Windows 7 Supplicant Configuration - ISE PEAP w Machine Auth

Can anyone tell me the settings for the Windows 7 supplicant that works with ISE and PEAP using machine authentication?  I have an authorization profile that permits the user login only after machine 'WasAuthenticated'.  I have only found this to work by setting the Windows 7 supplicant up to use Single-Sign-On before Windows logon and to specify 'User or Machine' authentication.  Then I'm only successful if I have both wired and wireless connected/on and I perform a logoff/reboot.  Surely this isn't right.  What if a user logs on without any connection with cached credentials and then wants to use wireless?  Can't they just perform both machine and user auth over the wireless connection regardless of prior machine/auth states?  I used the videos from LABMINUTES to configure the policies, but I don't need the ACLs for the WLAN controller because these are autonomous APs.
Regards,
Scott

Microsoft will send both and only cares if one passes. This is the same with RADIUS. ACS and ISE allow you to check to see if the machine was authenticated, which happens initially on boot. After the initial machine auth, the Windows machine will only send user creds. The "was machine authenticated" check is a workaround to be able to do both. The issue is that when the timeout of the machine creds happens, the device has to be rebooted. In Cisco Live 2012, they even suggested you don't do this, due to not knowing how long ACS or ISE will keep this cached information.

Similar Messages

  • Machine + User Auth for Windows endpoint authenticating through ISE

    Hi
    Is there any way to use machine + user auth at the same time when authenticating a Windows machine through ISE? In the Windows native supplicant there are options such as
    1) Machine OR user Auth
    2) User Authentication
    3) Machine Authentication
    4) Guest authentication
    I want to give more privileged access to endpoints where they are joined to the AD domain AND the user is logged in using AD credentials.
    Is there any way to achieve this functionality ...

    With Windows you do not have the option; however, ISE 1.1.1 with the latest Cisco AnyConnect NAM supplicant (which is free) has a feature called EAP chaining. It uses EAP-FAST to send the authentication sequence just as you want.
    Here is the reference:
    ISE release notes
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp307279
    Anyconnect release notes
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html#wp998871
    Configuration of anyconnect -
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac04namconfig.html#wp1065210
    Tarik Admani
    *Please rate helpful posts*

  • Windows client intermittent connection to PEAP WIFI backed off to ISE 1.2 wildcard cert

    I am setting up a topology where for the first time I am deploying ISE with a wildcard certificate. This is on ISE 1.2 patch 6, WLCs running 7.6 and Windows 7 clients in AD. The ISE policy is just to match on machine auth.
    The setting up of the wildcard cert went ok as guided by the CCO ISE 1.2 deployment/cfg guide.
    When it came to testing the client auth as always I start off with the PEAP settings of Validate server certificate off, just to confirm the WLC and ISE are playing ball.  They were, the auth passed.
    I then tick the Validate server certificate, make sure the CA (Windows AD) is in the Trusted Root Certification Authorities.  Retest and the client passes.
    If I then disconnect the wifi and reconnect, either manually or by doing a reboot, the next authentication fails, but nothing has changed. ISE reports that my Windows client rejected the server certificate. Which is odd, as it just accepted it.
    If I untick the validate the client passes, if i tick it again it will authenticate fine, once.  The next connection it will fail again with the client rejecting ISE.
    Anyone got any ideas?

    I have had a similar issue consistently with 1.2 on both patch 5 and 6 (not sure about earlier ones). Basically what I am seeing is the client rejecting the server cert when validate is unticked. Most of the time the client connects just fine a few seconds later, but some clients need a reboot to fix it. As a rule I put this down to a client issue, but I am not 100% sure sometimes.

  • Inactive Windows 7 supplicant tries to reauthenticate every 4 to 10 minutes in Cisco ISE 1.2.1.899

    Hi,
    We have a dashboard Windows 7 supplicant which is being used to monitor network activity. There is no one working with this supplicant, so it goes inactive.
    What we see in our ISE log is the supplicant trying to reauthenticate itself every 4 to 10 minutes. It goes on like this the whole day. We don't want this continuous behaviour after all.
    Switch port configuration looks like this:
    interface FastEthernet0/31
    description 802.1x Poort
    switchport access vlan xxx
    switchport mode access
    switchport nonegotiate
    switchport voice vlan xxx
    no logging event link-status
    priority-queue out
    authentication control-direction in
    authentication host-mode multi-domain
    authentication order mab dot1x
    authentication priority dot1x mab
    authentication port-control auto
    authentication timer inactivity 120
    mab
    no snmp trap link-status
    dot1x pae authenticator
    dot1x timeout quiet-period 300
    dot1x timeout tx-period 10
    dot1x timeout supp-timeout 300
    dot1x max-reauth-req 3
    dot1x timeout held-period 300
    dot1x timeout auth-period 3
    no mdix auto
    storm-control broadcast level 10.00
    storm-control multicast level 10.00
    no cdp enable
    spanning-tree portfast
    service-policy input xxxx
    end
    Has anyone got this same issue? Is this normal behaviour of an idle supplicant, or another issue around ISE/switch? Is there any switch configuration we are missing to get rid of this behaviour?
    ISE Version: 1.2.0.899
    Patch Information: 5,6,8
    Help would be much appreciated

    Hi Jan,
    Thank you for your reply. Indeed those timer values were not covered in the ISE design guide. We had implemented these timers to tweak the standard design. However, we have finally discovered the solution for this issue.
    "authentication timer inactivity 120" was the root cause of the issue. So when a workstation goes idle, ISE tries to re-authenticate after 2 minutes because of this switch port configuration.
    We tried expanding the timer to 3600 and it worked; issue fixed. But you will then have the same result every hour (not a big issue).
    And yes, we have deleted all those timer values to keep the configuration as simple as possible. Now we don't have the issue anymore.

  • ISE 1.2, Supplicant configured for 802.1x but need to MAB

    I posted this yesterday but deleted the thread thinking I had fixed the issue - alas I was wrong. In summary I have a scenario where I am doing wired 802.1x and also wired MAB/CWA. The issue is that a certain number of external/BYOD hosts have supplicants configured for 802.1x at their "home" organisations which for obvious reasons can't authenticate on this network. The idea is that MAB and CWA become a fallback but these hosts in question don't efficiently fail to MAB.
    If the host has validate server certificates enabled (and doesn't have our root selected) then 802.1x fails and goes to MAB as per the tx timers etc. Hosts that don't validate certificates essentially fail authentication, abandon the EAP session and start new... this process seems to continue for a very long time.
    Does anyone have any similar experiences, and if so can you provide some info? I am looking into tweaking 802.1x port timers to make this fail quicker/better but am not confident this will fix the issue.
    Thanks in advance

    Maybe the held-period and quiet-period parameters would help. I would not change the TX period to anything shorter than 10 seconds. Every Cisco doc that I have ever seen has said this same recommendation, and I can tell you from experience you will have devices at times that will authenticate via MAB when you don't want them to if you decrease it lower than 10 seconds.
    Read this doc for best practices including the timers listed below.
    I hope this link works.  http://d2zmdbbm9feqrf.cloudfront.net/2014/eur/pdf/BRKSEC-3698.pdf
    If not, go to www.ciscolive365.com (sign up if you haven't already) and search for
    "BRKSEC-3698 - Advanced ISE and Secure Access Deployment (2014 Milan) - 2 Hours"
    Change the dot1x hold, quiet, and ratelimit-period to 300. 
    held-period seconds
    Configures the time, in seconds for which a supplicant will stay in the HELD state (that is, the length of time it will wait before trying to send the credentials again after a failed attempt). The range is from 1 to 65535. The default is 60.
    quiet-period seconds
    Configures the time, in seconds, that the authenticator (server) remains quiet (in the HELD state)
    following a failed authentication exchange before trying to reauthenticate the client. For all platforms except the Cisco 7600 series Switch, the range is from 1 to 65535. The default is 120.
    ratelimit-period seconds
    Throttles the EAP-START packets that are sent from misbehaving client PCs (for example, PCs that send EAP-START packets that result in the wasting of switch processing power). The authenticator ignores EAPOL-Start packets from clients that have successfully authenticated for the rate-limit period duration. The range is from 1 to 65535. By default, rate limiting is disabled.
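The two threads above (the idle supplicant that re-authenticated every few minutes, and the foreign supplicants that would not fall back to MAB) both come down to reading the dot1x timers on a port. The following is an added example, not code from the original posts or from Cisco: it parses the timers out of an IOS interface stanza and derives the 802.1X-to-MAB fallback time for a host that never answers EAP-Request/Identity, using the relation Cisco documents for that case, tx-period × (max-reauth-req + 1). The posted interface configuration (trimmed) is used as sample input; the "aggressive" stanza, the IOS default values and the review wording are my own assumptions.

```python
# Added example, not from the original threads or from Cisco: parse the
# dot1x/authentication timers from an IOS interface configuration and derive
# what they mean for a host that does not complete 802.1X.
# Fallback for a silent host = tx-period * (max-reauth-req + 1): the first
# EAP-Request/Identity plus max-reauth-req retransmissions, then MAB.
# POSTED_CONFIG is trimmed from the inactivity thread above; AGGRESSIVE_CONFIG
# and the DEFAULTS values are assumptions for illustration.
import re

# IOS defaults assumed when the interface carries no explicit value.
DEFAULTS = {"tx-period": 30, "max-reauth-req": 2}

TIMEOUT_RE = re.compile(
    r"^dot1x timeout (tx-period|quiet-period|supp-timeout|held-period|"
    r"auth-period|ratelimit-period) (\d+)$")
REAUTH_RE = re.compile(r"^dot1x max-reauth-req (\d+)$")
INACTIVITY_RE = re.compile(r"^authentication timer inactivity (\d+)$")


def parse_dot1x_timers(interface_config):
    """Return a dict of timer name -> seconds for one interface stanza."""
    timers = dict(DEFAULTS)
    for raw in interface_config.splitlines():
        line = raw.strip()
        if m := TIMEOUT_RE.match(line):
            timers[m.group(1)] = int(m.group(2))
        elif m := REAUTH_RE.match(line):
            timers["max-reauth-req"] = int(m.group(1))
        elif m := INACTIVITY_RE.match(line):
            timers["inactivity"] = int(m.group(1))
    return timers


def mab_fallback_seconds(timers):
    """Seconds a silent host waits before the switch gives up on 802.1X and tries MAB."""
    return timers["tx-period"] * (timers["max-reauth-req"] + 1)


def review(timers):
    """Findings a deployer would want to see before rolling the port config out."""
    findings = []
    if timers["tx-period"] < 10:
        findings.append(
            "tx-period %d s is below 10 s: slow supplicants may be put through MAB "
            "before they answer" % timers["tx-period"])
    if "inactivity" in timers:
        findings.append(
            "inactivity timer %d s: an idle host is cleared and re-authenticates "
            "that often" % timers["inactivity"])
    return findings


POSTED_CONFIG = """
interface FastEthernet0/31
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication timer inactivity 120
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 300
 dot1x timeout tx-period 10
 dot1x timeout supp-timeout 300
 dot1x max-reauth-req 3
 dot1x timeout held-period 300
 dot1x timeout auth-period 3
"""

# Constructed: the kind of setting the reply warns against (tx-period under 10 s).
AGGRESSIVE_CONFIG = """
interface FastEthernet0/32
 dot1x timeout tx-period 5
 dot1x max-reauth-req 1
"""

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("aggressive", AGGRESSIVE_CONFIG)):
        t = parse_dot1x_timers(cfg)
        print(name, "-> MAB fallback after", mab_fallback_seconds(t), "s")
        for finding in review(t):
            print("  !", finding)
```

With the posted values (tx-period 10, max-reauth-req 3) a silent host reaches MAB after 40 s, against 90 s with the defaults; the inactivity timer shows up as its own finding because, as the thread found, it is what drove the periodic re-authentication. A supplicant that answers but then fails, as in the BYOD case, is governed by held-period and quiet-period instead, which this calculation does not cover.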

  • Cisco ISE - EAP-TLS - Machine / User Authentication - Multiple Certificate Authentication Profiles (CAP)

    Hello,
    I'm trying to do machine and user authentication using EAP-TLS and digital certificates.  Machines have certificates where the Principal Username is SAN:DNS, user certificates (smartcards) use SAN:Other Name as the Principal Username.
    In ISE, I can define multiple Certificate Authentication Profiles (CAP).  For example CAP1 (Machine) - SAN:DNS, CAP2 (User) - SAN:Other Name
    Problem is how do you specify ISE to check both in the Authentication Policy?  The Identity Store Sequence only accepts one CAP, so if I created an authentication policy for Dot1x to check CAP1 -> AD -> Internal, it will match the machine cert, but fail on user cert.  
    Any way to resolve this?
    Thanks,
    Steve

    You need to use the AnyConnect NAM supplicant on your windows machines, and use the feature called eap-chaining for that, windows own supplicant won't work.
    an example (uses user/pass though, but same concept)
    http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

  • Wired Dot1x and forcing machine auth on windows

    I've got wired dot1x authentication working ok. the ACS server backs off to a windows domain so machine level authentication works fine. However I can't see a way of forcing windows to only ever do machine authentication. Has anyone else looked at this? I could enable the option on the ACS server to require a previous machine auth before it accepts a user auth but it can only cache this for a limited amount of time. The only way to get a machine auth is for there not to be a user logged on at the time. If we accept user auth then any user can bring their own machine onto the network but we this is what we want to stop and only allow bank standard (i.e. domain members) machines on the network.
    cheers
    Mike

    Right, you need AuthMode = 2.
    If only allowing domain members onto the network is the primary goal, then you may also want to consider:
    * The Machine Access Restriction feature on ACS (what you referred to before as a cache, but does help for mitigation of this threat).
    * Denying dial-in permissions on user accounts (but this may break other things you may be using for remote access).
    Example: If someone brought in their PC from home with virtually any supplicant on it, they're on the network as long as their NT credentials check out (whether machine-auth fails or not, because remember they can configure their own supplicant).
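Both the opening question (ISE permitting user login only after the machine "WasAuthenticated") and this ACS thread describe the same mechanism: the RADIUS server caches which MACs performed a machine authentication and only accepts a later user authentication from a MAC that is still in that cache. The following is an added example, not code from the original posts, from Cisco or from Microsoft: a toy model of that cache, with the supplicant behaviour modelled as the replies describe it (one machine authentication at boot, then only user credentials until the next reboot). The identities, MACs, timestamps and the aging window are constructed for illustration.

```python
# Added example, not from the original threads or from Cisco/Microsoft: a toy
# model of the 'machine was authenticated' (Machine Access Restriction) check.
# The server records the calling-station MAC of each successful machine
# authentication; a *user* authentication from that MAC is permitted only while
# the entry is still within the aging window. Identities, MACs, times and the
# aging window below are constructed.

MAR_AGING_SECONDS = 6 * 3600     # assumed cache lifetime (the ACS/ISE aging time)


class MachineAuthCache:
    """Maps calling-station MAC -> timestamp of its last machine authentication."""

    def __init__(self, aging_seconds):
        self.aging_seconds = aging_seconds
        self._last_machine_auth = {}

    def record(self, mac, now):
        self._last_machine_auth[mac.lower()] = now

    def was_authenticated(self, mac, now):
        t = self._last_machine_auth.get(mac.lower())
        return t is not None and (now - t) <= self.aging_seconds


def is_machine_identity(identity):
    # Windows supplicants present the computer account as host/<fqdn>.
    return identity.lower().startswith("host/")


def authorize(cache, mac, identity, now, creds_valid=True):
    """Decision for one authentication request.

    creds_valid stands in for the credential check against AD; the point of the
    example is the ordering constraint, not password verification.
    """
    if not creds_valid:
        return "reject: bad credentials"
    if is_machine_identity(identity):
        cache.record(mac, now)
        return "permit: machine"
    if cache.was_authenticated(mac, now):
        return "permit: user (machine was authenticated)"
    return "reject: user auth without prior machine auth"


def simulate(events, aging_seconds=MAR_AGING_SECONDS):
    """events: iterable of (time_seconds, mac, identity), in order. Returns decisions."""
    cache = MachineAuthCache(aging_seconds)
    return [authorize(cache, mac, ident, t) for t, mac, ident in events]


# Constructed sequence: boot-time machine auth, the user logon, a home PC whose
# supplicant never sends a machine identity, and a re-authentication hours later
# in the same boot session (so only user credentials are sent, and the cache
# entry has aged out).
SAMPLE_EVENTS = [
    (0,                       "00:11:22:33:44:55", "host/pc1.example.local"),
    (60,                      "00:11:22:33:44:55", "EXAMPLE\\alice"),
    (90,                      "66:77:88:99:aa:bb", "EXAMPLE\\bob"),
    (MAR_AGING_SECONDS + 300, "00:11:22:33:44:55", "EXAMPLE\\alice"),
]

if __name__ == "__main__":
    for (t, mac, ident), decision in zip(SAMPLE_EVENTS, simulate(SAMPLE_EVENTS)):
        print(f"t={t:>6}s {mac} {ident:<26} -> {decision}")
```

The last event is the failure mode both replies warn about: nothing is wrong with the user's credentials, but because the supplicant will not send the machine identity again until a reboot, the aged-out cache entry turns into a reject that only a reboot clears. That is why the replies point at EAP chaining (AnyConnect NAM) or a pure machine-authentication policy rather than relying on this cache.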

  • 802.1x Windows XP Supplicant

    Hello,
    I have been recently trying to get the built in Windows XP supplicant to function in the following way: using EAPOL-MSCHAPv2 with Username/Password/Domain credentials at the Windows login screen. No certificates, just a pre-shared key between the RADIUS server and the applicant switch. It does not seem to work though... does anyone have experience configuring 802.1x in a similar fashion?
    Your input would be immensely appreciated, thank you!
    Steve

    A few questions regarding your setup:
    1. Need AAA configuration for the switch
    2. Have you established that requests from XP client is getting to the ACS?
    3. What is the failure reason in ACS logs?
    With this information, further guidance can be provided.

  • Is LDAP or AD as a external identity store recommended in ISE implementation for machine authentication

    Hi Experts,
    I have question about External identity store integration in ISE . I had chance to go through the cisco doc for ISE configuration especially for external identity store .
    there are two ways to configure external identity store.
    1) AD
    2) LDAP
    Which one is actually recommended? Technically, which one would be convenient to configure to set up machine authentication? Do we have any limitation in terms of functionality in either one?

    Hi Leo,
    It's not a duplicate post; I have created one more post, where you have linked, that is for client policy enforcement. I want to understand how certificates will be pushed to the client.
    This post is to understand the LDAP & AD integration with ISE.
    I have a requirement where the client is asking to integrate the machine database using LDAP.
    I am quite new to LDAP integration; that is the reason I have created this discussion.

  • ISE- PEAP- LDAP

    Hello All,
    In ISE we tried adding active directory but it failed (ISE & AD Integration). Still there was another option in ISE like LDAP and we added the identity stores.
    Now with the below security feature,a client can get authentication through LDAP.
    L2 Security-WPA2
    Encryption-AES
    Auth method-PEAP(EAP-MSCHAP V2)
    When i tried connecting i am getting error like "Current Identity store does not support this type" in the ISE.
    Does LDAP in ISE have to be replaced with Active Directory...?
    Any quick help will be appreciated

    IMO Cisco ISE does very poor integration with LDAP while it supports Active Directory very well. This is a big shortage on ISE as in our environment LDAP is more widely used than our Active Directory.
    Basically, you can not use EAP kind authentication on supplicant while your ISE uses LDAP as external identity store. Cisco officially says it only support EAP-GTC and PAP with LDAP. EAP-TLS has nothing to do with LDAP at authentication stage as the supplicant and ISE itself need to trust each other.
    We also spent a lot of time on central administrator authentication with LDAP with ISE local authorisation as we do not have the group attributes in our LDAP ISE wants for the administrators, and it turns out that ISE simply does not support it.

  • Windows AD SSO Configuration using Vintela

    Hi All
    We are doing a BOE XIR3.1 deployment with 4 machines, Weblogic 9.2 as the Application server, and oracle DB as the CMS and Audit Database, we plan to do the CMS clustering too.
    BO1 used as CMS1 machine
    BO2 used as CMS2 machine
    BO3 used as BO clustering
    WL used as the Weblogic machine for the Web-tier part.
    We also plan to have the Windows AD SSO configuration done, as discussed we will be having 3 SIA nodes, SIA1 on the BO1 machine, SIA2 on the BO2 (CMS cluster machine) and SIA3 on the BO3 machine (here all server components will be installed except the CMS and the 'Web Appl container server').
    During the SSO configuration, should the SIA1, SIA2 and the SIA3 be run under the server account?
    I.e. in the properties of SIA, under the 'Log on as' section, will be using the DOMAIN\<service account>. Does this need to be done for all 3 SIAs ... SIA1, SIA2 and SIA3?
    - Thanks
    Ranjit

    It only needs to be done where there is a CMS (per your scenario SIA1 & 2).
    [Section 1|https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d0f6ac3c-b3ac-2b10-1b95-c9bd46194977] of my doc details planning your service account(s)
    Regards,
    Tim

  • A alert for compute is being investigated. Configuration changes to Virtual Machines (IaaS), such as adding or removing a disk or an endpoint may cause reboots.

    I receive the following alert from Windows Azure; Any clue what does this mean?
    Time: 3/26/2014 7:37:33 PM
    TITLE : compute : Advisory
    SUBSCRIPTION ID: Not Available
    DESCRIPTION: A alert for compute is being investigated. Configuration changes to Virtual Machines (IaaS), such as adding or removing a disk or an endpoint may cause reboots.

    This issue correlates with an issue you might see at the Windows Azure Service Dashboard:http://www.windowsazure.com/en-us/support/service-dashboard/
    See below a paste from that page from the period of your alert. Friendly Azure is piping you a courtesy notification via your event log!
    Compute : Advisory [East US, North Central US, South Central US, West US]
    26 Mar 2014  1:29 AM UTC
    A alert for compute is being investigated. Configuration changes to Virtual Machines (IaaS), such as adding or removing a disk or an endpoint may cause reboots.
    John Joyner MVP-SC-CDM

  • Supplicant sent malformed PEAP message - bad record MAC

    Hi all,
    A specific kind of endpoint, a device called Raspberry Pi, is unable to connect or keep connected to our wireless network, and the message generated by ISE is: Supplicant sent malformed PEAP message - bad record MAC
    The WLAN accepts AES and TKIP and both have been tested.
    I got some logs from the WLC. Hope someone out there could help me.
    *dot1xMsgTask: Aug 27 20:26:40.673: 00:e7:a6:56:86:8c dot1x - moving mobile 00:e7:a6:56:86:8c into Connecting state
    *dot1xMsgTask: Aug 27 20:26:40.673: 00:e7:a6:56:86:8c Sending EAP-Request/Identity to mobile 00:e7:a6:56:86:8c (EAP Id 1)
    *Dot1x_NW_MsgTask_4: Aug 27 20:26:40.699: 00:e7:a6:56:86:8c Received EAPOL EAPPKT from mobile 00:e7:a6:56:86:8c
    *Dot1x_NW_MsgTask_4: Aug 27 20:26:40.699: 00:e7:a6:56:86:8c Received Identity Response (count=1) from mobile 00:e7:a6:56:86:8c
    *Dot1x_NW_MsgTask_4: Aug 27 20:26:40.699: 00:e7:a6:56:86:8c EAP State update from Connecting to Authenticating for mobile 00:e7:a6:56:86:8c
    *Dot1x_NW_MsgTask_4: Aug 27 20:26:40.699: 00:e7:a6:56:86:8c dot1x - moving mobile 00:e7:a6:56:86:8c into Authenticating state
    *Dot1x_NW_MsgTask_4: Aug 27 20:26:40.699: 00:e7:a6:56:86:8c Entering Backend Auth Response state for mobile 00:e7:a6:56:86:8c
    *Dot1x_NW_MsgTask_4: Aug 27 20:26:40.700: 00:e7:a6:56:86:8c Received EAPOL EAPPKT from mobile 00:e7:a6:56:86:8c
    *Dot1x_NW_MsgTask_4: Aug 27 20:26:40.700: 00:e7:a6:56:86:8c Received Duplicate EAP Response Identity packet with eapid=1 from mobile 00:e7:a6:56:86:8c
    *Dot1x_NW_MsgTask_4: Aug 27 20:26:40.702: 00:e7:a6:56:86:8c Received EAPOL EAPPKT from mobile 00:e7:a6:56:86:8c
    *Dot1x_NW_MsgTask_4: Aug 27 20:26:40.702: 00:e7:a6:56:86:8c Received Duplicate EAP Response Identity packet with eapid=1 from mobile 00:e7:a6:56:86:8c
    *Dot1x_NW_MsgTask_4: Aug 27 20:26:40.726: 00:e7:a6:56:86:8c Processing Access-Reject for mobile 00:e7:a6:56:86:8c
    *Dot1x_NW_MsgTask_4: Aug 27 20:26:40.726: 00:e7:a6:56:86:8c Removing PMK cache due to EAP-Failure for mobile 00:e7:a6:56:86:8c (EAP Id -1)
    *Dot1x_NW_MsgTask_4: Aug 27 20:26:40.726: 00:e7:a6:56:86:8c Sending EAP-Failure to mobile 00:e7:a6:56:86:8c (EAP Id -1)
    *Dot1x_NW_MsgTask_4: Aug 27 20:26:40.726: 00:e7:a6:56:86:8c Entering Backend Auth Failure state (id=-1) for mobile 00:e7:a6:56:86:8c
    *Dot1x_NW_MsgTask_4: Aug 27 20:26:40.726: 00:e7:a6:56:86:8c Setting quiet timer for 5 seconds for mobile 00:e7:a6:56:86:8c

    Hi,
    Thank you for your response!
    Do you mean that there's something wrong with some version of the 'iaik_ssl.jar' ?
    How do I determine which version we're running and what version is 'the older' version of the iaik_ssl.jar ?
    Regards
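The WLC debug lines posted above are easier to reason about once they are reduced to a per-client timeline: which dot1x states the client reached, how many Identity Responses it sent (including duplicates with the same EAP id), what the RADIUS server answered and how long the whole exchange took. The following is an added example, not code from the original post or from Cisco: a parser for exactly that line format, run over the posted log as sample input. The summary field names are my own. Note that the "bad record MAC" text is an ISE-side message and does not appear in the WLC output; what the WLC log shows is only that the server answered Access-Reject within about 50 ms of the identity exchange.

```python
# Added example, not from the original post or from Cisco: summarise WLC
# 'debug dot1x' output per client MAC. POSTED_LOG is the log from the post
# above, copied verbatim; the summary keys are my own.
import re
from collections import OrderedDict
from datetime import datetime

LINE_RE = re.compile(
    r"^\*(?P<task>[^:]+): (?P<ts>[A-Za-z]{3} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d+): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$")
STATE_RE = re.compile(r"moving mobile \S+ into (\w+) state")
RESULT_RE = re.compile(r"Processing (Access-\w+)")
QUIET_RE = re.compile(r"Setting quiet timer for (\d+) seconds")


def _parse_ts(ts):
    # WLC timestamps carry no year; strptime fills in 1900, which is fine for deltas.
    return datetime.strptime(ts, "%b %d %H:%M:%S.%f")


def summarize(log_text):
    """Return an ordered {mac: summary} for every client seen in the debug output."""
    clients = OrderedDict()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # not a per-client dot1x line
        mac, msg, ts = m.group("mac"), m.group("msg"), _parse_ts(m.group("ts"))
        c = clients.setdefault(mac, {
            "states": [], "identity_responses": 0,
            "duplicate_identity_responses": 0, "result": None,
            "eap_failure_sent": False, "quiet_timer": None,
            "first": ts, "last": ts})
        c["last"] = ts
        if s := STATE_RE.search(msg):
            c["states"].append(s.group(1))
        elif "Received Duplicate EAP Response Identity" in msg:
            c["duplicate_identity_responses"] += 1
        elif "Received Identity Response" in msg:
            c["identity_responses"] += 1
        elif r := RESULT_RE.search(msg):
            c["result"] = r.group(1)
        elif "Sending EAP-Failure" in msg:
            c["eap_failure_sent"] = True
        elif q := QUIET_RE.search(msg):
            c["quiet_timer"] = int(q.group(1))
    for c in clients.values():
        d = c["last"] - c["first"]
        c["elapsed_ms"] = d.seconds * 1000 + d.microseconds // 1000
    return clients


POSTED_LOG = """
*dot1xMsgTask: Aug 27 20:26:40.673: 00:e7:a6:56:86:8c dot1x - moving mobile 00:e7:a6:56:86:8c into Connecting state
*dot1xMsgTask: Aug 27 20:26:40.673: 00:e7:a6:56:86:8c Sending EAP-Request/Identity to mobile 00:e7:a6:56:86:8c (EAP Id 1)
*Dot1x_NW_MsgTask_4: Aug 27 20:26:40.699: 00:e7:a6:56:86:8c Received EAPOL EAPPKT from mobile 00:e7:a6:56:86:8c
*Dot1x_NW_MsgTask_4: Aug 27 20:26:40.699: 00:e7:a6:56:86:8c Received Identity Response (count=1) from mobile 00:e7:a6:56:86:8c
*Dot1x_NW_MsgTask_4: Aug 27 20:26:40.699: 00:e7:a6:56:86:8c EAP State update from Connecting to Authenticating for mobile 00:e7:a6:56:86:8c
*Dot1x_NW_MsgTask_4: Aug 27 20:26:40.699: 00:e7:a6:56:86:8c dot1x - moving mobile 00:e7:a6:56:86:8c into Authenticating state
*Dot1x_NW_MsgTask_4: Aug 27 20:26:40.699: 00:e7:a6:56:86:8c Entering Backend Auth Response state for mobile 00:e7:a6:56:86:8c
*Dot1x_NW_MsgTask_4: Aug 27 20:26:40.700: 00:e7:a6:56:86:8c Received EAPOL EAPPKT from mobile 00:e7:a6:56:86:8c
*Dot1x_NW_MsgTask_4: Aug 27 20:26:40.700: 00:e7:a6:56:86:8c Received Duplicate EAP Response Identity packet with eapid=1 from mobile 00:e7:a6:56:86:8c
*Dot1x_NW_MsgTask_4: Aug 27 20:26:40.702: 00:e7:a6:56:86:8c Received EAPOL EAPPKT from mobile 00:e7:a6:56:86:8c
*Dot1x_NW_MsgTask_4: Aug 27 20:26:40.702: 00:e7:a6:56:86:8c Received Duplicate EAP Response Identity packet with eapid=1 from mobile 00:e7:a6:56:86:8c
*Dot1x_NW_MsgTask_4: Aug 27 20:26:40.726: 00:e7:a6:56:86:8c Processing Access-Reject for mobile 00:e7:a6:56:86:8c
*Dot1x_NW_MsgTask_4: Aug 27 20:26:40.726: 00:e7:a6:56:86:8c Removing PMK cache due to EAP-Failure for mobile 00:e7:a6:56:86:8c (EAP Id -1)
*Dot1x_NW_MsgTask_4: Aug 27 20:26:40.726: 00:e7:a6:56:86:8c Sending EAP-Failure to mobile 00:e7:a6:56:86:8c (EAP Id -1)
*Dot1x_NW_MsgTask_4: Aug 27 20:26:40.726: 00:e7:a6:56:86:8c Entering Backend Auth Failure state (id=-1) for mobile 00:e7:a6:56:86:8c
*Dot1x_NW_MsgTask_4: Aug 27 20:26:40.726: 00:e7:a6:56:86:8c Setting quiet timer for 5 seconds for mobile 00:e7:a6:56:86:8c
"""

if __name__ == "__main__":
    for mac, c in summarize(POSTED_LOG).items():
        print(mac, {k: v for k, v in c.items() if k not in ("first", "last")})
```

For the posted client the summary is Connecting then Authenticating, one Identity Response plus two duplicates with the same EAP id, Access-Reject, EAP-Failure sent, a 5 second quiet timer and 53 ms end to end. The duplicate identity responses are worth noting when chasing a PEAP interop problem on an unusual supplicant such as the one in the post, since they show the client retransmitting before the server had replied.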

  • WIndows 7 64-bit system printing to a Windows 2000 server configured as a print server

    Is there any way to configure a new Windows 7 64-bit computer to use a Windows 2000 server configured as a print server ?
    The printer that I would like to connect to is an HP 4240n LaserJet. It appears that there is only a 64-bit Universal Print Driver available. The server currently uses HP 32-bit PCL5e or PCL6 drivers for all other connected computers. Connection is through a Hewlett-Packard Network Port, using DLC/LLC transport for the embedded 4240n print server.
    Installing the HP 64-bit UPD on the Windows 7 64-bit system, and then attempting to redirect the local port to the Win2k network print server, has not worked.
    Thanks for any advice.

    Hi:
    See if this works...
    Run msconfig.
    In the System Configuration screen, Boot tab, Advanced Options, if there is a check mark in the box next to Maximum memory. Remove that checkmark and save your changes.
    Reboot and hopefully Windows recognises all the Ram ( minus the reserved ) after restarting.
    Please give that a try, and post back and let us know if that frees up some system memory for you.
    Paul

  • How to use airport time capsule on a dell portable pc with windows 7 taking in consideration that Time machine doesn't run with Windows ?

    how to use airport time capsule on a dell portable pc with windows 7 taking in consideration that time machine doesn't run with Windows ?

    TM does not work like that.
    If you want files to use later.. do not use TM.
    Or do not use TM to the same location. Plug a USB drive into the computer and use that as the target for the permanent backup.
    Read some details of how TM works so you understand what it will do.
    http://pondini.org/TM/Works.html
    Use a clone or different software for a permanent backup.
    http://pondini.org/TM/Clones.html
    How to use TC
    http://pondini.org/TM/Time_Capsule.html
    This is helpful.. particularly Q3.
    Why you don't want to use TM.
    Q20 here. http://pondini.org/TM/FAQ.html
