Prime 2.0: User Auth Failure Count

Hello
In Prime 2.0, on the Home page> General, you can view dashlets showing various bits of information.
One of those available is User Auth Failure Count and I am trying to establish what this table is showing me and if I can get this information out of Prime in a CSV format for example, in order to do some correlation with RADIUS logs.
I want to establish whether the users being reported as having an auth failure are actually managing to get onto the network eventually, or whether we have an authentication problem we need to tackle.
The only reference in Cisco documentation I have found to date says the following, which is not helpful to me:
"User Auth Failure Count
This dashlet displays a chart which shows user authentication failure count trend over time. "
Does anyone know if this information is exportable somehow?
thanks
Bryn

Hi Scott
I agree with your point that the historical data is available via MSE, but I now come round to my first question, which is how do I get to the data from Prime?
I cannot find a report to run to get the Failed Auth User Count data, although it must be there for the information to be populating the dashlet
I think I will have to try our Cisco contact
thanks
Bryn

Similar Messages

ISE 1.2 EAP Chaining and Windows 8 - Auth failures

Hi All,
I've got a couple sites that appear to have issues with EAP chaining, ISE 1.2 and Anyconnect client on windows 8 enterprise.
Basically the windows 8 machines authenticate intermittently and randomly but largely fail auth.
Often the client will work perfectly for a boot even after a few reboots etc and then might stop working. Other clients won't work at all no mater what settings you configure.
Outer Method - EAP-FASTv2
Inner Method - MSChapV2
ISE 1.2 with Patch 1 (latest)
Windows 8 Enterprise - with patch http://support.microsoft.com/kb/2743127
Anyconnect Client 3.1.0466 (latest)
Machine and User Auth Against AD.
Cert checks disabled for testing.
Clients using same configuration.xml file
Symptom is Anyconnect prompts for username / password instead of using existing credentials. Typing credentials doesn't work.
Logs show failed "anonymous" authentications or client EAP timeouts.
Cheers
Peter.

Hi Peter,
It sounds like the Inner Method is not being negotitated properly so its only reading the Outer Method which by default is set to show "Anonymous" in AnyConnect Profiles.
Is it possible to upload a PDF version or copy paste the output of the failure from ISE's perspective?
Kind Regards,
Vlad

