Machine authentication over Client IPSEC tunnel

I am in the process of converting our existing remote access from Microsoft Threat Management Gateway to Cisco ASA. Our security folks just made me aware that in addition to the Radius authentication against AD credentials that they also want me to do machine authentication to make sure that the machine name of the system trying to get remote access has a machinea account in AD.
I have been looking for a way to do this with the IPSEC client but havent found anything as yet. Would appreciate any links that show me how to get this done. Moving to Anyconnect isnt an option at this point due to budgetary issues. I am using the latest Cisco VPN client in the 5.x train and have 8.2.5 code running on my 5520.
What I may be looking at might be NAC (Network Admission Control ?). Looking for all suggestions at this point.
Thanks,
Ron

I've used enrolled user X.509 USER certificates with Cisco VPN Client 4.x / 5.x into an ASA. They were issued by a partner's root CA and the connection was allowed on the basis of that root CA being trusted by the remote ASA.
But yes, what you are asking about is more of a NAC, or the successor Identity Services Engine (ISE) product type of feature. In the case of ISE, it can do what you ask but requires a good bit of investment to get that and many many other features.
I strongly suspect that some additional investment will be necessary to get what your security team is requesting. At the very least AnyConnect Premium licenses and use of the Network Access Manager (NAM) feature. See this reference.

Similar Messages

NAT traffic over a IPSec tunnel (ISR)

Hi.
I's suppose to setup i IPSec tunnel between an 1811 and some sort of CheckPoint firewall. The IPSec part isen't that big of a deal, but the system manager on the "CheckPoint side" want the traffic though the tunnel should originate from a public IP-address, and only one source IP-address.
So, Let say that my ISP have given me 10.10.1.1 - 10.10.1.5, our inside clients have an IP-address from the range 192.168.10.0/24, and the remote application in the "Checkpoint site" has the IP-address 172.16.1.10. The result of this should be:
IPSec tunnel is created using the 10.10.1.1 IP-address.
The traffic from the 192.168.1.0/24 clients should access the application at 172.16.1.10 using 10.10.1.2 as source address OVER the IPSec tunnel.
Is this possible? I guess that it would mean that I have to NAT the traffic going though the IPSec tunnel, but I'm having trouble getting this to work. I have googled all day long looking for something similar.
Anyone who could shed some light? Any insight appreciated.
Sheers!
/Johan Christensson

Thanks jjohnston1127!
Well, i guess that it would work, and I wasen't that far off, but got stuck in the "ip nat inside" rule when I where to specify either a pool och an interface. It diden't accur to me that a pool chould just consist of 1 IP-address.
How ever, this raised a new problem. The "match address" access-list that I use in the crypto map for the IPSec configuration currently looks something like this:
access-list 150 permit ip host 10.10.1.2 host 172.16.1.10
If i change it to something like this, the tunnel negotiation get triggerd.
access-list 150 permit ip 192.168.1.0 0.0.0.255 host 172.16.1.10
How ever i assume that the negotiation failes because the tunnel configuration in my router has a different "local network" than the "remote network" at the Checkpoint site.
Is this because that the NAT'ing dosen't get processed before the IPSec configuration?
Can this behavior be changed?
Best regards,
Johan Christensson

VLAN's over Internet/IPSec Tunnel

Hi All !
I have a problem.
I have trunked 5 VLANS from various sites over sattelite and have them all ending on a hub router ,
but my difficulty now is in getting them sent to the HQ over the internet.
I have thought about only 2 ways of possibly being able to do this
1. Get a leased Line :-)
2. and the only feasable alternative ! is to get the VLANs sent per IPSec over the internet but this is my problem....
How do I get a packet from a VLAN into an IPSec tunnel and vice versa ?
What equipment would I need ? (more switches/routers)
Do I need 1 IPSec tunnel for each VLAN to keep them separate from each other ?
Can someone please help.

You have posted this same question on the WAN Routing and Switching forum where it has gotten some responses. I suggest that we consolidate the discussion of this question on that forum.
HTH
Rick

Novell Client / IPSec Tunnel

Hi!
My organiztion has office and central site inter connected through IPSec VPN using two ISR 1841.
On our central site we have Novell server. At our office we have client PC witch Novell client v 4.91.
When client copy file to Novell server through IPSec VPN (crypto map on interface) - file on Novell server to come to corrupt.
When client copy file to Novell server without IPSec VPN (no crypto map on interface) - file on Novell server to come to ÐÐ.
Our parameters:
crypto ipsec df-bit clear
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key x address y
crypto map 10 10 ipsec-isakmp
set peer y
set transform-set toCenter
match address Center
PS: Copy to Windows server is always OK.
Is it possible to resolve these problem?

