 or 2

    I have upgraded my ISE NFR to 1.2.  Upgrade went fine, authz/authn config still in place and works with switch and WLC.  The problem is now trying to apply a patch to 1.2.
    If I try to apply patch1 or patch2, the CLI says it's already installed. They definitely aren't!
    Anyone seen this in an NFR or normal license upgrade?
    I am facing my first customer upgrade imminently and something like being unable to patch it afterwards isn't going to go down well!

    Have you attempted your patch from both the CLI and the GUI?  I had a customer who had issues upgrading their ISE from the GUI and the CLI worked fine, only issue was that each ISE node had to be patched from the CLI, as the patches didn't get pushed as they would from the GUI.  If that's not working for you, I still wouldn't worry much about it, I've successfully patched in your exact scenario so perhaps you have an isolated incident.

  • ISE NFR kit is a preconfigured VM. How to integrate it on existing demo scenario?

    Hello,
    Just got an ISE NFR kit.
    I actually thought that this would just as any other Cisco product where you get a license that will limit your amount of registered devices.
    Instead we get a preconfigured VM, tuned and tweaked to work on a corp.rf-demo domain.
    The problem that I have that will lead to my question is:
    - I have set up a fairly complex scenario using ISE on Evaluation license, using own lab/demo infrastructure, meaning specific DNS, AD, PKI, etc.
    - from past tests I have discovered that ISE will NOT accept you changing the FQDN of the machine on the CLI, as internal variable substitution is done based on the initial setup FQDN - for instance for CWA or CPP URL redirection.
    - I'd really like to simply license the scenario I already have so that it become part of our somewhat permanent demo showroom.
    My questions are:
    - is it possible to simply get an NFR license that you can install on a VM, and turn an Eval deployment into an NFR one? Cisco Licensing just told me that the NFR part number is non-licensable. Does anybody have another idea?
    - instead, is it possible to successfully change the FQDN name of the ISE NFR VM into whatever FQDN we need it to be, in case I do find the time to rebuild the entire configuration in this VM?
    I have tried adding the NFR VM into my existing deployment as a secondary Admin node, but its license just got overridden by the eval one, as it should.
    I'm assuming that if I back up the existing deployment and restore it to the NFR VM, the license will also get overridden. Can anybody confirm?
    Thanks for any help/ideas.
    Gustavo

    Hello Gustavo,
    If you resolve this please assist me :
    1)  Is it possible to customise the NFR version of ISE?
    2)  would we be able to get an extended evaluation license, both base and advanced, to apply to our lab ISE node.?
    ISE NFR 1.2 software - logging not working after changing the IP address of ISE. It is not possible to delete the "Remote Logging Targets" which includes itself and the IP address 10.1.100.21. Please advise on how to customize.

  • Cisco ISE NFR

    Hi All
    I have just got ISE NFR 1.2 and I couldn't find a document that shows the credentials or even how it is preconfigured. After searching I found a thread that says the ISE credential is admin\default1A but it didn't work for me and I had to break it, but I have other issues:
    1- I still need the Linux VM credential
    2- a document that shows the installation process
    3- the NFR team support email
    thanks in advance

    The USB key that the NFR shipped with should have had a readme, but if you don't see it the readme references this article that has all of the information you will need.
    You will have to login with your partner credentials to access the link.
    https://communities.cisco.com/docs/DOC-36078

  • ISE NFR expand disk to 200gb

    Hi,
    I have an ISE NFR server running 1.1.1.268 which I have upgraded to 1.2, which works fine, except for one minor thing: the disk required is 200GB, and the NFR is created with 60GB, and so I get a lot of alarms in the GUI. I know I could probably just disable the alarm, but I would like to know if there is any way of resizing the disks in ISE? I resized in my VM settings, but I have no apparent way of making ISE resize the actual filesystem partition.

    I solved the problem the following way:
    I installed a completely new ISE with the HW-requirements met and added that to my NFR-deployment. Then change roles (in my case add another ISE) and later remove the original one.
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni

  • ISE NFR VMWare - Default username and password

    Hi,
    i've just installed the NFR USB version of ISE on an ESXi server.
    The ISE boots just fine, but the default username/password (admin/cisco) doesn't work.
    I'm trying to login to the Red Hat to set correct ip address etc.
    The partno is:
    ISE-1.0-MR2-NFR-USB
    Anyone who have tried to install this and been able to login?
    Thanks in advance
    /Torben

    That's correct for the ISO install.
    But this is the NFR (Not-For-Resale) version on a USB stick.
    It's a complete VMware image, that is booting up the CLI (which is a RedHat :o) asking for a predefined username and password.
    It's not asking for a new username/password combination, since the installation step has been provided by Cisco.
    But no one seems to know this username/password.
    /Torben

  • ABGN - controlling allowed protocols - IOS based 1140 ap

    So I wonder if someone has done all this leg work yet and if so could you give us your impressions... I am waiting for a new network card for my laptop so I can do some N testing.  We have a mix of 1100,1130 and some 1140 access points with all of them eventually being upgraded to 1140s.
    What I want to do is give the N users the best chance to have great throughput. I figure the best way to do this is allow N on the 5.8Ghz radio and allow G and N on the 2.4Ghz radio. With that in mind I have the following questions.  We have a WLSE and are still using IOS mode for our access points.
    I know the easy way to disable B on the 2.4Ghz radio is not allow 11mbps or lower.
    No problem ... I don't want B anymore. Is there a different command to do this?
    Also what IOS command do I use to determine if there are any people using B?
    If G and N are allowed on the 2.4Ghz radio do they both work at the same time?
    If there are G connections does it change the modulation away from the best/N modulation?
    If I want N only on 2.4Ghz do I disable every speed below 54 mbps? Is there a better way to disable G?
    If A and N are allowed on the 5.8Ghz radio do they both work at the same time?
    If there are A connections does it change the modulation away from the best/N modulation?
    If I want N only on 5.8Ghz do I disable every speed below 54 mbps?
    Thanks
    Joe

    There are plenty of places to find this information and I was able to go read up on it before anyone gave impressions.
    Here are the answers I have found.
    Basically disabling the rate of the protocol you don't want to use seems to be the best way to eliminate that protocol altogether.  For example you can disable N on the 2.4 ghz radio by not allowing speed m0-m15 (I guess ).
    If you enable N on the 2.4ghz radio you can't enable bonding so there is no need to worry about enhanced throughput on 2.4.
    Although you will experience better throughput since N interacts with the radio and other clients in such a way that it will perform better when connected at 2.4.
    The same is not true of the 5.8ghz radio you can enable bonding so you will get better throughput.  I still have not found out exactly how A interferes with N but I am not going to worry about it since new devices will have N.
    I have configured my access point identically as before but enabled the 5.8ghz radio, enabled beam forming on both radios and allowed bonding on the 5.8ghz radio.
    I suppose I was confused on the modulation and speed thing, they go hand in hand, so if your N client is sharing the radio with a G client you will be stuck using the modulation and speed of the G client.  (I may still be confused, someone clarify this for me?)  Although N supports High Throughput (HT) in all cases which makes it interact with the AP better?
    Anyhow no matter how confused I am the bottom line that I understand is "Don't try to do anything special with your 2.4ghz radio (except for beamform) and do it all on the 5.8 radio since it has so many more channels you can now bond a couple of them" (I originally thought N on 2.4 would allow G to work on a single channel and N to bond and still interoperate).  When upgrading access points with the improved antenna MIMO 5.8ghz will work almost exactly as good as the old 2.4 and 2.4 will have about 20% better coverage. Previously I found that 5.8ghz was useless and never used it.  The design guide seems to skim over A interfering with N on 5.8 except for saying there are not enough A clients to worry about, throughput will still be better and A is on its way out...
    Lastly bonding on 2.4 is not supported by any of the new N chipsets even intel.

  • Problems with Authorization Policy, the USER has expired and the ISE is allowing access.

    Hi,
    My end customer reported an issue with ISE 1.1.4-218.
    The GUEST user is expired but can still authenticate in the WLAN.
    Is that a known issue/bug?
    Thanks!
    Regards,
    Rafael Eloi

    Check if the option in the configuration part of the Authentication process = CONTINUE.
    For example, when you use CWA, the IF AUTHENTICATION FAILED Option = CONTINUE so the MAB Auth always fails but based on that Option your connection continues so you are actually redirected using the AUTHORIZATION Policy.
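The answer above turns on the per-rule advanced options of an ISE authentication rule (Reject / Continue / Drop for "If authentication failed", "If user not found" and "If process failed"). The following Python model, added here as an illustration and not code from the thread or from ISE, shows why "Continue" is right for MAB+CWA but lets an expired guest through on a WLAN whose authorization policy has a permissive catch-all rule. The class and function names, the treatment of an expired account as an authentication failure, and the two sample policies are assumptions made for the example.

```python
"""
Model of the per-rule "advanced options" of an ISE authentication rule
(Reject / Continue / Drop) and of what they mean for an expired guest account.
Hypothetical model written for this thread; the enum and class names are
assumptions, not ISE code.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Union


class Outcome(Enum):
    REJECT = "reject"      # send Access-Reject to the NAD
    CONTINUE = "continue"  # go on to the authorization policy anyway
    DROP = "drop"          # discard the request (ISE step 22062 in the logs)


class AuthEvent(Enum):
    PASSED = "passed"
    AUTH_FAILED = "auth_failed"        # wrong password, expired or disabled account (assumption)
    USER_NOT_FOUND = "user_not_found"  # identity not in any selected store
    PROCESS_FAILED = "process_failed"  # identity store unreachable


@dataclass
class AuthRule:
    name: str
    if_auth_failed: Outcome
    if_user_not_found: Outcome
    if_process_failed: Outcome


@dataclass
class AuthzResult:
    profile: str
    full_access: bool  # False for a redirect/limited-access profile (e.g. CWA)


# An authorization policy is modelled as: "did authentication pass?" -> result
AuthzPolicy = Callable[[bool], AuthzResult]


def authentication_stage(rule: AuthRule, event: AuthEvent) -> Outcome:
    """What the authentication stage does with one request under this rule."""
    if event is AuthEvent.PASSED:
        return Outcome.CONTINUE
    return {
        AuthEvent.AUTH_FAILED: rule.if_auth_failed,
        AuthEvent.USER_NOT_FOUND: rule.if_user_not_found,
        AuthEvent.PROCESS_FAILED: rule.if_process_failed,
    }[event]


def evaluate(rule: AuthRule, event: AuthEvent, authz: AuthzPolicy) -> Union[str, AuthzResult]:
    """End-to-end result: 'Access-Reject', 'Dropped' or the authorization result."""
    stage = authentication_stage(rule, event)
    if stage is Outcome.REJECT:
        return "Access-Reject"
    if stage is Outcome.DROP:
        return "Dropped"
    return authz(event is AuthEvent.PASSED)


def audit_rule(rule: AuthRule, authz: AuthzPolicy) -> List[AuthEvent]:
    """Failure events for which the rule still ends in a full-access profile.
    A non-empty list is the misconfiguration described in the thread."""
    leaks = []
    for event in (AuthEvent.AUTH_FAILED, AuthEvent.USER_NOT_FOUND, AuthEvent.PROCESS_FAILED):
        result = evaluate(rule, event, authz)
        if isinstance(result, AuthzResult) and result.full_access:
            leaks.append(event)
    return leaks


# --- constructed sample policies (not from the thread) ----------------------

def guest_wlan_authz(auth_passed: bool) -> AuthzResult:
    """Guest WLAN with a catch-all rule that permits everything that reaches it."""
    return AuthzResult("PermitAccess", full_access=True)


def cwa_authz(auth_passed: bool) -> AuthzResult:
    """MAB + CWA: unknown endpoints are redirected to the portal, known ones permitted."""
    if auth_passed:
        return AuthzResult("PermitAccess", full_access=True)
    return AuthzResult("CWA-Redirect", full_access=False)


GUEST_RULE_CONTINUE = AuthRule("Guest-WLAN", Outcome.CONTINUE, Outcome.CONTINUE, Outcome.DROP)
GUEST_RULE_REJECT = AuthRule("Guest-WLAN", Outcome.REJECT, Outcome.REJECT, Outcome.DROP)
MAB_RULE = AuthRule("MAB", Outcome.REJECT, Outcome.CONTINUE, Outcome.DROP)

if __name__ == "__main__":
    expired = AuthEvent.AUTH_FAILED
    print(evaluate(GUEST_RULE_CONTINUE, expired, guest_wlan_authz))  # PermitAccess: the symptom
    print(evaluate(GUEST_RULE_REJECT, expired, guest_wlan_authz))    # Access-Reject
    print(evaluate(MAB_RULE, AuthEvent.USER_NOT_FOUND, cwa_authz))   # CWA-Redirect: intended use
    print(audit_rule(GUEST_RULE_CONTINUE, guest_wlan_authz))         # the two leaking events
```

The point of `audit_rule` is that "Continue" is only safe when every authorization rule a failed request can match yields a limited-access result (redirect, quarantine); an 802.1X guest rule with "Continue" and a PermitAccess catch-all admits an expired account exactly as reported.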

  • ISE 1.2 and EAP-MD5

    Hi,
    I have HP ProCurve switches that need to get authenticated with EAP-MD5 but I can't get it to work in ISE 1.2 with patch 2.
    We have tried all combinations for EAP-MD5 in allowed protocols but get the same message when trying to authenticate.
    The ISE deployment does not run in FIPS 140-2 mode.
    And when using the switch with NPS we get this to work, so switch configuration is ok.
    Failure Reason:  12003 Failed to negotiate EAP because EAP-MD5 not allowed in the Allowed Protocols
    Resolution: Ensure that the EAP-MD5 protocol is allowed by ISE in Allowed Protocols.
    Root cause :The client's supplicant sent an EAP-Response/NAK packet rejecting the previously-proposed EAP-based protocol, and requesting to use EAP-MD5 instead. However, EAP-MD5 is not allowed in Allowed Protocols.
    Any thoughts on this?
    Cheers

    Choose Policy > Policy Elements > Results >Authentication > Allowed Protocols
    Select EAP-MD5—Check the Allow EAP-MD5 check box and check Detect EAP-MD5 as Host Lookup check box.
    Save the Allowed Protocol service.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**
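Failure reason 12003 is the server side of the EAP negotiation described in the root cause above: ISE proposes a method, the supplicant answers with EAP-Response/NAK naming the type it wants, and ISE can only accept a type that is ticked in the Allowed Protocols service. The Python model below, added as an illustration and not ISE code, walks through that exchange for the EAP-MD5 case. `AllowedProtocols`, `negotiate`, the FIPS rule (modelled as "EAP-MD5 is removed when FIPS mode is on") and the service names are assumptions; the EAP type numbers and the NAK type are the RFC 3748 / IANA values.

```python
"""
Model of the EAP method negotiation behind ISE failure reason 12003
("Failed to negotiate EAP because EAP-MD5 not allowed in the Allowed Protocols").
Hypothetical model for this thread; AllowedProtocols/negotiate are assumed names,
not ISE code. Type numbers are the IANA EAP method types.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

EAP_TYPE = {"EAP-MD5": 4, "EAP-TLS": 13, "LEAP": 17, "PEAP": 25,
            "EAP-MSCHAPv2": 26, "EAP-FAST": 43}
EAP_NAK = 3  # EAP-Response type 3 = NAK (RFC 3748 section 5.3)

# Methods that derive no keying material: usable on a wired switch port, but they
# cannot protect a wireless link (no MSK for the 802.11i 4-way handshake).
NO_KEY_DERIVATION = {"EAP-MD5"}


@dataclass
class AllowedProtocols:
    """One Allowed Protocols service: the EAP methods ticked, in proposal order."""
    name: str
    methods: Tuple[str, ...]
    fips_mode: bool = False  # assumption: FIPS mode removes MD5-based methods

    def permitted(self) -> Tuple[str, ...]:
        if self.fips_mode:
            return tuple(m for m in self.methods if m != "EAP-MD5")
        return self.methods


@dataclass
class EapMessage:
    sender: str                    # "server" (ISE) or "client" (supplicant)
    eap_type: int
    payload: Tuple[int, ...] = ()  # for a NAK: the desired type(s)


def negotiate(allowed: AllowedProtocols, supplicant_methods: Sequence[str]):
    """Simulate ISE proposing its first permitted method and the supplicant either
    accepting it or replying with EAP-Response/NAK listing the types it supports.
    Returns (negotiated_method, failure_reason, transcript)."""
    transcript: List[EapMessage] = []
    permitted = allowed.permitted()
    if not permitted:
        return None, "no EAP method is enabled in Allowed Protocols", transcript
    proposed = permitted[0]
    transcript.append(EapMessage("server", EAP_TYPE[proposed]))      # EAP-Request proposing it
    if proposed in supplicant_methods:
        transcript.append(EapMessage("client", EAP_TYPE[proposed]))  # EAP-Response of that type
        return proposed, None, transcript
    desired = tuple(EAP_TYPE[m] for m in supplicant_methods)
    transcript.append(EapMessage("client", EAP_NAK, desired))       # EAP-Response/NAK
    for method in permitted[1:]:                                    # pick a permitted type the client wants
        if EAP_TYPE[method] in desired:
            transcript.append(EapMessage("server", EAP_TYPE[method]))
            return method, None, transcript
    wanted = supplicant_methods[0]
    reason = f"12003 Failed to negotiate EAP because {wanted} not allowed in the Allowed Protocols"
    return None, reason, transcript


def review_service(allowed: AllowedProtocols, medium: str) -> List[str]:
    """Defender's sanity check: flag key-less methods on wireless services."""
    warnings = []
    for m in allowed.permitted():
        if m in NO_KEY_DERIVATION and medium == "wireless":
            warnings.append(f"{m} derives no keys; do not enable it on a wireless service")
    return warnings


# Constructed services, not the thread's own configuration
WIRED_SWITCHES = AllowedProtocols("Wired-Switches", ("EAP-TLS", "EAP-MD5"))
DEFAULT_LIKE = AllowedProtocols("Default-Like", ("EAP-TLS", "PEAP"))

if __name__ == "__main__":
    print(negotiate(DEFAULT_LIKE, ["EAP-MD5"])[1])   # the 12003 message from the thread
    print(negotiate(WIRED_SWITCHES, ["EAP-MD5"])[0])  # EAP-MD5 once the box is ticked
```

With the service that has EAP-MD5 ticked, the transcript shows the three messages the root-cause text describes (proposal, NAK with type 4, acceptance); with the default-like service the same NAK ends in 12003.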

  • ISE 1.2 Error Messages

    Hi forum,
    We have an ISE deployment that we are lab testing.
    This is running v1.2.0.899 with Patch 2 installed.
    We have an authC policy configured for domain-joined computers for 802.1x and domain credentials:
         Condition: Wired_802.1X
         Allow Protocols: PEAP_CHAPv2
         Use: AD
    This works, and authenticates both the machine (pre-login) and user (post-login).
    However, I am seeing some errors in the Auth logs before the 5200 Authentication succeeded message.
    These messages are not shown in the Cisco ISE Log Messages spreadsheet!
        5441 Endpoint started new EAP session while the packet of previous EAP session is being processed. Dropping new session.
        5405 RADIUS Request dropped
        5440 Endpoint abandoned EAP session and started new
    Has anybody else experienced this or can explain why I am seeing this behaviour?
    All helpful responses rated!
    Thanks Ash.

    This is an external defect but duplicate of
    CSCui21439    message texts do not reflect 1.2 added/modified value
    I'm going to paste the description/content here from the defect.
    Environment:
    Build: 1.2.0.891
    install from iso and configured from scratch.
    Deployment:
    Node1: pri(A), Pri(M),PDP
    Node2: Sec(A)
    Node3: Sec(M)
    Node4: PDP
    Node5: PDP
    Node4 and Node5 were placed in node group.
    Procedure:
    1. configured multiple nics on node4 and node5 with ip address and host alias.
    2. Configured policy sets to serve requests coming for eth0 and eth1.
    3. tried round-trips ( BYOD flows ) with both eth0 and eth1.
    Observation:
    1. Under the live authentications page, the admin could see events having the below failure reasons without event details (i.e. the event column is blank):
    "5441 Endpoint started new EAP session while the packet of previous EAP session is being processed. Dropping new session."
    "5440 Endpoint abandoned EAP session and started new"
    2. But under Operations > Reports > Auth service status > Radius errors report, event details are shown,
    so the problem is that in reports the admin is able to see event details for the above failure reasons but not in the live authentications page.
    So there is no functional impact, as the admin can see event details from the reports section.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • ISE 1.2 EAP-TLS handshake to external RADIUS

    Hi everyone!
    I'm trying to implement ISE to authenticate a wireless network using a Cisco WLC 5508. I have an ISE virtual appliance version 1.2 and a WLC 5508 version 7.6 with several 3602e access points (20 approximately).
    Right now they are authenticating with a RADIUS server (which I don't manage; it's out of my scope). The WLC uses this RADIUS server to authenticate using 802.1X and EAP-TLS (which means the clients need to have a valid certificate and be in the RADIUS database, which is integrated with Active Directory); I can't touch the CA either. So now I need to authenticate using Cisco ISE instead of the RADIUS server (at least directly). The problem is that for "security" reasons or whatever they don't let me integrate ISE with the CA, so I added the RADIUS server as an external identity source and made my authentication policy rule point at it, like this:
    If: Wireless_802.1X          Allow Protocols: Default Network Access          Use: RADIUS
    Then I added ISE as a RADIUS Server on my WLC and made a Test SSID 802.1X pointing to ISE to authenticate and all that, I did some tests and I got this error:
    12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate
    Which means the clients are trying to do the EAP-TLS process to validate the certificate with Cisco ISE (but ISE does not have the certificate because they won't let me integrate with the CA directly), so it fails. Is there any way I can redirect that EAP-TLS handshake to the external RADIUS server, making ISE kind of like a connecting point only for the authentication? I realize it's not the best scenario, but given the circumstances it's the best I can do for now. Later on I will add the AD to ISE and start creating some authorization policies based on that, but right now I just want them to authenticate.
    Any help is appreciated, thanks in advance!

  • ISE 1.2 Auth Avg Response Time

    Hi Guys,
    We have recently moved to ISE 1.2 (distributed deployment on UCS C220 blades) from ACS 5.x. We are seeing an average auth response time of ~150ms on each PSN node (4 in total) and wonder whether this is too slow.
    Is this normal or should we have a much lower average response time for those RADIUS authentications? What are the typical values you guys observed in those sorts of deployments?
    Any input would be much appreciated
    Rasika

    Hi,
    Where did you get your information from? Is it from the ISE Authentication Report Summary? If so, which of the Average responses are you concerned about? Authentications By Day, Identity Group, Identity Store, Allowed Protocol etc.
    In my network average response based on protocol PEAP is 121ms. Authentication by day is 74ms. Then again my network may be smaller than yours. Also I have an appliance and not a Virtual Server. In my opinion, I don't think 150ms is that much to make the user notice. If authentication response gets close to 300ms, then you have an issue.
    If you have a very large network like a University Campus, then 150ms is OK.

  • ISE 1.1 - 24492 Machine authentication against AD has failed

    We implement Cisco ISE 802.1X and Machine Authentication With EAP-TLS.
    Authentication Summary
    Logged At:
    March 11,2015 7:00:13.374 AM
    RADIUS Status:
    RADIUS Request dropped : 24492 Machine authentication against Active Directory has failed
    NAS Failure:
    Username:
    [email protected]
    MAC/IP Address:
    00:26:82:F1:E6:32
    Network Device:
    WLC : 192.168.1.225 :  
    Allowed Protocol:
    TDS-PEAP-TLS
    Identity Store:
    AD1
    Authorization Profiles:
    SGA Security Group:
    Authentication Protocol :
    EAP-TLS
     Authentication Result
    RadiusPacketType=Drop
     AuthenticationResult=Error
     Related Events
     Authentication Details
    Logged At:
    March 11,2015 7:00:13.374 AM
    Occurred At:
    March 11,2015 7:00:13.374 AM
    Server:
    ISE-TDS
    Authentication Method:
    dot1x
    EAP Authentication Method :
    EAP-TLS
    EAP Tunnel Method :
    Username:
    [email protected]
    RADIUS Username :
    host/LENOVO-PC.tdsouth.com
    Calling Station ID:
    00:26:82:F1:E6:32
    Framed IP Address:
    Use Case:
    Network Device:
    WLC
    Network Device Groups:
    Device Type#All Device Types,Location#All Locations
    NAS IP Address:
    192.168.1.225
    NAS Identifier:
    WLC-TDS
    NAS Port:
    4
    NAS Port ID:
    NAS Port Type:
    Wireless - IEEE 802.11
    Allowed Protocol:
    TDS-PEAP-TLS
    Service Type:
    Framed
    Identity Store:
    AD1
    Authorization Profiles:
    Active Directory Domain:
    tdsouth.com
    Identity Group:
    Allowed Protocol Selection Matched Rule:
    TDS-WLAN-DOT1X-EAP-TLS
    Identity Policy Matched Rule:
    Default
    Selected Identity Stores:
    Authorization Policy Matched Rule:
    SGA Security Group:
    AAA Session ID:
    ISE-TDS/215430381/40
    Audit Session ID:
    c0a801e10000007f54ffe828
    Tunnel Details:
    Cisco-AVPairs:
    audit-session-id=c0a801e10000007f54ffe828
    Other Attributes:
    ConfigVersionId=7,Device Port=32768,DestinationPort=1812,RadiusPacketType=AccessRequest,Protocol=Radius,Framed-MTU=1300,State=37CPMSessionID=c0a801e10000007f54ffe828;30SessionID=ISE-TDS/215430381/40;,Airespace-Wlan-Id=1,CPMSessionID=c0a801e10000007f54ffe828,EndPointMACAddress=00-26-82-F1-E6-32,GroupsOrAttributesProcessFailure=true,Device Type=Device Type#All Device Types,Location=Location#All Locations,Device IP Address=192.168.1.225,Called-Station-ID=e0-d1-73-28-a7-70:TDS-Corp
    Posture Status:
    EPS Status:
     Steps
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15048  Queried PIP
    15048  Queried PIP
    15048  Queried PIP
    15048  Queried PIP
    15004  Matched rule
    11507  Extracted EAP-Response/Identity
    12500  Prepared EAP-Request proposing EAP-TLS with challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12502  Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
    12800  Extracted first TLS record; TLS handshake started
    12805  Extracted TLS ClientHello message
    12806  Prepared TLS ServerHello message
    12807  Prepared TLS Certificate message
    12809  Prepared TLS CertificateRequest message
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12571  ISE will continue to CRL verification if it is configured for specific CA
    12571  ISE will continue to CRL verification if it is configured for specific CA
    12811  Extracted TLS Certificate message containing client certificate
    12812  Extracted TLS ClientKeyExchange message
    12813  Extracted TLS CertificateVerify message
    12804  Extracted TLS Finished message
    12801  Prepared TLS ChangeCipherSpec message
    12802  Prepared TLS Finished message
    12816  TLS handshake succeeded
    12509  EAP-TLS full handshake finished successfully
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    Evaluating Identity Policy
    15006  Matched Default Rule
    24433  Looking up machine/host in Active Directory - [email protected]
    24492  Machine authentication against Active Directory has failed
    22059  The advanced option that is configured for process failure is used
    22062  The 'Drop' advanced option is configured in case of a failed authentication request
    But the user can authenticate by EAP-TLS
    AAA Protocol > RADIUS Authentication Detail
    RADIUS Audit Session ID : 
    c0a801e10000007f54ffe828
    AAA session ID : 
    ISE-TDS/215430381/59
    Date : 
    March     11,2015
    Generated on March 11, 2015 2:48:43 PM ICT
    Authentication Summary
    Logged At:
    March 11,2015 7:27:32.475 AM
    RADIUS Status:
    Authentication succeeded
    NAS Failure:
    Username:
    [email protected]
    MAC/IP Address:
    00:26:82:F1:E6:32
    Network Device:
    WLC : 192.168.1.225 :  
    Allowed Protocol:
    TDS-PEAP-TLS
    Identity Store:
    AD1
    Authorization Profiles:
    TDS-WLAN-PERMIT-ALL
    SGA Security Group:
    Authentication Protocol :
    EAP-TLS
     Authentication Result
    [email protected]
     State=ReauthSession:c0a801e10000007f54ffe828
     Class=CACS:c0a801e10000007f54ffe828:ISE-TDS/215430381/59
     Termination-Action=RADIUS-Request
     cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-508adc03
     MS-MPPE-Send-Key=5a:9a:ca:b0:0b:2a:fe:7d:fc:2f:8f:d8:96:25:50:bb:c8:7d:91:ba:4c:09:63:57:3e:6e:4e:93:5d:5c:b0:5d
     MS-MPPE-Recv-Key=24:fa:8d:c3:65:94:d8:29:77:aa:71:93:05:1b:0f:a5:58:f8:a2:9c:d0:0e:80:2d:b6:12:ae:c3:8c:46:22:48
     Airespace-Wlan-Id=1
     Related Events
     Authentication Details
    Logged At:
    March 11,2015 7:27:32.475 AM
    Occurred At:
    March 11,2015 7:27:32.474 AM
    Server:
    ISE-TDS
    Authentication Method:
    dot1x
    EAP Authentication Method :
    EAP-TLS
    EAP Tunnel Method :
    Username:
    [email protected]
    RADIUS Username :
    [email protected]
    Calling Station ID:
    00:26:82:F1:E6:32
    Framed IP Address:
    Use Case:
    Network Device:
    WLC
    Network Device Groups:
    Device Type#All Device Types,Location#All Locations
    NAS IP Address:
    192.168.1.225
    NAS Identifier:
    WLC-TDS
    NAS Port:
    4
    NAS Port ID:
    NAS Port Type:
    Wireless - IEEE 802.11
    Allowed Protocol:

    Hello,
    I am analyzing your question and, seeing the ISE logs, I can see that the machine credential was LENOVO-PC. Are you sure that these credentials exist in your Active Directory to validate this machine? Does the machine certificate have the correct machine credentials from the domain? Does the group mapped in the ISE rule have the machine inside it?
    This differs from the user authentication, which succeeds because the domain credentials can be validated by Active Directory and access to the network is granted.
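The two step lists posted above make the same point the reply does: in the failing report the TLS handshake succeeds (12816, 12509) and the drop only happens at the Active Directory lookup of the host identity (24433, 24492, 22062), while the user report ends in 22037/11503. The Python parser below, added for this thread and not an ISE tool, reads the "Steps" section of an authentication detail report and separates a certificate/TLS problem from an identity-store problem. `parse_steps`, `diagnose` and `explain` are assumed names; the two embedded step lists are abridged copies of the reports posted above, with the host identity taken from the "RADIUS Username" field of the same report.

```python
"""
Parser for the numbered "Steps" list of an ISE authentication detail report,
used to tell a TLS/certificate failure from an identity-store failure.
Written for this thread; parse_steps/diagnose/explain are assumed names, not an
ISE API. The sample step lists are abridged copies of the two reports above.
"""
import re
from typing import Dict, List, Optional, Tuple

STEP_RE = re.compile(r"^\s*(\d{5})\s+(.*\S)\s*$")

# Step codes used below; every one of them appears in the reports in this thread.
TLS_HANDSHAKE_OK = "12816"
EAP_TLS_OK = "12509"
AD_LOOKUP = "24433"
AD_MACHINE_AUTH_FAILED = "24492"
AUTH_PASSED = "22037"
EAP_SUCCESS = "11503"
DROP_OPTION_USED = "22062"

MACHINE_AUTH_STEPS = """\
11001  Received RADIUS Access-Request
11017  RADIUS created a new session
Evaluating Service Selection Policy
15004  Matched rule
11507  Extracted EAP-Response/Identity
12500  Prepared EAP-Request proposing EAP-TLS with challenge
12800  Extracted first TLS record; TLS handshake started
12811  Extracted TLS Certificate message containing client certificate
12813  Extracted TLS CertificateVerify message
12816  TLS handshake succeeded
12509  EAP-TLS full handshake finished successfully
Evaluating Identity Policy
15006  Matched Default Rule
24433  Looking up machine/host in Active Directory - host/LENOVO-PC.tdsouth.com
24492  Machine authentication against Active Directory has failed
22059  The advanced option that is configured for process failure is used
22062  The 'Drop' advanced option is configured in case of a failed authentication request
"""

USER_AUTH_STEPS = """\
11001  Received RADIUS Access-Request
12500  Prepared EAP-Request proposing EAP-TLS with challenge
12816  TLS handshake succeeded
12509  EAP-TLS full handshake finished successfully
Evaluating Identity Policy
15006  Matched Default Rule
22037  Authentication Passed
12506  EAP-TLS authentication succeeded
11503  Prepared EAP-Success
"""


def parse_steps(text: str) -> List[Tuple[Optional[str], str]]:
    """Return (code, message) pairs; phase headers such as
    'Evaluating Identity Policy' carry no code and get None."""
    steps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = STEP_RE.match(line)
        steps.append((m.group(1), m.group(2)) if m else (None, line.strip()))
    return steps


def explain(report: Dict[str, object]) -> str:
    """One-line reading of where the request failed, if it did."""
    if report["result"] == "accept":
        return "none"
    if report["tls_handshake_ok"] and report["ad_machine_auth_failed"]:
        return ("certificate accepted; the identity store lookup failed, so check the "
                "computer account and certificate-to-account mapping, not the PKI")
    if not report["tls_handshake_ok"]:
        return "TLS handshake did not complete; check client/server certificates and trust"
    return "failed after TLS for another reason; read the remaining steps"


def diagnose(text: str) -> Dict[str, object]:
    """Summarise one Steps list: outcome, TLS state, and the AD identity looked up."""
    steps = parse_steps(text)
    codes = [c for c, _ in steps if c]
    result = "unknown"
    if EAP_SUCCESS in codes or AUTH_PASSED in codes:
        result = "accept"
    elif DROP_OPTION_USED in codes:
        result = "drop"
    lookup = next((msg for c, msg in steps if c == AD_LOOKUP), None)
    report: Dict[str, object] = {
        "result": result,
        "tls_handshake_ok": TLS_HANDSHAKE_OK in codes,
        "eap_tls_ok": EAP_TLS_OK in codes,
        "ad_identity": lookup.split(" - ", 1)[1] if lookup and " - " in lookup else None,
        "ad_machine_auth_failed": AD_MACHINE_AUTH_FAILED in codes,
    }
    report["where_it_failed"] = explain(report)
    return report


if __name__ == "__main__":
    for name, text in (("machine", MACHINE_AUTH_STEPS), ("user", USER_AUTH_STEPS)):
        print(name, diagnose(text))
```

Run on the machine report it returns `result: drop` with `tls_handshake_ok: True` and the looked-up identity `host/LENOVO-PC.tdsouth.com`, which is the combination that points at the computer account in AD rather than at the certificate chain.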

  • ISE ver 1.1.2.145 advanced license consumption

    Hello,
    I am puzzled with this scenario when it comes to advanced licensing, any insight is greatly appreciated:
    I have an XP machine that I am using to access the network through ISE authentication and authorization. My authentication is EAP-TLS with machine authentication to simulate a company asset. Every time the XP station connects, ISE consumes a Base license and an Advanced license. Why?? I am not using the profiled group, posture assessment, nor even onboarding in my AuthZ policy.
    Here is the authorization rule:
    Here is the licensing page:
    base: 1/20    advanced: 1/20
    Here is the only active session from active session report:
    xp-test.ashour.local
    00:22:FB:1A:59:C2
    10.30.30.117
    dot1x
    EAP-TLS
    NotApplicable
    N/A
    WindowsXP-Workstation
    Running
    ise
    And here is the live authentication:
    Authentication Summary
    Logged At:
    December 10,2012 5:27:36.331 PM
    RADIUS Status:
    Authentication succeeded
    NAS Failure:
    Username:
    xp-test.ashour.local
    MAC/IP Address:
    00:22:FB:1A:59:C2
    Network Device:
    5508-WLC : 10.255.255.20 : 
    Allowed Protocol:
    Default Network Access
    Identity Store:
    Authorization Profiles:
    PermitAccess
    SGA Security Group:
    Authentication Protocol :
    EAP-TLS
    Authentication Result
    User-Name=xp-test.ashour.local
    State=ReauthSession:0affff140000005550c6598d
    Class=CACS:0affff140000005550c6598d:ise/144192099/4026
    Termination-Action=RADIUS-Request
    MS-MPPE-Send-Key=99:b0:49:f5:e1:eb:20:a6:2b:2a:97:fe:f1:68:a0:02:a7:98:3c:03:12:2a:90:70:3a:6c:fd:ed:1c:3b:bc:4b
    MS-MPPE-Recv-Key=8e:c8:88:f8:fb:75:02:3d:32:48:8a:b0:9e:7d:74:5d:04:f7:de:48:3c:b9:c3:e7:36:e5:05:f3:c7:6c:21:7d
    Related Events
    Dec 10,12 5:27:36.072 PM
    Radius authentication passed for USER:   CALLING STATION ID: 00:22:FB:1A:59:C2  AUTHTYPE:
    Radius authentication passed
    Dec 10,12 5:23:56.647 PM
    Radius authentication passed for USER:   CALLING STATION ID: 00:22:FB:1A:59:C2  AUTHTYPE:
    Radius authentication passed
    Dec 10,12 5:06:07.317 PM
    Radius accounting start
    Radius accounting start
    Authentication Details
    Logged At:
    December 10,2012 5:27:36.331 PM
    Occurred At:
    December 10,2012 5:27:36.331 PM
    Server:
    ise
    Authentication Method:
    dot1x
    EAP Authentication Method :
    EAP-TLS
    EAP Tunnel Method :
    Username:
    xp-test.ashour.local
    RADIUS Username :
    host/xp-test.ashour.local
    Calling Station ID:
    00:22:FB:1A:59:C2
    Framed IP Address:
    Use Case:
    Network Device:
    5508-WLC
    Network Device Groups:
    Device Type#All Device Types#WIRELESS,Location#All Locations#ASHOUR RESIDENCE
    NAS IP Address:
    10.255.255.20
    NAS Identifier:
    ASHOUR-WLC1
    NAS Port:
    1
    NAS Port ID:
    NAS Port Type:
    Wireless - IEEE 802.11
    Allowed Protocol:
    Default Network Access
    Service Type:
    Framed
    Identity Store:
    Authorization Profiles:
    PermitAccess
    Active Directory Domain:
    Identity Group:
    Profiled:Workstation
    Allowed Protocol Selection Matched Rule:
    Dot1X
    Identity Policy Matched Rule:
    Default
    Selected Identity Stores:
    Authorization Policy Matched Rule:
    Company asset
    SGA Security Group:
    AAA Session ID:
    ise/144192099/4026
    Audit Session ID:
    0affff140000005550c6598d
    Tunnel Details:
    Tunnel-Type=(tag=0) VLAN,Tunnel-Medium-Type=(tag=0) 802,Tunnel-Private-Group-ID=(tag=0) 30
    Cisco-AVPairs:
    audit-session-id=0affff140000005550c6598d
    Other Attributes:
    ConfigVersionId=5,DestinationPort=1812,Protocol=Radius,Framed-MTU=1300,State=37CPMSessionID=0affff140000005550c6598d;28SessionID=ise/144192099/4026;,Airespace-Wlan-Id=1,ExternalGroups=ashour.local/users/domain computers,CPMSessionID=0affff140000005550c6598d,EndPointMACAddress=00-22-FB-1A-59-C2,EndPointMatchedProfile=WindowsXP-Workstation,HostIdentityGroup=Endpoint Identity Groups:Profiled:Workstation,Device Type=Device Type#All Device Types#WIRELESS,Location=Location#All Locations#ASHOUR RESIDENCE,Model Name=5508,Software Version=7.2,Device IP Address=10.255.255.20,Called-Station-ID=f0:25:72:3d:3c:d0:ISE BYOD
    Posture Status:
    NotApplicable
    EPS Status:
    Steps
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15048  Queried PIP
    15048  Queried PIP
    15048  Queried PIP
    15048  Queried PIP
    15004  Matched rule
    11507  Extracted EAP-Response/Identity
    12500  Prepared EAP-Request proposing EAP-TLS with challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12502  Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
    12800  Extracted first TLS record; TLS handshake started
    12805  Extracted TLS ClientHello message
    12806  Prepared TLS ServerHello message
    12807  Prepared TLS Certificate message
    12809  Prepared TLS CertificateRequest message
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12568  Lookup user certificate status in OCSP cache
    12570  Lookup user certificate status in OCSP cache succeeded
    12554  OCSP status of user certificate is good
    12568  Lookup user certificate status in OCSP cache
    12570  Lookup user certificate status in OCSP cache succeeded
    12554  OCSP status of user certificate is good
    12811  Extracted TLS Certificate message containing client certificate
    12812  Extracted TLS ClientKeyExchange message
    12813  Extracted TLS CertificateVerify message
    12804  Extracted TLS Finished message
    12801  Prepared TLS ChangeCipherSpec message
    12802  Prepared TLS Finished message
    12816  TLS handshake succeeded
    12509  EAP-TLS full handshake finished successfully
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    Evaluating Identity Policy
    15006  Matched Default Rule
    22037  Authentication Passed
    12506  EAP-TLS authentication succeeded
    11503  Prepared EAP-Success
    Evaluating Authorization Policy
    15048  Queried PIP
    15048  Queried PIP
    15004  Matched rule
    15016  Selected Authorization Profile - PermitAccess
    11002  Returned RADIUS Access-Accept
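To turn a live-log detail like the one above into something you can check mechanically, here is an added example (not from the original post and not Cisco code): a small Python parser for the "Steps" list that pulls out the negotiated EAP method, whether a client certificate and CertificateVerify were seen, the OCSP result, the selected authorization profile and the final RADIUS result, and then audits an Access-Accept against an "EAP-TLS only" intent. The two embedded step lists are constructed: the first is condensed from the session above, the second is a made-up DenyAccess case whose 11003 step code is an assumption. Function and class names are mine.

```python
"""Summarise an ISE live-log "Steps" list and audit it against an EAP-TLS-only policy."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, condensed from the EAP-TLS session in the post above
# (the intermediate Access-Challenge round trips were dropped).
SAMPLE_STEPS = """\
11001  Received RADIUS Access-Request
11017  RADIUS created a new session
Evaluating Service Selection Policy
15004  Matched rule
12500  Prepared EAP-Request proposing EAP-TLS with challenge
12502  Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
12554  OCSP status of user certificate is good
12811  Extracted TLS Certificate message containing client certificate
12813  Extracted TLS CertificateVerify message
12816  TLS handshake succeeded
12509  EAP-TLS full handshake finished successfully
Evaluating Identity Policy
15006  Matched Default Rule
22037  Authentication Passed
12506  EAP-TLS authentication succeeded
Evaluating Authorization Policy
15016  Selected Authorization Profile - PermitAccess
11002  Returned RADIUS Access-Accept
"""

# Constructed sample of a session that falls through to the default DenyAccess
# profile. The 11003 code is assumed, not copied from a real ISE log.
REJECT_STEPS = """\
11001  Received RADIUS Access-Request
11017  RADIUS created a new session
Evaluating Service Selection Policy
15004  Matched rule
Evaluating Authorization Policy
15016  Selected Authorization Profile - DenyAccess
11003  Returned RADIUS Access-Reject
"""

STEP_RE = re.compile(r"^\s*(\d{5})\s+(.*\S)\s*$")  # "<5-digit code>  <message>"


@dataclass
class SessionSummary:
    eap_method: Optional[str] = None      # last method proposed/accepted (12500/12502)
    tls_handshake_ok: bool = False        # 12816
    client_cert_seen: bool = False        # 12811
    cert_verify_seen: bool = False        # 12813: proof the client holds the private key
    ocsp_status: Optional[str] = None     # 12554: "good" or whatever the log says
    auth_passed: bool = False             # 22037
    authz_profile: Optional[str] = None   # 15016
    result: Optional[str] = None          # Access-Accept / Access-Reject (challenges ignored)
    phases: List[str] = field(default_factory=list)  # "Evaluating ... Policy" headers


def parse_steps(text: str) -> SessionSummary:
    """Walk the Steps list once and record the decision points that matter."""
    s = SessionSummary()
    for raw in text.splitlines():
        m = STEP_RE.match(raw)
        if not m:
            if raw.strip():
                s.phases.append(raw.strip())
            continue
        msg = m.group(2)
        em = re.search(r"(?:proposing|accepting) ([\w-]+)", msg)
        if em:  # a later "accepting X as negotiated" overrides the initial proposal
            s.eap_method = em.group(1)
        s.tls_handshake_ok |= "TLS handshake succeeded" in msg
        s.client_cert_seen |= "containing client certificate" in msg
        s.cert_verify_seen |= "CertificateVerify" in msg
        om = re.search(r"OCSP status of user certificate is (\w+)", msg)
        if om:
            s.ocsp_status = om.group(1)
        s.auth_passed |= msg == "Authentication Passed"
        pm = re.search(r"Selected Authorization Profile - (.+)", msg)
        if pm:
            s.authz_profile = pm.group(1).strip()
        rm = re.search(r"Returned RADIUS (Access-\w+)", msg)
        if rm and rm.group(1) != "Access-Challenge":
            s.result = rm.group(1)
    return s


def audit_eap_tls_only(s: SessionSummary) -> List[str]:
    """Findings for a rule that is meant to admit certificate-authenticated clients only.
    A Reject or Drop needs no finding: nothing was granted."""
    findings: List[str] = []
    if s.result != "Access-Accept":
        return findings
    if s.eap_method != "EAP-TLS":
        return [f"accepted via {s.eap_method or 'unknown method'}, not EAP-TLS"]
    if not s.tls_handshake_ok:
        findings.append("Access-Accept without a completed TLS handshake")
    if not (s.client_cert_seen and s.cert_verify_seen):
        findings.append("client certificate or CertificateVerify missing (no proof of key possession)")
    if s.ocsp_status != "good":
        findings.append(f"revocation status not confirmed good (got {s.ocsp_status!r})")
    return findings


if __name__ == "__main__":
    for name, steps in (("eap-tls", SAMPLE_STEPS), ("deny", REJECT_STEPS)):
        summary = parse_steps(steps)
        print(name, summary.result, summary.authz_profile, audit_eap_tls_only(summary) or "ok")
```

Run it over the Steps list of any session you want to verify; stripping the OCSP line from the sample is enough to make the audit flag the accept, which is the kind of drift you want to catch when a rule is supposed to require EAP-TLS with revocation checking.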

    Hi,
    Please make sure that the profiling is disabled for this node, it seems as if the radius probe and the user agent is learned via the http probe.
    It also seems as if you are hitting this bug. I understand the description doesn't line up, but you may want to have TAC clarify whether this is experienced on authenticating networks:
    CSCub56607
    Cisco ISE applies a wireless access session against the Advanced license allowable user count when it should not
    The wireless session in question should be applied against the Base license count. This issue has been observed in Cisco ISE, Release 1.1.1 where the following functions are set:
    • MAC Filtering is enabled on the SSID and the Central Web Authentication authorization policy is applied
    • Profiling is disabled
    • Posture is disabled
    • The device in question has not been registered via the My Devices Portal
    Note There is no known workaround for this issue.
    Tarik Admani
    *Please rate helpful posts*

  • ISE authentication fail during windows re-logon

    Background:
    Deployed a Cisco ISE 1.1.2 that is used to authenticate and posture-validate wired users attached to Cisco IP Phones. The backend database is Microsoft AD.
    Problem:
    The first time, both users and IP Phones pass the authentication and posture validation steps successfully. When the user logs off from Windows, the logoff completes without any problem, and I can see it on the switch.
    The problem occurs when the user tries to log on again. ISE does not match the configured authentication rules as it did the first time, and puts the user directly into the default "DenyAccess" policy (rule).
    Anyone out there experienced something similar or have any ideas on why this is happening?
    Thanks.

    Hi
    Possible Causes
    • This could be either a MAB or 802.1X authentication issue.
    • The authorization profile could be missing the Cisco av-pair=”device-traffic-class=voice” attribute. As a result, the switch does not recognize the traffic on the voice VLAN.
    • The administrator did not add the endpoint as a static identity, or did not allow an unregistered endpoint to pass (a policy rule set to "Continue/Continue/Continue" upon failure).
    Resolution
    • Verify that the Authorization Policy is framed properly for groups and conditions, and check to see whether the IP phone is profiled as an "IP phone" or as a "Cisco-device."
    • Verify the switch port configuration for multidomain and voice VLAN configuration.
    • Add the continue/continue/continue to allow the endpoint to pass:
    Choose Policy > Policy Elements > Results > Authentication > Allowed Protocols to create a Protocol Policy. MAC authentications use PAP/ASCII and EAP-MD5 protocols. Enable the following MAB Protocols settings:
    – Process Host Lookup
    – PAP/ASCII
    – Detect PAP as Host Lookup
    – EAP-MD5
    – Detect EAP-MD5 as Host Lookup
    • From the main menu, choose Policy > Authentication.
    • Change the authentication method from Simple to Rule-Based
    • Use the action icon to create new Authentication Method entries for MAB:
    – Name: MAB
    – Condition: IF MAB RADIUS:Service-Type == Call Check
    – Protocols: allow protocols MAB_Protocols and use
    – Identity Source: Internal Hosts
    – Continue/Continue/Continue