RDP with 802.1x, machine and user auth and dynamic VLAN

Hi,
we have 802.1x implemented with machine and user auth. We also use dynamic VLAN assignment. Our client is AnyConnect 3.1. Operating system is Windows 7. With Windows XP, it works just fine.
When we try to connect to the 802.1x auth desktop with RDP (desktop is machine authenticated, no user is logged in), we are able to authenticate but as soon as VLAN and IP address changes according to user authentication profile, RDP session is terminated. It is not just disconnected but remote user is logged out and AnyConnect reverts 802.1x session back to machine VLAN. We cannot login with RDP and just loop between machine-user-machine authentication.
With this behavior the TermDD message (ID 56) can be seen in system log. Following the response
http://social.technet.microsoft.com/Forums/windows/en-US/b7814ec3-6a49-469c-8773-909c50415942/the-rdp-protocol-component-x224-detected-an-error-in-the-protocol-stream-and-has-disconnected-the
, I was able to get rid of TermDD message but I still loop in machine-user-machine authentication.
The following is TermDD message:
+
System
Provider
[ Name]
TermDD
EventID
56
[ Qualifiers]
49162
Level
2
Task
0
Keywords
0x80000000000000
TimeCreated
[ SystemTime]
2013-06-10T09:25:28.515308700Z
EventRecordID
26643
Channel
System
Computer
XTCSSPWA03.cen.csint.cz
Security
EventData
\Device\Termdd
10.190.64.208
0000040002002C000000000038000AC00000000038000AC000000000000000000000000000000000410200D0
Binary data:
In Words
0000: 00040000 002C0002 00000000 C00A0038
0008: 00000000 C00A0038 00000000 00000000
0010: 00000000 00000000 D0000241
In Bytes
0000: 00 00 04 00 02 00 2C 00    ......,.
0008: 00 00 00 00 38 00 0A C0   ....8..À
0010: 00 00 00 00 38 00 0A C0   ....8..À
0018: 00 00 00 00 00 00 00 00   ........
0020: 00 00 00 00 00 00 00 00   ........
0028: 41 02 00 D0               A..Ð
Also AnyConnect shows that upon successful authentication and DHCP operation, it catches some exception and reverts back from user to machine VLAN:
3876: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-6-INFO_MSG: %[tid=1436][mac=1,6,d4:85:64:b8:43:61]: {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: Authentication Success
3877: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2} canceling existing DHCP work
3878: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: ipv4: {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2} stop
3879: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3) cdiOsIoctlSet: CDI_8023_FRAME_IO_ECHO, ifIndex(1), pData(0x0103FA38), dataLen(0) (cimdIo.cpp 2156)
3880: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3) cdiOsIoctlSet: echo (cimdIo.cpp 2270)
3881: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2} creating a new DHCP work
3882: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1448]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: executing: CancelCmd [state: COMPLETE]
3883: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-6-INFO_MSG: %[tid=1436][mac=1,6,d4:85:64:b8:43:61]: {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: DHCP: Sending DHCP request
3884: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: queueing DHCP work
3885: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: ipv4: {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2} start
3886: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3) cdiOsIoctlSet: CDI_8023_FRAME_IO_ECHO, ifIndex(1), pData(0x0103FA3C), dataLen(2) (cimdIo.cpp 2156)
3887: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3) data follows ... (cimdIo.cpp 2159)
3888: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3)      08 06                                                .. (cimdIo.cpp 2159)
3889: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3) cdiOsIoctlSet: echo (cimdIo.cpp 2270)
3890: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3) pEthTypes data follows ... (cimdIo.cpp 2273)
3891: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3)      06 08                                                .. (cimdIo.cpp 2273)
3892: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv6 Connect {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2} starting
3893: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1448]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: executing: StartCmd [state: COMPLETE]
3894: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (0) S_ndisIoControl: returning cached xmitLinkSpeed: 100000000 bps (cimdIo.cpp 3558)
3895: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (0) NDIS OID: ifIndex=1 GET OID_GEN_LINK_SPEED(0x10107) datalen=4, cbRW=4 cbNeeded=0 acErr=0 winErr=0 (cimdIo.cpp 3686)
3898: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Network CS-wired-pass: AccessStateMachine current state = ACCESS_CONNECTED, received adapterState = authenticated
3899: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Network CS-wired-pass: port authentication succeeded
3900: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Network CS-wired-pass: AccessStateMachine new state = ACCESS_CONNECTED
3901: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: received Cancel event [state: COMPLETE]
3902: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: state: COMPLETE -> INIT
3903: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: received Get-Connectivity event [state: INIT]
3904: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: state: INIT -> WAIT_FOR_CONNECTIVITY
3905: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 Connectivity Result: IN_PROGRESS
3906: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1448]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: executing: GetConnectiviyCmd [state: WAIT_FOR_CONNECTIVITY]
3907: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv6 Connectivity Result: FAILURE
3908: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: received Check-Connectivity event [state: WAIT_FOR_CONNECTIVITY]
3909: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: (initial) ipCfg: IP:10.190.95.74(255.255.255.248) GW:10.190.64.1
3910: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1448]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: executing: TestConnectivityCmd [state: WAIT_FOR_CONNECTIVITY]
3911: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1468][comp=SAE]: API (3) event: complete (portWorkList.c 130)
80: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAMSSO-7-DEBUG_MSG: %[tid=1524]: Tx CP Msg: <?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ssc="http://www.cisco.com/ssc" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <SOAP-ENV:Body> <networkStateEvent>   <sequenceNumber>19</sequenceNumber>   <groupName>Local networks</groupName>   <networkName>CS-wired-pass</networkName>   <networkState>AcquiringIpAddress</networkState>   <adapterName>Broadcom NetXtreme Gigabit Ethernet</adapterName>   <serverVerifiedName>ise-2.csint.cz</serverVerifiedName> </networkStateEvent> </SOAP-ENV:Body></SOAP-ENV:Envelope>
3912: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1468][comp=SAE]: PORT (3) port: ARP_REQ (portMsg.c 731)
3913: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1468][comp=SAE]: NET (3) cdiOsIoctlSet: CDI_8023_FRAME_IO_SEND, ifIndex(1), pData(0x024EEB40), dataLen(64) (cimdIo.cpp 2156)
3914: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1468][comp=SAE]: NET (3) data follows ... (cimdIo.cpp 2159)
3915: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1468][comp=SAE]: NET (3)      00 00 00 00 FF FF FF FF FF FF D4 85 64 B8 43 61     ........ ....d.Ca      08 06 00 01 08 00 06 04 00 01 D4 85 64 B8 43 61     ........ ....d.Ca      0A BE 5F 4A 00 00 00 00 00 00 0A BE 40 01 00 00     .._J.... ....@...      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00     ........ ........ (cimdIo.cpp 2159)