If you just want to allow the IPSec traffic between the Novell to pass through the PIX only, you just need to open up the esp protocol and for the Novell that is inside the PIX and udp port 500

Can ASA send it's syslogs over it's own IPsec tunnel?

I'd like to send syslogs etc sourced on an ASA to a destination that is connected via an IPsec tunnel on the ASA sourcing the traffic. Is this possible?
I'd have to have a a no-nat matching the traffic and also "same-security-traffic permit intra-interface". But which interface would I put on my "logging host" statement?
Appreciate any pointers

* Yes, the ASA can source traffic which can be sent over an IPSec tunnel.
* For a syslog, you will want to create a site-to-site VPN connection (as opposed to configuring the ASA as a VPN head-end).
* You will not need the 'same-security-traffic permit intra-interface' command -- the syslog traffic is being source from the ASA itself -- the syslog traffic is not being sourced 'from an interface'.
* You will not need the 'no-nat' command either. Once again the syslog traffic is not traversing from one interface to another interface; therefore, an xlate will not be created.
* When configuring your site-to-site VPN tunnel, you must specify 'interesting' traffic which is to be encrypted. Traffic from the ASA to the Syslog server should be marked as interesting (by matching the ACL which defines interesting traffic).
* you specific the interface off which the syslog server resides in the 'logging host' command.
In other words:
* say your syslog server has IP address 1.1.1.1 which resides on the Internet.
* say your outside interface on your ASA has an ip address of 200.200.200.200
* say your syslog server is located at a remote operations center which reside on the Internet. You will create a VPN tunnel from the remote operations center to your ASA (site-to-site tunnel). Create an ACL for interesting traffic that says to 'permit ip host 200.200.200.200 host 1.1.1.1' to mark traffic as interesting from the ASA to the syslog server.
* you will specify the outside interface in your 'logging host' command.
THINGS YOU DON'T NEED:
Because the syslog traffic is not transitting from one interface to another interface:
* you do not need to configure an ACL to permit syslog traffic to leave the ASA to go to the syslog server
* you do not need to configure NAT. An xlate is not required.
Let me know if this gets you going. I would be happy to set this up in a lab environment to provide you a sample configuration if you need it. I don't have a syslog server but could demonstrate this by running administrative traffic to and from the ASA via the VPN tunnel.
Regards,
Troy

Enforce AnyConnect client to do machine authentication when user is logged on

Hi All,
I want to use AnyConnect as a supplicant to our corporate WLAN and also use Machine Authentication feature on ACS 5.3.
Is there a way how to enforce AnyConnect client to do machine authentication when user is logged on? Sometimes can happen, when user just hybernate the computer and do not log off and log on. If they don't do this in some period, then they are not allowed to use WLAN.
Thanks for your help.
Regards
Karel

The problem appears to be if a user hibernate or ACS is reloaded and machine authentication timer expired and user need to logout and wait or reboot the machine. After that it authenticates and then user can login again. Anyconnect 3.1 will allow eap chainging and should be able to address that problem.

AP registration over IPSEC Tunnel(ASA)

Guys,
I have my WAP sitting behind ASA and have ipsec tunnel between ASA and router.below is the topology:-
WAP>>ASA<<< IPSEC TUNNEL>>> Router<<<WLC
Recently we have replaced router with ASA 5505 for security reasons and since then WAP is not able to registered to WLC. we have VPN tunnel up and working. Even WAP is able to ping to WLC ip address.
Do we have any special configuration in my ASA considering my above topology. I can confirm that capwap and lwap ports are opened in asa.
Please let me know if some one has faced this issue before.

Hi,
I hope you have already allowed the below mentioned ports as per your requirement.
You must enable these ports:
Enable these UDP ports for LWAPP traffic:
Data - 12222
Control - 12223
Enable these UDP ports for mobility traffic:
16666 - 16666
16667 - 16667
Enable UDP ports 5246 and 5247 for CAPWAP traffic.
TCP 161 and 162 for SNMP (for the Wireless Control System [WCS])
These ports are optional (depending on your requirements):
UDP 69 for TFTP
TCP 80 and/or 443 for HTTP or HTTPS for GUI access
TCP 23 and/or 22 for Telnet or SSH for CLI access
Also if it goes over the IPSec VPN, MTU size for the path between AP and WLC should be of 1500, if it has the lesser MTU, then communication fails.
Can you get me your WLC and ASA OS versions?
Regards
Karthik

