ISE: PEAP-TLS

Hi,
I want to setup ISE for certificate authentication of the device + AD credentials (PEAP+TLS) as far as I understood it.
I can't find any good example of how to setup ISE policies for this scenario.
Client will use Microsoft CA and he will deploy certificates on the domain computers before they can join wireless, so I don't need self enrollment and hopefully no any kind of supplicant (just windows native one).
If you can point me to some design or configuration guide, I would be thankful.
Best regards,
Michael

Refer to the following links this might be of help
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_auth_pol.html#wp1146236
https://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_2.0/trustsec_2.0_dig.pdf

Similar Messages

WLC-4402 with PEAP-TLS

Hi,
I need to set a WLAN with the following requirements
laptops must be configured via Active Directory, with the following parameters:
WPA2-Enterprise
AES Encryption
Authentication with EAP type "Protected EAP-TLS (PEAP-TLS)”
Validating Certificate Authority for the RADIUS server certificate is ACME Corporate Internal Root CA
Authentication
Device security and user authentication must take place through Active Directory (AD).
The AD infrastructure must be configured for auto-enrolment of ACME devices into the integral AD internal Public Key Infrastructure (PKI).
The local site wireless controller must directly authenticate both the user and the device using a standard Microsoft RADIUS server enabled
on the local AD controller.
Connection must be authenticated authorised using both the AD machine objectcertificate, confirming that the device is in AD and is a valid ACME device and the user cached Kerberos (AD) credentials, confirming a valid ACME user is logged in to that device.
I have already configured WLAN security options ;Layer2 and AAA servers (authentication server, and LDAP server)
Based on the requirements I do not know how to set the option for certificates.
Should I load to WLC a CA certificate and Device certificate?
I don´t manage the RADIUS and AD controller so I don´t know If the administration staff have already set all the things in order to support PEAP-TLS
Which questions should I ask them in order to be sure all the things necessary are set on their side??
What additional setting are necesary if the requirements is for EAP- TTLS
Regards,

OK so basically what you need to do is doing EAP-TLS with Machince authentication.
Yes, that can be done. However WHO is it going to be authenticating both? IAS? or ACS?
Here it is a configuration example on how you can do this using ACS, doing it with IAS would be basically the same.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml

ISE-Peap

Hi
I'm rolling out!
I have seen couple of people with win7 cannot authenticate to ISE:
12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate
I've thought of this: Maybe get a 3rd party cert (go daddy) and have that installed in ISE.
I know i do have to make a CSR Cert.Sign.Request that matches cn=primary.ise.mydomain, would I also need a cert for secondary?
OR:
If I use LEAP as a preferred protocol then it doesn't ask for cert and users are authenticated successfully.
I know they have to say do not validate cert and all that but sometimes it doesn't popupt to them they just can't get on.
Again maybe going wtih 3rd party certs will make it easier while benefiting from using PEAP?
Thanks.

There is a bug in ISE that doesnt allow you to use the same certificate for the eap interface (since you can designate which cert you want for either https or eap). You should be able to present the same cert for eap purposes across your radius servers. In the end you will need a cert for each of your policy service nodes.
Tried to find the bug (but the toolkit isnt working for me).
Thanks,
Tarik Admani
*Please rate helpful posts*

ISE- PEAP- LDAP

Hello All,
In ISE we tried adding active directory but it failed (ISE & AD Integration). Still there was another option in ISE like LDAP and we added the identity stores.
Now with the below security feature,a client can get authentication through LDAP.
L2 Security-WPA2
Encryption-AES
Auth method-PEAP(EAP-MSCHAP V2)
When i tried connecting i am getting error like "Current Identity store does not support this type" in the ISE.
LDAP in ISE has to replaced with the active directory...?
Any quick help will be appreciated

IMO Cisco ISE does very poor integration with LDAP while it supports Active Directory very well. This is a big shortage on ISE as in our environment LDAP is more widely used than our Active Directory.
Basically, you can not use EAP kind authentication on supplicant while your ISE uses LDAP as external identity store. Cisco officially says it only support EAP-GTC and PAP with LDAP. EAP-TLS has nothing to do with LDAP at authentication stage as the supplicant and ISE itself need to trust each other.
We also spent a lot of time on central administrator authentication with LDAP with ISE local authorisation as we do not have the group attributes in our LDAP ISE wants for the administrators, and it turns out that ISE simply does not support it.