3941: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3) cdiOsIoctlSet: echo (cimdIo.cpp 2270)
3942: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 Connectivity Result: SUCCESS
3943: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv6 Connectivity Result: FAILURE
3944: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: ACE: adapter SM current: state(STATE_AUTHENTICATED), event(EVENT_IP_CONNECTIVITY)
3945: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: ACE: adapter SM state change: STATE_AUTHENTICATED -> STATE_CONNECTED
3946: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: handleEventAndDoStateTransitionAction action : ACTION_IP_CONNECTIVITY
3947: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (0) S_ndisIoControl: returning cached xmitLinkSpeed: 100000000 bps (cimdIo.cpp 3558)
3948: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (0) NDIS OID: ifIndex=1 GET OID_GEN_LINK_SPEED(0x10107) datalen=4, cbRW=4 cbNeeded=0 acErr=0 winErr=0 (cimdIo.cpp 3686)
1: XTCSSPWA03: 6 10 2013 11:24:54.007 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {25CBB996-92ED-457E-B28C-4774084BD562} LogLevel=0xF
2: XTCSSPWA03: 6 10 2013 11:24:54.007 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved C:\windows\system32\authui.dll.
3: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({25CBB996-92ED-457E-B28C-4774084BD562}): Attempting to load Dir=C:\windows\system32, FileName=authui.dll
4: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000001FC050) instantiated for CLSID:{25CBB996-92ED-457E-B28C-4774084BD562}
5: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {3DD6BEC0-8193-4FFE-AE25-E08E39EA4063} LogLevel=0xF
6: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved C:\windows\system32\authui.dll.
7: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({3DD6BEC0-8193-4FFE-AE25-E08E39EA4063}): Attempting to load Dir=C:\windows\system32, FileName=authui.dll
8: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000001FC850) instantiated for CLSID:{3DD6BEC0-8193-4FFE-AE25-E08E39EA4063}
9: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {503739D0-4C5E-4CFD-B3BA-D881334F0DF2} LogLevel=0xF
10: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved C:\windows\System32\VaultCredProvider.dll.
11: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({503739D0-4C5E-4CFD-B3BA-D881334F0DF2}): Attempting to load Dir=C:\windows\System32, FileName=VaultCredProvider.dll
12: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003A30B0) instantiated for CLSID:{503739D0-4C5E-4CFD-B3BA-D881334F0DF2}
13: XTCSSPWA03: 6 10 2013 11:24:54.038 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {6F45DC1E-5384-457A-BC13-2CD81B0D28ED} LogLevel=0xF
14: XTCSSPWA03: 6 10 2013 11:24:54.038 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved C:\windows\system32\authui.dll.
15: XTCSSPWA03: 6 10 2013 11:24:54.038 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({6F45DC1E-5384-457A-BC13-2CD81B0D28ED}): Attempting to load Dir=C:\windows\system32, FileName=authui.dll
16: XTCSSPWA03: 6 10 2013 11:24:54.038 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003AF710) instantiated for CLSID:{6F45DC1E-5384-457A-BC13-2CD81B0D28ED}
17: XTCSSPWA03: 6 10 2013 11:24:54.038 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {8BF9A910-A8FF-457F-999F-A5CA10B4A885} LogLevel=0xF
18: XTCSSPWA03: 6 10 2013 11:24:54.038 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved SmartcardCredentialProvider.dll.
19: XTCSSPWA03: 6 10 2013 11:24:54.038 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({8BF9A910-A8FF-457F-999F-A5CA10B4A885}): Attempting to load Dir=, FileName=SmartcardCredentialProvider.dll
20: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003B7D70) instantiated for CLSID:{8BF9A910-A8FF-457F-999F-A5CA10B4A885}
21: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {94596C7E-3744-41CE-893E-BBF09122F76A} LogLevel=0xF
22: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved SmartcardCredentialProvider.dll.
23: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({94596C7E-3744-41CE-893E-BBF09122F76A}): Attempting to load Dir=, FileName=SmartcardCredentialProvider.dll
24: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003C03D0) instantiated for CLSID:{94596C7E-3744-41CE-893E-BBF09122F76A}
25: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {AC3AC249-E820-4343-A65B-377AC634DC09} LogLevel=0xF
26: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved C:\windows\System32\BioCredProv.dll.
27: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({AC3AC249-E820-4343-A65B-377AC634DC09}): Attempting to load Dir=C:\windows\System32, FileName=BioCredProv.dll
28: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003CABC0) instantiated for CLSID:{AC3AC249-E820-4343-A65B-377AC634DC09}
29: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {B12744B8-5BB7-463A-B85E-BB7627E73002} LogLevel=0xF
30: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CClassFactory(00000000001FFF00) CreateInstance calling CoCreateInstance on MS password cred prov
31: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {6F45DC1E-5384-457A-BC13-2CD81B0D28ED} LogLevel=0xF
32: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved C:\windows\system32\authui.dll.
33: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({6F45DC1E-5384-457A-BC13-2CD81B0D28ED}): Attempting to load Dir=C:\windows\system32, FileName=authui.dll
34: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003D3220) instantiated for CLSID:{6F45DC1E-5384-457A-BC13-2CD81B0D28ED}
35: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003DB880) instantiated for CLSID:{B12744B8-5BB7-463A-B85E-BB7627E73002}
36: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {E74E57B0-6C6D-44D5-9CDA-FB2DF5ED7435} LogLevel=0xF
37: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved C:\windows\system32\certCredProvider.dll.
38: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({E74E57B0-6C6D-44D5-9CDA-FB2DF5ED7435}): Attempting to load Dir=C:\windows\system32, FileName=certCredProvider.dll
39: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003E3EE0) instantiated for CLSID:{E74E57B0-6C6D-44D5-9CDA-FB2DF5ED7435}
3963: XTCSSPWA03: 6 10 2013 11:24:59.247 -0100: %NAM-7-DEBUG_MSG: %[tid=2460]: SysLib:DBG: .\src\os\win\osAsync_win.c:233: => SL_STATUS_NO_CONNECTION
3964: XTCSSPWA03: 6 10 2013 11:24:59.247 -0100: %NAM-7-DEBUG_MSG: %[tid=2460]: SysLib:DBG: .\src\ipc\win\ipcPipeBase_win.c:102: => SL_STATUS_NO_CONNECTION
3965: XTCSSPWA03: 6 10 2013 11:24:59.262 -0100: %NAM-7-DEBUG_MSG: %[tid=2460]: SysLib:DBG: .\src\ipc\win\ipcPipeBase_win.c:194: => SL_STATUS_NO_CONNECTION
3966: XTCSSPWA03: 6 10 2013 11:24:59.262 -0100: %NAM-7-DEBUG_MSG: %[tid=2460]: SysLib:DBG: .\src\ipc\ipcFuncs.c:105: => SL_STATUS_NO_CONNECTION
3967: XTCSSPWA03: 6 10 2013 11:24:59.262 -0100: %NAM-7-DEBUG_MSG: %[tid=2460]: CAUGHT: NoConnectionException
3968: XTCSSPWA03: 6 10 2013 11:24:59.262 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: CoreLib:TRACE: context=acnam, thread join, ThreadImpl.cpp:58, m00585050, err=0(OS_OK), thread_id=2460
3969: XTCSSPWA03: 6 10 2013 11:24:59.262 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: CoreLib:TRACE: context=acnam, thread join, ThreadImpl.cpp:58, m00585838, err=0(OS_OK), thread_id=3692
89: XTCSSPWA03: 6 10 2013 11:25:06.367 -0100: %NAMSSO-7-DEBUG_MSG: %[tid=1228]: ServiceControlHandlerEx:WTS_SESSION_LOGOFF, Session ID: 1
If we do not change VLAN from machine to user, it works just fine.
Have anybody seen this problem? Have anybody fixed it?
Thanx, Martin