"Discoverying Proxy" across a IPSEC Tunnel over wireless

Bear with me here, there are lot of moving parts in this puzzle, and I'm unsure where to look.
Users are using IE7 (some IE8's), group policy has "Automatically Detect Settings", and we have published a WPAD DNS entry, and are hosting the PAC file on the S370 box. We're very early in our deployment, so we're still functioning in "Monitor mode", till management has some information, and will direct us on what traffic they will allow .
The majority of users are located at our main site, the same site our Proxy is at, these users are having zero problems. For all intents and purposes, they don't even know the proxy is there.
about 30% of our users are located at remote sites. They are connected via an IPSEC L2L VPN tunnel (ASA5505 at remote site, connecting to an ASA5550 at main site)
The users using a wired connection work fine
Wireless users, connecting via LWAPP accesspoints (Wireless LAN controller version 4.2.176.0) at the remote sites, experience a delay connecting to the proxy, usually a few minutes. I actually believe that they are bypassing the proxy, since it takes two minutes. Unfortually, most of my users at the remote sites are wireless.
Thing's I'm immediately going to try are upgrading to the latest version of WLAN controller software, and then open a TAC case on the wireless LAN controller, but before I do this, has anyone run across something similar to this before? (Proxy discovery having issues across an IPSEC tunnel)
Mike

Hi Javier,
Please explain to me how I should explain this technically elaborate issue to either ISP tech support? :-P
Well, I tried my best and ended up on the phone for 5 hours with 6 different techs between Verizon and TWC BC. I should get paid for explaining them the basics of networking.
Anyhow, my last desperate attempt was to ask the tech to reboot my ONT so I'd get a new IP. Maybe some traffic balancer or filter didn't like my source and destination IP combination. Maybe it was cursed.
Ring. Ring. I finally got an awesome tech (John) from Verizon who actually knew what he was talking about. I connected my Verizon supplied router again and asked if he could log into it or run pings from it remotely (to show him that I'm not crazy). Though other techs told me that was not possible, he did in just a few seconds without much pain. He saw the pings failing as well. Then he said pings from the Verizon ONT gateway were successful, so I assumed it must have been an issue somewhere in Verizon's neck of the (network) woods where the problem persisted.
Long story short: The new IP address worked like a charm and no more packet drops.

Cisco ASA 5505 IPSec tunnel won't establish until remote site attempts to connect

I have a site to site IPSec tunnel setup and operational but periodically the remote site goes down, because of a somewhat reliable internet connection. The only way to get the tunnel to re-establish is to go to the remote site and simply issue a ping from a workstation on the remote network. We were having this same issue with a Cisco PIX 506E but decided to upgrade the hardware and see if that resolve the issue. It ran for well over a year and our assumtions was that the issue was resolved. I was looking in the direction of the security-association lifetime but if we power cycle the unit, I would expect that it would kill the SA but even after power cycling, the VPN does not come up automatically.
Any assistance would be appreciated.
ASA Version 8.2(1)
hostname KRPS-FW
domain-name lottonline.org
enable password uniQue
passwd uniQue
names
interface Vlan1
nameif inside
security-level 100
ip address 10.20.30.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
description Inside Network on VLAN1
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
description Inside Network on VLAN1
ftp mode passive
dns server-group DefaultDNS
domain-name lottonline.org
access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 192.168.15.0 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group OUTSIDE_ACCESS_IN in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.20.30.0 255.255.255.0 inside
http 10.20.20.0 255.255.255.0 inside
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYNMAP 65535 set transform-set ESP-AES-256-SHA
crypto map VPNMAP 1 match address KWPS-BITP
crypto map VPNMAP 1 set peer xxx.xxx.xxx.001
crypto map VPNMAP 1 set transform-set ESP-AES-256-SHA
crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map VPNMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
ssh timeout 5
console timeout 0
management-access inside
tunnel-group xxx.xxx.xxx.001 type ipsec-l2l
tunnel-group xxx.xxx.xxx.001 ipsec-attributes
pre-shared-key somekey

Hi there,
I had same issue with PIX 506E and it was not even a circuit issue and I got ride of it and problem got fixed with PIX515E
I don't know, the device is too old to stay alive.
thanks

All the traffic go through IPsec tunnel(site to site ) ,but something seems not working correctly