ISE - EAP-TLS and then webAuth?

Hello everyone!
I have a little bit of a complex dilemma in an ISE deployment and I am trying to lean more on how it works technically. Long story short: I am trying to do both machine and user authentication / authorization (per requirements from our Security department) on a wireless network using iDevices (iPads, iPhones, iTouches) that are shared between users. Just an FYI, I know Apple devices are not intended for “multiple users”; hence, why it is a problem I am trying to solve with CWA.
Hardware:
Cisco ISE VM running 1.1.3.124
WLC 5508 running 7.4.100.0
AP 3602I running 7.4.100.0 / IOS 15.2(2)JB$
iPod Touch version 6.1.3(10B329)
Senario:
•- User Authenticates to SSID that is 802.1x WPA2 AES,
•- Machine is checked by having valid Cert issued by CA and given access to ISE CWA
•- User open’s their browser
•- WLC redirects them to ISE CWA
•- User provides credentials on the portal
•- User to CoA’d to full access network
Rules, NSP is a limited profiling access network. CWA is a limited access network with redirect to centeral web auth on ISE. Standard rule 2 & 3 (which are disabled in this screen shot) are the rules that prove the CWA works on an open SSID.
I have gotten the CWA to work great on an open SSID, however when the process involves EAP-TLS everything works but the redirect. The iPod is properly authorized to the CWA (which is the redirect permission), but when I open a browser the iPod just spins searching for the website; it is never redirected to the ISE. My question is, is this even possible? Is there a trick or order of sequence that needs to be changed? I have been told from a Cisco NCE that specializes in ISE that this “may” or “may not” work, but not given an explanation as to why or why not. And if it’s not possible, why not?
Thank you in advance!
Example, now the user is authorized for CWA, but when a user opens the browser it just sits there spinning.
I checked the WLC “Clients>Details” (from the monitoring page) and I noticed something interesting:

Please review the below link which might be helpful :
http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_60_byod_certificates.pdf
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.pdf

Cisco ISE - EAP-TLS - Machine / User Authentication - Multiple Certificate Authentication Profiles (CAP)

Hello,
I'm trying to do machine and user authentication using EAP-TLS and digital certificates. Machines have certificates where the Principal Username is SAN:DNS, user certificates (smartcards) use SAN:Other Name as the Principal Username.
In ISE, I can define multiple Certificate Authentication Profiles (CAP). For example CAP1 (Machine) - SAN:DNS, CAP2 (User) - SAN:Other Name
Problem is how do you specify ISE to check both in the Authentication Policy? The Identity Store Sequence only accepts one CAP, so if I created an authentication policy for Dot1x to check CAP1 -> AD -> Internal, it will match the machine cert, but fail on user cert.
Any way to resolve this?
Thanks,
Steve

You need to use the AnyConnect NAM supplicant on your windows machines, and use the feature called eap-chaining for that, windows own supplicant won't work.
an example (uses user/pass though, but same concept)
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

Windows 7 Supplicant Configuration - ISE PEAP w Machine Auth

Can anyone tell me the settings for the Windows 7 supplicant that works with ISE and PEAP using machine authentication? I have an authorization profile that permits the user login only after machine 'WasAuthenticated'. I have only found this to work by setting the Windows 7 supplicant up to use Single-Sign-On before Windows logon and to specify 'User or Machine' authentication. Then I'm only successful if I have both wired and wireless connected/on and I perform a logoff/reboot. Surely this isn't right. What if a user logs on without any connection with cached credentials and then wants to use wireless? Can't they just perform both machine and user auth over the wireless connection regardless of prior machine/auth states? I used the videos from LABMINUTES to configure the policies, but I don't need the ACLs for the WLAN controller because these are autonomous APs.
Regards,
Scott

Microsoft will send both and only cares if one passes. This is the same with radius. ACS and ISE allows you to check to see if the user was authenticated which happens initially on boot. After the initial machine auth, the windows machine will only send user creds. The was machine auth is a workaround to be able to do both. The issue is that when the timeout of the machine creds happen, the devices has to be rebooted. In Cisco Live 2012, they even suggested you don't do this due to not knowing when the cached credentials ACS or ISE will keep this info.
Sent from Cisco Technical Support iPhone App

PEAP-TLS: same settings in PEAP Properties and Smart Card & Cert Properties?