Hi,
unfortunately not.
I have gone through extensive troubleshooting from Microsoft and Cisco sides twice and the result is:
1) AnyConnect performs EAPol logoff when it detects RDP session termination. So it goes from user to machine authentication
2) Windows 7 performs RDP session termination when IP address changes due to the change of VLAN (from machine VLAN to user VLAN)
Cisco claims that AnyConnect behavior is correct and Microsoft claims that they do not want to change this behavior (reset of RDP session).
I can imagine that Cisco can detect whether RDP session was terminated due to the IP address change or not and do not revert back to machine authentication in such a case.
In fact there was nobody at Cisco that was willing to listen to me or accept this like something that needs a fix. The only thing you can do is to enable "Extend connection beyond logoff". AnyConnect does not send EAPol logoff if it detects RDP session termination and you can establish another RDP session which does not fail and you stay connected with RDP.
Martin

ISE - Periodic Dynamic Auth Failures

I am running into an issue where I get a handful of Dynamic Auth Failure errors in ISE. In the results it's showing a CoANAK and the error cause is 200. In the steps it's showing:
11204 Received reauthenticate request
11220 Prepared the reauthenticate request
11100 RADIUS-Client about to send request
11101 RADIUS-Client received response
Which shows successful communications between ISE and the NAD. When I look at the logs for Radius Authentication for one of the hosts I see it pass MAB with one session ID then Dynamic Auth CoA Fail then pass dot1x with a different session ID.
I was reading up on the Dynamic Auth RFC (http://tools.ietf.org/html/rfc5176) and in Section 3.5 it states:
"Values 200-299 represent successful completion, so that these values may only be sent within CoA-ACK or Disconnect-ACK packets and MUST NOT be sent within a CoA-NAK or Disconnect-NAK packet."
Am I missing something here? Is anyone else having this issue?