Hi, all,
I have seen a good post in google.com about how to make all the client's traffic though IPsec tunnel then out to the Internet from the Main site,now I attach this configuration and application for discussion, and what the problem is that I am still confused with the configuration on Main site , I hope anyone who can tell me more detail and how to accomplish it. Any answer will be appreciated , thank you !
Quote :
Question ? :
Mine is a very simple configuration. I have 2 sites linked via an IPsec tunnel. Dallas is my Main HQ R1 and Austin R2 is my remote office. I want all traffic from Austin to route thru the tunnel up to Dallas, then out to the Internet.
Dallas (Main) Lan Net is: 10.10.200.0/24
Austin (Remote) LAN Net is: 10.20.2.0/24
The Dallas (Main) site has a VPN config of:
Local Net: 0.0.0.0/0
Remote Net: 10.20.2.0/24
The Austin (Remote) site has a VPN config of:
10.20.2.0/24
Remote Net: 0.0.0.0/0
The tunnel gets established just fine. From the Austin LAN clients, I can ping the router at the main site (10.10.200.1). This is how I know the tunnel is created, but I cannot ping anything beyond the router from the Austin LAN, e.g. 8.8.8.8.
I'm sure it's something simple I failed to configure. Anyone have any pointers or hints?
Answer:
Thanks to Jimp from the other thread, I was able to see why it was not working. To fix, I had to change the Outbound NAT on the main side to Manual. Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0). Basically, I just created a copy of the default rule and changed the Source network.
Once I made this change, Voila! Traffic from the remote side started heading out to the Internet. Now all traffic flows thru the Main site. It makes perfect sense why I needed to make this change, it just took a slap in the head from Jimp to point me in the right direction.
My question ?
The answer said "To fix, I had to change the Outbound NAT on the main side to Manual. Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0). Basically, I just created a copy of the default rule and changed the Source network." what this mean and
how to do it , could anybody give me the specific configuration ? thanks a lot.

Thank you for Jouni's reply, following is the configuration on Cisco 2800 router ,no firewall enable, :
crypto isakmp policy 100
encr aes 256
authentication pre-share
group 2
crypto isakmp key x.x.x address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60
crypto ipsec transform-set IPsectrans esp-3des esp-md5-hmac
crypto dynamic-map IPsecdyn 100
set transform-set IPsectrans
match address 102
crypto map IPsecmap 100 ipsec-isakmp dynamic IPsecdyn
interface Loopback1
ip address 10.10.200.1 255.255.255.0
interface FastEthernet0/0
ip address 113.113.1.1 255.255.255.128
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map IPsecmap
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ip route 0.0.0.0 0.0.0.0 113.113.1.2
ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/0 overload
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip any 10.20.2.0 0.0.0.255

The tale of two IPSec Tunnels...