When setting up a GPO for a wireless network profile via GPMC in Windows 2008 R2, in the
Protected EAP Properties window there are check boxes for
Validate server certificate and Do not prompt user to authorize new servers or trusted certification authorities, a textbox for
Connect to these servers, and a selections list for
Trusted Root Certification Authorities.
All these configurable options show up again if you click on Configure when using
Smart Card or other certificate as the authentication method. You can set them as you wish there, different from PEAP Properties even.
My question is, which set of options takes precedence? A sane person will probably keep them the same, but why have that confusion in the interface?

Hi Roland,
All of these two settings will take effect.
PEAP is an EAP method that addresses this security issue by first creating a secure channel that is both encrypted and integrity-protected with TLS. Then, a new EAP negotiation with another EAP method occurs within the secure channel, authenticating the
network access attempt of the access client.
Therefore, the first settings is the settings of the TLS secure channel (outer layer), and the second settings is the settings of new EAP negotiation (inner layer). If we choose "Smart Card or other certificate" as the authentication method of PEAP,
there will be two TLS secure channel actually.
For detailed information, please refer to the link below,
Extensible Authentication Protocol Overview
http://technet.microsoft.com/en-us/library/bb457039.aspx
Best Regards.
Steven Lee
TechNet Community Support

ISE - EAP-TLS authentication with multi-tier PKI

Hi Cisco Support Community,
and again I'm struggling with my ISE understanding. It's kind of frustrating - daily more and more questions arise :)
Here's the thing and I hope some of the ISE experts here know the answer:
I want to authenticate my wired and wireless clients using 802.1X. I'm using a multi-tier PKI (see picture below)
The ISE uses a certificate from the "Signing CA1" (Chain: Root CA - Signing CA1).
The clients uses a certificate from the "Signing CA2" (Chain: Root CA - Intermediate CA1 - Signing CA2).
Do I have to add the complete client certificate chain (Signing CA2, Intermediate CA1, Root CA) to the ISE trusted certificates in order to authenticate the client? Or is it enough for example just to add the root CA or the intermediate CA? I couldn't find any hints in the admin guide (1.3)
Thanks in advance!

Hello Johannes-
You will need to add the root and all/any intermediate certificates in the trusted certificate store of ISE.
Thank you for rating helpful posts!

ISE & EAP-TLS Wired document

All,
Is there a document out there that explicitly shows wired authentication via EAP-TLS and explains the steps?
I have a good handle on what's needed, but I had trouble finding relevant documentation.

Please review the below link:
http://http://www.cisco.com/en/US/docs/solutions/SBA/August2012/Cisco_SBA_BN_LANAndWirelessLAN802.1xAuthenticationDeploymentGuide-Aug2012.pdf

ISE wired TLS with group mapping

Hi. We authenticate wired clients using EAP-TLS with Computer Certificates. This works fine so far. Now we need an authorization with LDAP and set the VLAN based on the AD Group of the Computer. Is there a way to use the CN of the Certificate and retrieve the Attributes of the Client over LDAP?
Does anybody know how this could be done?
Regards,
Urs

You should be able to do this, as long as the cn name is in the corrext format which for computer certificates it ahould be fine. Setup the ldap external store, find the grouo and map that to your authz policy.
Sent from Cisco Technical Support Android App

Cisco ISE: 802.1x [EAP-TLS] + List of Applicable Hot-Fixes

Dear Folks,
Kindly suggest the list of all possible Hot-Fixes required for the Cisco ISE EAP-TLS solution... We have applied 9 HotFixes so far. But, still the connectivity is intermittent. Is there any list for all applicable Hot-Fixes?
OS = Win 7 SP1 (32/64 Bit) and Win 8
Thanks,
Regards,
Mubasher Sultan