All Cisco Phones. Switches are 4510's running 03.02.03
Here's a sample port config:
interface GigabitEthernetX/X/X
switchport access vlan XX
switchport mode access
switchport voice vlan XX
srr-queue bandwidth share 10 10 60 20
queue-set 2
priority-queue out
authentication event fail action next-method
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
mab
mls qos trust device cisco-phone
mls qos trust cos
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree guard root
service-policy input AutoQoS-Police-CiscoPhone
end
No I don't see multiple session id's for the same user. We are using EAP-TLS and cert auth.
Server keys are good. I've debugged a couple of these. Only thing I could find was the session ID is different between mab and dot1x.

AUTH FAILURE.problem

I use the following command to install OC4J 10g standalone but got error
how to fix it?
I haven't installed J2SE SDK as i discover jdevstudio have it
i configure global environment variable in right click my computer
as JAVA_HOME = C:\jdevstudio10133\jdk\bin\
cmd still do not have java command, when i use the full link following
i do not know username or password , then i read some blog use oc4jadmin
to set password , but failed, how to install it?
C:\OC4J10g\j2ee\home>C:\jdevstudio10133\jdk\bin\java -jar jazn.jar -activateAdmi
n adminpassword
AbstractLoginModule username: oc4jadmin
AbstractLoginModule password:
2008年6月26日下午07:06:07 oracle.security.jazn.spi.xml.XMLRealmUser authenticate
information: User(jazn.com/oc4jadmin) is deactivated. AUTH FAILURE.
2008年6月26日下午07:06:07 oracle.security.jazn.login.module.RealmLoginModule au
thenticate
Serious: [RealmLoginModule] authentication failed
Authentication Failed

i configure global environment variable in right
click my computer
as JAVA_HOME = C:\jdevstudio10133\jdk\bin\
JAVA_HOME should be one level up before "bin"
BTW I think you posted this on the wrong forum .

Reset failure count after?

In DS 5.2 there are three parameters for account (password) lockout:
lockout account after n login failures
reset failure count after n minutes
lockout duration n minutes
I do not fully understand the "reset failure count" parameter and how it affects the other two. Should it be under or over the lockout duration or does that matter? For example, If my lockout failure is 12 and duration is 12 hours, what should the reset be? Whats the best practice too? In general what do people set these at? Thanks.

The main objective of the parameter is to avoid brute-force attacks without affecting normal users that during a more or less long period, sometimes type their passwords incorrectly. This is specially relevant when the lockout is permanent.
I will try to explain the parameter with an example. Imagine you have set the following configuration:
Lockout account after 5 login failures
Reset failuer count after 10 minutes
Lockout duration Forever
A user tries to bind
01/01/2006 13:21:04 (bad)
01/01/2006 13:21:06 (bad)
01/01/2006 13:21:07 (bad)
01/01/2006 13:21:12 (bad)
01/01/2006 13:21:24 (bad)
01/01/2006 13:21:42 (bad)
The first five attemps will result in an invalid password error code, but the sixth will result in an account lockout. The user won't be able to bind succesfully until administrative actions are taken, even if providing the correct password.
Nevertheless, if user tries to bind at
01/01/2006 13:21:04 (bad)
01/01/2006 13:21:06 (bad)
01/01/2006 13:21:07 (bad)
01/01/2006 13:21:12 (bad)
01/01/2006 13:21:24 (bad)
02/01/2006 13:21:42 (bad)
02/01/2006 13:21:43 (ok)
this last attemp will result in a success code. As more than 10 minutes have passed since 5 and 6 attemps (a full day), the counter has been reseted and the account hasn't been locked out.