I'm trying to set up an ipsec tunnel at a particular site, and I am just stumped at this point. I have two sites I'm working with, a test site on my bench and the other actual site at another location. Both are ASA 5510's, both are running ASA v8.2(5). The test site has a 3560 off of it, and the production site has a 3750 stack off it. I don't think that part should matter, though.
I used the wizard to create the ipsec configuration on both devices, test and prod, and used the same naming on both to help compare. The test site connects and I can ssh to the 3560 behind it just fine. The production site, however, cannot connect to that 3750 or ping it to save my life. I've poured through the configs on both, and although there are just a couple of differences, the two ASA's are pretty close in configs.
At first I thought it was an acl issue, but I've filtered the logs by syslog id 106023 to watch for denys by access group. When I try to connect to the 3750, I get absolutely no entry in the log that anything is being denied, so I figure that's not it.
Then I thought it may be a routing issue. The one difference between the two sites is that the test site is using eigrp to disperse routes between the asa and switch, while the production site is using static routes. But I also didn't think that would've mattered, because on the static route switch I even put a static route in there to the vpn network which didn't make a difference.
I've also run packet traces on the firewall when doing a ping, and on the test siteI see echo requests and replies. Oon the production site I only see requests, no replies. My encap counters don't increment during pings, but the decap counters do, which make sense.
Other things to note: The test site that works also has a site-to-site vpn up and runnning, so you'll see that in the config as well. Client is Mac OS X 10.6.8, using the Cisco IPSec Config.
I'm hoping someone can look at my configs and tell me if they see anything I'm missing on them that could help solve my problems. I'd appreciate it! Thanks
Test Site that works
Production Site that Doesn't
testasa01-5510# sh run
: Saved
ASA Version 8.2(5)
hostname testasa01-5510
names
interface Ethernet0/0
nameif outside
security-level 0
ip address <outsideif> 255.255.255.240
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.39.194.2 255.255.255.248
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
no ip address
management-only
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
access-list inside_access_in extended permit ip 10.39.0.0 255.255.0.0 any log disable
access-list RemoteAccess_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.39.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 172.16.139.0 255.255.255.240
access-list outside_cryptomap extended permit ip 10.39.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list remoteaccess extended permit ip 172.16.139.0 255.255.255.240 any log disable
tcp-map WSOptions
tcp-options range 24 31 allow
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpn_ip_pool 172.16.139.0-172.16.139.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
global (outside) 100 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 100 10.39.0.0 255.255.0.0
access-group inside_access_in in interface inside
router eigrp 100
network 10.0.0.0 255.0.0.0
passive-interface default
no passive-interface inside
route outside 0.0.0.0 0.0.0.0 <outsideif> 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 management
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set pfs group1
crypto map outside_map1 1 set peer 209.242.145.200
crypto map outside_map1 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map1 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map1 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 170
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 60
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server <server> source inside
webvpn
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol IPSec
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
dns-server value 8.8.8.8
vpn-filter value remoteaccess
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteAccess_splitTunnelAcl
split-tunnel-all-dns disable
vlan none
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
address-pool vpn_ip_pool
default-group-policy RemoteAccess
tunnel-group RemoteAccess ipsec-attributes
pre-shared-key *****
tunnel-group 111.222.333.444 type ipsec-l2l
tunnel-group 111.222.333.444
general-attributes
default-group-policy GroupPolicy1
tunnel-group 111.222.333.444
ipsec-attributes
pre-shared-key *****
class-map WSOptions-class
match any
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class WSOptions-class
set connection advanced-options WSOptions
policy-map type inspect ip-options ip-options-map
parameters
eool action allow
nop action allow
router-alert action allow
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
: end
mp01-5510asa# sh run
: Saved
ASA Version 8.2(5)
hostname mp01-5510asa
names
interface Ethernet0/0
nameif inside
security-level 100
ip address 10.29.194.2 255.255.255.252
interface Ethernet0/1
nameif dmz
security-level 50
ip address 172.16.29.1 255.255.255.0
interface Ethernet0/2
description
nameif backup
security-level 0
ip address <backupif> 255.255.255.252
interface Ethernet0/3
description
speed 100
duplex full
nameif outside
security-level 0
ip address <outsideif> 255.255.255.248
interface Management0/0
nameif management
security-level 100
ip address 10.29.199.11 255.255.255.0
management-only
banner login Authorized Use Only
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
object-group network DM_INLINE_NETWORK_1