Hi Mubasher
KB2481614:      If you’re configuring your 802.1x settings via Group Policy you’ll see      sometimes EAP-PEAP request from clients in your radius server log during      booting even if you’ll set EAP-TLS. This error happened in our case with      1/3 of the boots with some models. The error is caused by a timing problem      during startup. Sometimes the 802.1x is faster and sometimes the Group      Policy is, and if the 802.1x is faster than the default configuration is      taken, which is PEAP. Which lead to a EAP-NAK by the radius server.
KB980295:      If an initial 802.1x authentication is passed, but a re-authentication      fails, Windows 7 will ignore all later 802.1x requests. This hotfix should      also fix a problem with computers waking up from sleep or hibernation –      but we’ve disabled these features so I can’t comment on them.
KB976373:      This hotfix is called “A computer that is connected to an IEEE      802.1x-authenticated network via another 802.1x enabled device does not      connect to the correct network”. I can’t comment on this, as we’ve not      deployed 802.1x for our VoIP phones at this point.I would guess it is the      same for Windows 7 too. The linked article tells you to install the patch      and set some registry key to lower the value.
KB2769121:      A short time ago I found this one: “802.1X authentication fails on a      Windows 7-based or Windows 2008 R2-based computer that has multiple      certificates”. At time of writing I’m not sure if it helps for something      in my setup. According to the symptoms list of the hotfix, it does not,      but maybe it helps for something else, as the one before does.
KB2736878:      An other error during booting – this time it happens if the read process      starts before the network adapter is initialized. Really seems that they      wanted to get faster boot times, no matter the costs.
KB2494172:      This hotfix fixes a problem if you’ve installed a valid and invalid      certificate for 802.1x authentication. The workaround is just deleting the      invalid certificate. I’m not sure at this point if it affects also wired      authentication.
KB976210:This      problem occurs only during automated build processes and if you use an EAP      method which needs user interaction – as I don’t do that I can’t comment      on this hotfix.
For more information please go through this link:
http://robert.penz.name/555/list-of-ieee-802-1x-hotfixes-for-windows-7/
Best Regards:
Muhammad Munir