DirectoryService reports mysterious auth failures

My console log is full of log messages like ones included below. I would love to know where they come from, so I can fix whatever is wrong.
I don't think that there is someone trying to break in, as I don't see corresponding failed ssh connections, or any errors in the afp / smb logs. I do see some break in attempts over ssh, but they don't correspond to the events / names reported for these errors in the console. The user names below also only match local users, and if this had been break in attempts, I wouldn't expect them to know the exact names of all my users. I also don't think that this problem is caused by the connecting LAN clients, as I also see the error for the admin & root accounts.
To me it seems that some local service / facility is not configured correctly, but I'm at loss as to how to track this down.
I'm running Mac OS X Server 10.4.3, and have the following things enabled:
ssh, ard, afp, smb, httpd+webdav (for iCal sharing).
===============================================
Nov 22 15:21:33 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: mikael.
Nov 22 15:26:10 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: root.
Nov 22 17:38:59 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: root.
Nov 22 17:45:19 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: admin.
Nov 22 17:48:04 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: joar.
Nov 22 17:50:15 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: david.
Nov 22 17:52:27 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: johan.
Nov 22 17:54:38 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: fredrika.
Nov 22 17:56:50 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: tove.
Nov 22 17:59:02 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: mikael.
Nov 22 18:53:47 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: admin.
Nov 22 18:53:47 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: joar.
Nov 22 22:34:15 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: mikael.
Nov 22 23:33:35 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: root.
Nov 22 23:41:23 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: admin.
Nov 22 23:44:28 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: joar.
Nov 22 23:47:36 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: david.
Nov 22 23:50:32 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: johan.
Nov 22 23:52:32 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: fredrika.
Nov 22 23:54:32 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: tove.
Nov 22 23:56:36 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: mikael.
Mac OS X (10.4.3)

Hi,
I've seen this as well and I think the cause is someone trying to use either Server Admin or Server Monitor without the correct credentials on that server.
I haven't verified this, but I had a colleague reenter the username and password in both of these programs on his machine and the messages went away on the server.
Hope that helps.
Kevin Anderson
Fairbanks School District
Fairbanks, Alaska
20 in iMac G5 Mac OS X (10.4.3) Many, many Xserves

Go URL - User Authentication Failure

Hi,
I am trying to use a 'Go URL' in web application and I see some issue with authentication mechanism.
I was able to login and view the dashboard whenever the username used in the 'Go URL' is from the console. But if the user who is from Active directory is used in the 'Go URL' link, then I get the login page saying 'Invalid username or password'. When I check the log file, it says ' [53012] User Authentication Failure'.
Also the AD user can login from the login page, but not thru 'Go-URL' link.
Can anyone let me know whether I am missing any step?
Thanks

969211 wrote:
I was able to login and view the dashboard whenever the username used in the 'Go URL' is from the console. But if the user who is from Active directory is used in the 'Go URL' link, then I get the login page saying 'Invalid username or password'. When I check the log file, it says ' [53012] User Authentication Failure'.
Also the AD user can login from the login page, but not thru 'Go-URL' link.
Can anyone let me know whether I am missing any step?Check the usage of Go URL first : http://docs.oracle.com/cd/E21043_01/bi.1111/e16364/apiwebintegrate.htm
If you dont user NQUser and NQPassword then they will be prompted for a password. you need to http://<hostname.domain>:9704/analytics/saw.dll?Dashboard&PortalPath=<your GO URLpath>*&NQuser=USERNAME&NQPassword=PASSWORD*
You should not access if URL without logging in.
Also on different note:
Rupesh Shelar wrote:
Make sure your BISYSTEM password
Go to weblogic console, http://IP address:7001/console
Home >Summary of Security Realms > myrealm > Users and Groups > BISystemUser
And then go to your EM (http://IP address:7001/em)
expand weblogic domain > bifoundation_domain > Security > Credentials > oracle.bi.system ? system.user
Just retype a new password then Restart BI All Services then test it.How is BISystemUser even related to Go URL .or this issue .?
Hope this helps.
Let me know the updates. Mark if it answers!
Thanks,
SVS

Win 7 client with machine and user auth stuck in 802.1x_REQD

Hi everybody
we have a WLC 5508 with 7.2.110.0 and an ACS 5.3 and do the following:
- Win 7 client gets a GPO object with the wlan configuration for "Machine and User authentication" with PEAP
- On ACS 5.3 I configured correctly the authentication and authorization for first machine authentication and then user authentication ("Was machine authenticated = true)
- First when machine authentication happens, the client is configured into a quarantine VLAN, where it is only allowed to communicate with the domain controllers
- When the user authenication happens, the client is moved into the productive client vlan with no restrictions.
Everything works fine, except that after the user loggs in, it takes about 3 minutes until the client answers the EAP Identity Request and loggs in, see attached screenshot or the screenshot below:
In the client status on WLC i can see that the client is stuck in the 802.1x_REQD state for these 3 minutes, until suddenly it authenticates (but then very often, about 5 times - see screenshot).
We tried the following to find the problem spot. but we were not able to locate the problem:
- Configure the machine and user authentication into the same vlan all the time
- ONLY user authentication on the client
- Played with the Win 7 settings (timers, and so on)
- When we manually configured the WLAN profile on the Win 7 client and saved it, the Win 7 client connected to the SSID without any problems and without any delay (about 5 seconds after the save)
Did someone ever had the same issue?
Thanks a lot and best regards
Dominic