network-object 10.29.1.0 255.255.255.0
network-object 10.29.15.0 255.255.255.0
network-object 10.29.199.0 255.255.255.0
network-object 10.29.200.0 255.255.255.0
network-object 10.29.31.0 255.255.255.0
access-list inside_access_in extended permit ip 10.29.0.0 255.255.0.0 any log warnings
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 any log warnings
access-list inside_access_in extended permit ip 192.168.29.0 255.255.255.0 any log warnings
access-list inside_access_in extended permit ip 10.29.32.0 255.255.255.0 any log warnings
access-list outside_access_in extended permit ip any host 50.59.30.116 log warnings
access-list RemoteAccess_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.254.29.0 255.255.255.0 log warnings
access-list remoteaccess extended permit ip 10.254.29.0 255.255.255.0 any log warnings
access-list RemoteAccess2_splitTunnelAcl standard permit 10.29.0.0 255.255.0.0
pager lines 24
logging enable
logging list acl-messages message 106023
logging buffered acl-messages
logging asdm acl-messages
mtu inside 1500
mtu dmz 1500
mtu backup 1500
mtu outside 1500
mtu management 1500
ip local pool vpn_ip_pool3 10.254.29.0-10.254.29.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
asdm history enable
arp timeout 14400
global (inside) 201 interface
global (dmz) 101 interface
global (backup) 101 interface
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 10.29.1.0 255.255.255.0
nat (inside) 101 10.29.15.0 255.255.255.0
nat (inside) 101 10.29.31.0 255.255.255.0
nat (inside) 101 10.29.32.0 255.255.255.0
nat (inside) 101 10.29.199.0 255.255.255.0
nat (inside) 101 10.29.200.0 255.255.255.0
nat (inside) 101 192.168.29.0 255.255.255.0
static (inside,outside) <outsideif> 10.29.15.10 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 50.59.30.113 1 track 1
route backup 0.0.0.0 0.0.0.0 205.179.122.165 254
route management 10.0.0.0 255.0.0.0 10.29.199.1 1
route inside 10.29.0.0 255.255.0.0 10.29.194.1 1
route inside 192.168.29.0 255.255.255.0 10.29.194.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 management
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 100
type echo protocol ipIcmpEcho 74.125.239.16 interface outside
num-packets 3
frequency 10
sla monitor schedule 100 life forever start-time now
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
track 1 rtr 100 reachability
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh 10.0.0.0 255.0.0.0 management
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.200.1.41 source inside
webvpn
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
dns-server value 8.8.8.8
vpn-filter value remoteaccess
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteAccess_splitTunnelAcl
split-tunnel-all-dns disable
vlan none
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
address-pool vpn_ip_pool3
default-group-policy RemoteAccess
tunnel-group RemoteAccess ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
testasa01-5510# sh crypto ipsec sa
interface: outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: <outsideif>
      local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.139.1/255.255.255.255/0/0)
      current_peer: <peer ip>, username: blah
      dynamic allocated peer ip: 172.16.139.1
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 30, #pkts decrypt: 30, #pkts verify: 30
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: <outsideif>/4500, remote crypto endpt.: <peer ip>/37291
      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: 0A7F396F
      current inbound spi : E87AF806
    inbound esp sas:
      spi: 0xE87AF806 (3900372998)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, NAT-T-Encaps, }
         slot: 0, conn_id: 49152, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 3587
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x7FFFFFFF
    outbound esp sas:
      spi: 0x0A7F396F (176109935)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, NAT-T-Encaps, }
         slot: 0, conn_id: 49152, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 3587
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
mp01-5510asa# sh crypto ipsec sa
interface: outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: <outsideif>
      local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.254.29.1/255.255.255.255/0/0)
      current_peer: <peer ip>, username: blah
      dynamic allocated peer ip: 10.254.29.1
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 51, #pkts decrypt: 51, #pkts verify: 51
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: <outsideif>/4500, remote crypto endpt.: <peer ip>/37291
      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: 096265D4
      current inbound spi : F5E4780C
    inbound esp sas:
      spi: 0xF5E4780C (4125390860)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, NAT-T-Encaps, }
         slot: 0, conn_id: 102400, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 3576
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x001FFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x096265D4 (157443540)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, NAT-T-Encaps, }
         slot: 0, conn_id: 102400, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 3576
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Config (non working site) looks fine(unless I missed something:)) . You may want to add :
access-list RemoteAccess_splitTunnelAcl standard permit 192.168.29.0 255.255.255.0
Try by taking out vpnfilter : vpn-filter value remoteaccess
To further t-shoot, try using packet tracer from ASA to the client...
https://supportforums.cisco.com/docs/DOC-5796
Thx
MS