ISE 1.1 - 24492 Machine authentication against AD has failed

We implement Cisco ISE 802.1X and Machine Authentication With EAP-TLS.
Authentication Summary
Logged At:
March 11,2015 7:00:13.374 AM
RADIUS Status:
RADIUS Request dropped : 24492 Machine authentication against Active Directory has failed
NAS Failure:
Username:
[email protected]
MAC/IP Address:
00:26:82:F1:E6:32
Network Device:
WLC : 192.168.1.225 :
Allowed Protocol:
TDS-PEAP-TLS
Identity Store:
AD1
Authorization Profiles:
SGA Security Group:
Authentication Protocol :
EAP-TLS
Authentication Result
RadiusPacketType=Drop
AuthenticationResult=Error
Related Events
Authentication Details
Logged At:
March 11,2015 7:00:13.374 AM
Occurred At:
March 11,2015 7:00:13.374 AM
Server:
ISE-TDS
Authentication Method:
dot1x
EAP Authentication Method :
EAP-TLS
EAP Tunnel Method :
Username:
[email protected]
RADIUS Username :
host/LENOVO-PC.tdsouth.com
Calling Station ID:
00:26:82:F1:E6:32
Framed IP Address:
Use Case:
Network Device:
WLC
Network Device Groups:
Device Type#All Device Types,Location#All Locations
NAS IP Address:
192.168.1.225
NAS Identifier:
WLC-TDS
NAS Port:
4
NAS Port ID:
NAS Port Type:
Wireless - IEEE 802.11
Allowed Protocol:
TDS-PEAP-TLS
Service Type:
Framed
Identity Store:
AD1
Authorization Profiles:
Active Directory Domain:
tdsouth.com
Identity Group:
Allowed Protocol Selection Matched Rule:
TDS-WLAN-DOT1X-EAP-TLS
Identity Policy Matched Rule:
Default
Selected Identity Stores:
Authorization Policy Matched Rule:
SGA Security Group:
AAA Session ID:
ISE-TDS/215430381/40
Audit Session ID:
c0a801e10000007f54ffe828
Tunnel Details:
Cisco-AVPairs:
audit-session-id=c0a801e10000007f54ffe828
Other Attributes:
ConfigVersionId=7,Device Port=32768,DestinationPort=1812,RadiusPacketType=AccessRequest,Protocol=Radius,Framed-MTU=1300,State=37CPMSessionID=c0a801e10000007f54ffe828;30SessionID=ISE-TDS/215430381/40;,Airespace-Wlan-Id=1,CPMSessionID=c0a801e10000007f54ffe828,EndPointMACAddress=00-26-82-F1-E6-32,GroupsOrAttributesProcessFailure=true,Device Type=Device Type#All Device Types,Location=Location#All Locations,Device IP Address=192.168.1.225,Called-Station-ID=e0-d1-73-28-a7-70:TDS-Corp
Posture Status:
EPS Status:
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12502 Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12809 Prepared TLS CertificateRequest message
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12571 ISE will continue to CRL verification if it is configured for specific CA
12571 ISE will continue to CRL verification if it is configured for specific CA
12811 Extracted TLS Certificate message containing client certificate
12812 Extracted TLS ClientKeyExchange message
12813 Extracted TLS CertificateVerify message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12509 EAP-TLS full handshake finished successfully
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
Evaluating Identity Policy
15006 Matched Default Rule
24433 Looking up machine/host in Active Directory - [email protected]
24492 Machine authentication against Active Directory has failed
22059 The advanced option that is configured for process failure is used
22062 The 'Drop' advanced option is configured in case of a failed authentication request
But the user can authenticated by EAP-TLS
AAA Protocol > RADIUS Authentication Detail
RADIUS Audit Session ID :
c0a801e10000007f54ffe828
AAA session ID :
ISE-TDS/215430381/59
Date :
March 11,2015
Generated on March 11, 2015 2:48:43 PM ICT
Actions
Troubleshoot Authentication
View Diagnostic MessagesAudit Network Device Configuration
View Network Device Configuration
View Server Configuration Changes
Authentication Summary
Logged At:
March 11,2015 7:27:32.475 AM
RADIUS Status:
Authentication succeeded
NAS Failure:
Username:
[email protected]
MAC/IP Address:
00:26:82:F1:E6:32
Network Device:
WLC : 192.168.1.225 :
Allowed Protocol:
TDS-PEAP-TLS
Identity Store:
AD1
Authorization Profiles:
TDS-WLAN-PERMIT-ALL
SGA Security Group:
Authentication Protocol :
EAP-TLS
Authentication Result
[email protected]
State=ReauthSession:c0a801e10000007f54ffe828
Class=CACS:c0a801e10000007f54ffe828:ISE-TDS/215430381/59
Termination-Action=RADIUS-Request
cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-508adc03
MS-MPPE-Send-Key=5a:9a:ca:b0:0b:2a:fe:7d:fc:2f:8f:d8:96:25:50:bb:c8:7d:91:ba:4c:09:63:57:3e:6e:4e:93:5d:5c:b0:5d
MS-MPPE-Recv-Key=24:fa:8d:c3:65:94:d8:29:77:aa:71:93:05:1b:0f:a5:58:f8:a2:9c:d0:0e:80:2d:b6:12:ae:c3:8c:46:22:48
Airespace-Wlan-Id=1
Related Events
Authentication Details
Logged At:
March 11,2015 7:27:32.475 AM
Occurred At:
March 11,2015 7:27:32.474 AM
Server:
ISE-TDS
Authentication Method:
dot1x
EAP Authentication Method :
EAP-TLS
EAP Tunnel Method :
Username:
[email protected]
RADIUS Username :
[email protected]
Calling Station ID:
00:26:82:F1:E6:32
Framed IP Address:
Use Case:
Network Device:
WLC
Network Device Groups:
Device Type#All Device Types,Location#All Locations
NAS IP Address:
192.168.1.225
NAS Identifier:
WLC-TDS
NAS Port:
4
NAS Port ID:
NAS Port Type:
Wireless - IEEE 802.11
Allowed Protocol:

Hello,
I am analyzing your question and seeing the ISE logs i can see that the machine credentials was LENOVO-PC. Do you have shure that these credentials has in your Active Directory to validate this machine ? The machine certificate has the correct machine credentials from the domain ? The group mapped in the ISE rule has the machine inside this group ?
Differently from the user authentication that happens with success because the domain credentials can be validate from the Active Directory and get access to the network.