Hi Amjad
very good point on this, thanks a lot. In this case, I did not even think about the client firmware side, thought that I should be the WLC or the client settings, but not the driver. We will give a shot on this next week, maybe this will help us to solve the problem.
It is normal to have the clietn in 802.1x_REQD if it is not yet authenticated and that is the expected state to be at in your situation untlil the client fully authenticates.
Absolutely correct that the client is associated and in the 802.1x_REQD state as long as the authenticator did not get the EAP identity Response, but that the client takes such a long time to answer is not normal ;-)
- What is the supplicant that is used on the windows machines? default WLAN supplicant? or you use some commercial supplicants?
WZC.
- what is the result when testing with user auth only?
The same, it takes such a long time.
- what ist he result when testing with machine auth only?
Machine authentication works as expected, fast and as soon as the client is booted, the client gets authenticated.
Regards and have a nice weekend
Dominic

802.1x Machine and User Auth Vlan assignments

I have machine and user auth working between Win2K PC and ACS 3.3 but not sure how to best use the Vlan assignment feature. I use Vlans for different departments and if I assign a vlan in ACS to a machine when it authenticates but the user is assigned to a different Vlan, I don't get a renewed IP.
Here is how it's working now:
1. Machine authenticates to ACS and assigned to a Vlan
2. User logs in and if they are assigned to the same Vlan as the machine, works fine. If assigned to another vlan, the switchport does get changed but the PC still has an IP from the initial Vlan it was assigned to. Releasing and renewing doesn't work but I really don't expect it to.
So, I figure the solution to this is just not set a per user vlan and only set it per machine. But, the group mapping in ACS looked like a great way to assign Vlans based on a user's Active Directory group but it doesn't appear to recognize the different computer OU's we have. So I can assign vlan's based on user groups but not computer groups. As machines are added to ACS, I could change them to an ACS group with the Vlan set but this would be a lot more work than an automated method like unknown user policy.
So, how are others assigning machines to vlans in large multi-vlan networks using ACS and 802.1x?

By default users and computers belong to different global groups. "Domain Users" vs. "Domain Cmpouters" for example.
As for your example, it seems like you have a misbehaving supplicant, and authentication is attempting and then timing out and starting over .. that never actually gets to fail, so the auth-fail stuff won't help.
Note: A good way to troubleshoot this is to notice it in action via show command:
Here's an example of what you should see on a switch port.
AuthSM State = State of the 802.1X Authenticator PAE state machine
VALUES:
AUTHENTICATED -- Auth Succeeded
AUTHENTICATING -- Auth is attempting
CONNECTING -- Dot1x is up and configured and trying to locate a supplicant.
HELD -- Auth probably failed.
BendSM State = State of the 802.1X back-end authentication state machine
VALUES:
IDLE -- Nothing is happening.
REQUEST -- Switch sent some EAP data to AAA, and is waiting to get something back.
RESPONSE -- AAA sent the switch back some data, and the switch in turn asked the supplicant for more data.
NOTE: You should rarely see the RESPONSE state above. If you see it for more than a second or so i nthe middle of an auth attempt, that's a smoking gun that you might have a mis-behaving supplicant, b/c it shouldn't take that long to send an EAPOL frame. The switch will eventually time out, and start auth over.
Hope this helps,

User auth fails using 802.1x (EAP-TLS)

I'm currently testing 802.1x machine and user authentication using EAP-TLS. Right now I'm testing them separately, and machine auth works great, but user auth doesn't.
Here's what I'm using:
Smart Cards ->
Built-in Microsoft XP supplicant ->
Catalyst 4006 Switch ->
Cisco Secure ACS 3.3 ->
Microsoft Active Directory
After I log in using the smart card, an EAPOL message from the computer is sent to the switch, and the switch replies asking for the computer to identify itself, but the computer does nothing. The switch continues asking and finally gives up because of no response. The ACS server logs no traffic from the supplicant.
Is this a supplicant issue? Using PEAP MSCHAPv2 with secured passwords works fine, but not with certificates.