ISE 1.1 - 24492 Machine authentication against AD has failed

We implement Cisco ISE 802.1X and Machine Authentication With EAP-TLS.
Authentication Summary
Logged At:
March 11,2015 7:00:13.374 AM
RADIUS Status:
RADIUS Request dropped : 24492 Machine authentication against Active Directory has failed
NAS Failure:
Username:
[email protected]
MAC/IP Address:
00:26:82:F1:E6:32
Network Device:
WLC : 192.168.1.225 :
Allowed Protocol:
TDS-PEAP-TLS
Identity Store:
AD1
Authorization Profiles:
SGA Security Group:
Authentication Protocol :
EAP-TLS
Authentication Result
RadiusPacketType=Drop
AuthenticationResult=Error
Related Events
Authentication Details
Logged At:
March 11,2015 7:00:13.374 AM
Occurred At:
March 11,2015 7:00:13.374 AM
Server:
ISE-TDS
Authentication Method:
dot1x
EAP Authentication Method :
EAP-TLS
EAP Tunnel Method :
Username:
[email protected]
RADIUS Username :
host/LENOVO-PC.tdsouth.com
Calling Station ID:
00:26:82:F1:E6:32
Framed IP Address:
Use Case:
Network Device:
WLC
Network Device Groups:
Device Type#All Device Types,Location#All Locations
NAS IP Address:
192.168.1.225
NAS Identifier:
WLC-TDS
NAS Port:
4
NAS Port ID:
NAS Port Type:
Wireless - IEEE 802.11
Allowed Protocol:
TDS-PEAP-TLS
Service Type:
Framed
Identity Store:
AD1
Authorization Profiles:
Active Directory Domain:
tdsouth.com
Identity Group:
Allowed Protocol Selection Matched Rule:
TDS-WLAN-DOT1X-EAP-TLS
Identity Policy Matched Rule:
Default
Selected Identity Stores:
Authorization Policy Matched Rule:
SGA Security Group:
AAA Session ID:
ISE-TDS/215430381/40
Audit Session ID:
c0a801e10000007f54ffe828
Tunnel Details:
Cisco-AVPairs:
audit-session-id=c0a801e10000007f54ffe828
Other Attributes:
ConfigVersionId=7,Device Port=32768,DestinationPort=1812,RadiusPacketType=AccessRequest,Protocol=Radius,Framed-MTU=1300,State=37CPMSessionID=c0a801e10000007f54ffe828;30SessionID=ISE-TDS/215430381/40;,Airespace-Wlan-Id=1,CPMSessionID=c0a801e10000007f54ffe828,EndPointMACAddress=00-26-82-F1-E6-32,GroupsOrAttributesProcessFailure=true,Device Type=Device Type#All Device Types,Location=Location#All Locations,Device IP Address=192.168.1.225,Called-Station-ID=e0-d1-73-28-a7-70:TDS-Corp
Posture Status:
EPS Status:
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12502 Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12809 Prepared TLS CertificateRequest message
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12571 ISE will continue to CRL verification if it is configured for specific CA
12571 ISE will continue to CRL verification if it is configured for specific CA
12811 Extracted TLS Certificate message containing client certificate
12812 Extracted TLS ClientKeyExchange message
12813 Extracted TLS CertificateVerify message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12509 EAP-TLS full handshake finished successfully
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
Evaluating Identity Policy
15006 Matched Default Rule
24433 Looking up machine/host in Active Directory - [email protected]
24492 Machine authentication against Active Directory has failed
22059 The advanced option that is configured for process failure is used
22062 The 'Drop' advanced option is configured in case of a failed authentication request
But the user can authenticated by EAP-TLS
AAA Protocol > RADIUS Authentication Detail
RADIUS Audit Session ID :
c0a801e10000007f54ffe828
AAA session ID :
ISE-TDS/215430381/59
Date :
March 11,2015
Generated on March 11, 2015 2:48:43 PM ICT
Actions
Troubleshoot Authentication
View Diagnostic MessagesAudit Network Device Configuration
View Network Device Configuration
View Server Configuration Changes
Authentication Summary
Logged At:
March 11,2015 7:27:32.475 AM
RADIUS Status:
Authentication succeeded
NAS Failure:
Username:
[email protected]
MAC/IP Address:
00:26:82:F1:E6:32
Network Device:
WLC : 192.168.1.225 :
Allowed Protocol:
TDS-PEAP-TLS
Identity Store:
AD1
Authorization Profiles:
TDS-WLAN-PERMIT-ALL
SGA Security Group:
Authentication Protocol :
EAP-TLS
Authentication Result
[email protected]
State=ReauthSession:c0a801e10000007f54ffe828
Class=CACS:c0a801e10000007f54ffe828:ISE-TDS/215430381/59
Termination-Action=RADIUS-Request
cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-508adc03
MS-MPPE-Send-Key=5a:9a:ca:b0:0b:2a:fe:7d:fc:2f:8f:d8:96:25:50:bb:c8:7d:91:ba:4c:09:63:57:3e:6e:4e:93:5d:5c:b0:5d
MS-MPPE-Recv-Key=24:fa:8d:c3:65:94:d8:29:77:aa:71:93:05:1b:0f:a5:58:f8:a2:9c:d0:0e:80:2d:b6:12:ae:c3:8c:46:22:48
Airespace-Wlan-Id=1
Related Events
Authentication Details
Logged At:
March 11,2015 7:27:32.475 AM
Occurred At:
March 11,2015 7:27:32.474 AM
Server:
ISE-TDS
Authentication Method:
dot1x
EAP Authentication Method :
EAP-TLS
EAP Tunnel Method :
Username:
[email protected]
RADIUS Username :
[email protected]
Calling Station ID:
00:26:82:F1:E6:32
Framed IP Address:
Use Case:
Network Device:
WLC
Network Device Groups:
Device Type#All Device Types,Location#All Locations
NAS IP Address:
192.168.1.225
NAS Identifier:
WLC-TDS
NAS Port:
4
NAS Port ID:
NAS Port Type:
Wireless - IEEE 802.11
Allowed Protocol:

Hello,
I am analyzing your question and seeing the ISE logs i can see that the machine credentials was LENOVO-PC. Do you have shure that these credentials has in your Active Directory to validate this machine ? The machine certificate has the correct machine credentials from the domain ? The group mapped in the ISE rule has the machine inside this group ?
Differently from the user authentication that happens with success because the domain credentials can be validate from the Active Directory and get access to the network.