Cisco ISE 1.2 AD Auth and Internal Auth on Same SSID?

Hello everyone... I'm fairly new to Cisco ISE 1.2 and am looking to try and setup a certain configuration. I'm trying to figure out how to create what amounts to a BYOD dmz'd wireless network that is PEAP based (or tls) but authenticates known users (employees from AD groups) but for users not found in those AD groups uses the internal user database and/or Web Auth? Make sense?
So, I of course can get the Authentication/Authorization policies configured for PEAPTLS and make to AD based on group and provide a VLAN number. No problem... I'm having trouble wrapping my head around how to combine the internal users or web auth users in this mix on the same ssid? I know by reading the ISE statement that the authentication policy if PEAP/TLS, ect is used, then a user not found is rejected and does not continue... Can someone provide an example as to how to accomplish this?
As a side note in 1.2, is there the ability to limit the number of consective logins as in ACS, outside of guess access only? What about in 1.3, which makes me nervous to upgrade in reading the instructions and the 'newness' of it.
Thank you for any help, it's greatly appreciated.

I'd like to confirm if the required changes in the VM server were
made, as there are a few changes in the ISE OS. The changes required are
listed in the release notes, under "VMware Operating System to be
Changed to RHEL 5 (64-bit)". Here's a direct link to the relevant section:
http://www.cisco.com/en/US/docs/security/ise/1.2/release_notes/ise12_rn.html#wp384531
Other causes can be :-
certificate issue on ISE or not enough disk space.

AD Machine Authentication with Cisco ISE problem

Hi Experts,
I am new with ISE, I have configured ISE & Domain computers for PEAP authentication. initially machine gets authenticated and then starts going MAB.
Authentication policy:
Allowed protocol = PEAP & TLS
Authorization Policy:
Condition for computer to be checked in external identity store (AD) = Permit access
Condition for users to be checked in external identity store (AD) plus WasMachineAuthenticated = permit access
All of the above policies do match and download the ACL from ISE but computer starts to mab authentication again...
Switchport configuration:
===============================================
ip access-list extended ACL-DEFAULT
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
permit ip any host (AD)
permit icmp any any
permit ip any host (ISE-1)
permit ip any host (ISE-2)
permit udp any host (CUCM-1) eq tftp
permit udp any host (CUCM-2)eq tftp
deny ip any any
===============================================
switchport config
===============================================
Switchport Access vlan 10
switchport mode access
switchport voice vlan 20
ip access-group ACL-DEFAULT in
authentication open
authentication event fail action next-method
authentication event server dead action authorize vlan 1
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 100
====================================================
One more problem about the "authentication open" and default ACL. Once the authentication succeeds and per user is ACL pushed though ISE to the switch. The default ACL still blocks communication on this switchprort.
Your help will highly appreciated.
Regards,

You need to watch the switch during an authentication, see if the machine is passing authentication and the user may be failing authentication causing the switch to fail to mab. If your switch configuration is on auth failure continue to next method, then this makes sense. The question is why is the user failing auth but the machine is passing, could be something in the policy. Make sure your AD setup has machine authentciation checked or it may not tie the machine and user auth together and the user may be failing because ISE can't make that relationship so the machinewasauth=true is not beeing matched. Easy way to check is remove that rule from your policy and see if the same thing happens.
I've also seen this happen when clients want to use EAP-TLS on the wired, machines passes auth, then the user logs into a machine for the first time. The user auth kicks off before the user gets a cert and fails auth with a null certificate, since this is a auth failure the switchport kicks over to MAB.
I don't think wasmachineauth=true is that great, I prefer to use EAP-FASTv2 using Cisco Anyconnect NAM with eap-chaining. This is great because you can do two part authentication. EAP-FAST outer with EAP-TLS inner for the machine auth, and MSCHAPv2 for the inner of the user auth. You get your EAP-TLS auth for the machine and don't have to worry about a user logging into a machine for the first time and switching to MAB because the user doesn't have a cert yet. I also do my rule to say if machine pass and user fail, then workstaion policy, if machine and user pass then corp policy.

ISE: PEAP-TLS

Similar Messages

Maybe you are looking for