I found my answer. The problem was with the Microsoft supplicant. It wasn't prompting me to type in the PIN to unlock the smart card, so it couldn't read the certificate and thus the EAP process was timing out.
In order for the Windows supplicant to prompt the user for the smart card PIN, the "Show icon in notification area when connected" checkbox in the Local Area Connection properties windows must be checked. They may want to think about renaming that box... :-)

System wide auth failure

How do I log into my administrative account via terminal and then use the password command to change my password to fix a system wide auth failure?

HI,
I'm not sure how to do this using Terminal, but you can change the admin password using your instal disk.
To reset the administrator password using the Mac OS X Install disc:
Insert the Mac OS X Install disc and restart the computer.
When you hear the startup tone, press and hold down the C key until you see the spinning gear.
When the Language Chooser appears, select your language and click Continue.
In the Installer, choose Utilities > Reset Password.
Follow the onscreen instructions to change the password.
Be sure to change your login keychain password in Keychain Access to match your new account password so your keychain is unlocked when you log in.
I did find this thread re: Using Terminal to change the admin password.
http://forums.macosxhints.com/archive/index.php/t-6906.html
Carolyn

ACE show serverfarm - failure counter does not incremented on Probe-Failure event

Hi,
Despite of probe-failure the failure counter is not incremented. Is there any correlation between the configured probe and the failure counter?
(Custom script probe is used for this serverfarm)
# sh serverfarm xxxxxSt
serverfarm     : xxxxxSt, type: HOST
total rservers : 2
                                                ----------connections-----------
       real                  weight state        current    total      failures
   ---+---------------------+------+------------+----------+----------+---------
   rserver: xxxxx6
       10.222.0.90:8000      8      OPERATIONAL 13         157        0
   rserver: xxxxx7
       10.222.0.92:8000      8      PROBE-FAILED 0          0          0
Thanks,
Attila

Hi Attila,
The Connection Failure counter under show serverfarm is for Loadbalanced Connections which are failing.
If Probes are failing, this counter will not increment.
The Connection failure counter can increment for various reasons some of them are,
- Server not responding to the SYN packet sent by ACE for Loadbalanced connection
- Server sending Reset to the SYN packet sent by ACE for Loadbalanced connection
To check on stats for Probe, you can run "show probe detail" command.
Hope this helps,
Best Regards,
Rahul

Machine +User Auth for windows endpoint autheticating through ISE

Hi
Is there any way to use machine + user auth at same time when authenticating Windows machine through ISE. In Windows native supplicant there is option as
1) Machine OR user Auth
2) User Authentication
3) Machine Authentication
4) Guest authentication
I want to give more priveledge access to endpoints where they are joined to AD domain AND the user is logged in using AD credentials.
Is there any way to achieve this functionality ...

With windows you do not have the option, however with ISE 1.1.1 and the latest cisco anyconnect nam supplicant (which is free) has a feature called eap chaining, it uses eap-fast to send the authentication sequence just as you want.
Here is the reference:
ISE release notes
http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp307279
Anyconnect release notes
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html#wp998871
Configuration of anyconnect -
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac04namconfig.html#wp1065210
Tarik Admani
*Please rate helpful posts*

Dot1x machine auth before user auth required

We are looking at setting up dot1x in our libraries however I have been asked to see if there is a way to force a switch port to require machine auth before user auth. The reason for this is a problem we have that users will disconnect the ethernet cable from the library computer and plug it into theirs. If they have an AD account, they could in theory authenticate on this port. We want to discourage them from disconnecting these ports as we then don't know the computer has been unplugged and then it is no longer on the network and doesn't get updates/ghosted.
Also, would it maybe be better to just allow a specific group of user accounts to connect to these jacks, and if so what would be the best way? Location settings on the port?
We are using ISE 1.2 to do authentication for these switches.

Hi Zach-
There are several different ways to prevent non-domain computers from gaining access to the network. I will try to list a few of them starting with the easiest and least expensive/labor intensive methods:
1. Do only Machine-based authentication. This eliminates the user from having to enter credentials and ISE will simply query AD for valid computer domain membership.
2. Use EAP-Chaining. This is the only method that truly gives you user+machine authenticaiton. However, it does require that you push the Cisco Any-Connect client to all endpoints
3. Deploy PKI and use EAP-TLS authentication with Digital Certificates. With this method only domain computers/users can get a certificate and ISE can still query AD for user or machine AD membership
4. Perform Posture and check for something that is domain specific. For instance, a fake registry key or file that is being created when a machine joins to the domain. With this method ISE can still ask for User authentication but also require posture check. You can then set the policy that if posture fails but user auth succeeds then the user will only get guest access.
I hope this helps.
Thank you for rating!

Prime 2.0: User Auth Failure Count

Similar Messages

Maybe you are looking for