Machine authentication with MAR and ACS - revisited

I'm wondering if anyone else has overcame the issue I'm about to describe.
The scenario:
We are happily using ACS 4.1 to authenticate wireless PEAP clients to an external Windows AD database.
We do have machine authentication via PEAP enabled, but at this time we are not using Machine Access Restrictions as part of the external database authentication configuration.
The clients (we care about) are using the native XP ZWC supplicant and are configured to "authenticate as machine when available".
The passed authentications log does successfully show the machines authenticating.
The challege:
We only want to permit users on our PEAP protected WLAN if the machine they are using has an account in the domain (and they are a Windows XP box - the currents standard corporate image).
In a testing lab, we enable Machine Access Restrictions, with the access mapped to "No Access" if there is no machine auth, or if machine auth fails. If a machine is shut down and boots fresh, or if the logged on user chooses to logoff while on that WLAN - we see the Windows box sends its machine authentication. As I understand it - a windows XP box will only attempt to authenticate as a machine when a user logs off, or upon initial boot.
In our environment (and I'm sure many others) - if a user comes into the office and docks their laptop and is attached to the wired LAN and boots or logs on - the machine maybe authenticating - but it is authenticating directly to the AD as our wired LAN is not using 802.1x or ACS radius.
So the user maybe logged on and working on the network - and then choose to undock which activates the wireless.
The problem then - the machine does NOT attempt to authenticate as a machine and only processes the user credentials - which get passed onto ACS vial the WLC - and when MAR is enabled with the No Access mapping for no machine auth - the user auth obviously fails.
Has anyone seen / over come this ?
Our goal is to enforce that only standard XP imaged machines get on the wireless PEAP network (where the configuration is maintained by GPO).

Here's the only thing I could find on extending the schema (I'm not a schema expert):
http://msdn.microsoft.com/en-us/library/ms676900%28VS.85%29.aspx
If all of your clients are Windows machines, it's easier to stick with PEAP for machine auth, user auth, or both. However, your RADIUS (ACS) server should have a certificate that the clients trust. You can configure the clients to ignore the RADIUS server cert, but then your clients will trust any network that looks/works like yours. Get a cert/certs for your RADIUS server(s).
You can have PEAP and EAP-TLS configured on your ACS server without causing problems for your PEAP clients (be aware that most of my experience is with 4.1/4.2. Earlier versions may not work the same way). Your comment about what you're testing is confusing me. Let's say you have (only) PEAP configured for machine auth on both the client and the ACS server (no user auth is configured on the client, or in ACS). Your client will offer it's machine account AD credentials to the ACS server in order to authenticate to the network. Those credentials will be validated against AD by your ACS server, and then the machine will get an IP address and connect to your network. Once your machine is on the network, and a user tries to log on, then the user's AD credentials will be validated against AD (without any involvement of ACS). You should not need PEAP and EAP-TLS together. Both are used for the same purpose: 802.1X authentication for network access. PEAP only uses AD to validate machine credentials (or user credentials), because you configured your ACS server to use AD as a user database for validating 802.1X credentials. You could just have easily used PEAP on the client side, but told ACS to an LDAP connection to a Linux box with a user/machine database. Validating credentials for network access (802.1X) is not the same thing as authenticating to AD for server/printer/email/whatever access. I wish I could explain this better...

IPSec tunnel mode vs self-encapsulation ESP

Hello
I need to develop some server application which should communicate with thousands of independent external clients through IPSec in tunnel mode.
Configuration of IPSec must be done dynamically from application.
There is a requirement to have the same source/destination IP address in the inner and in outer IP headers, tunnel must start and ends within the server and within each client.
Is there any way to activate IPSec in tunnel mode without tunnel configuration?
In Solaris documents I see that there is possibility to activate self-encapsulation ESP mode.
Is this mode is the same as IPSec in tunnel mode?
If answer is yes, then is it possible to activate this mode system-wide, but not per-socket?
Thanks.

Additionally to some proprietary data connections we need to provide FTP server for clients over these IPSec connections.
Standard Solaris ftp server will be used.
Will IPSec with ESP in transport mode over NAT give us such possibility?
As far as I know FTP encapsulates IP addresses during it's work, so we think that only ESP tunnelling can provide normal working of FTP over NAT.
Is it possible to configure such kind of tunnel in Solaris as described in my first mail?
"There is a requirement to have the same source/destination IP address in the inner and in outer IP headers, tunnel must start and ends within the server and within each client."
Thanks

IPSEC tunnel with NAT and NetMeeting

I have established an IPSEC tunnel with two Cisco 2621 routers. Clients over the Internet are able to dial into the MCU server, which is behind one of the Cisco 2621 routers configured with NAT but the MCU is not able to call the client. The MCU is able to call any server or client on the LAN however it is not able to call anyone passed the router configured with NAT. Could anyone who has experience with NAT and IPSEC help me out?
Thanks,

The following doc should help...
http://www.cisco.com/warp/public/707/ipsecnat.html

Machine authentication over Client IPSEC tunnel

Similar Messages

Maybe you are looking for