SEC0045 - ISE 1.1 Wired 802.1X and Machine Authentication with EAP-TLS


The video walks you through the configuration of wired 802.1X using EAP-TLS on Cisco ISE. We will look at how to configure authentication and authorization policies to support both user and machine authentication, how to restrict network access with a DACL, and how to use Machine Access Restriction (MAR) to correlate user and machine sessions so that a user can access the network only from a domain (corporate) computer. We will perform testing from both domain and non-domain computers and observe the authentication results.

Topic:
  • Certificate Profile (Common Name)
  • Identity Source Sequence
  • User and Machine Authentication with EAP-TLS
  • Policy Element Condition
    • Authorization (Compound Condition)
  • Policy Element Result
    • Authentication (Allowed Protocol)
    • Authorization (Downloadable ACL)
    • Authorization (Authorization Profile)
  • Authentication Policy
  • Authorization Policy
Note:
  • EAP-TLS is certificate-based authentication.
  • With EAP-TLS, a client certificate is required, and the server's root CA certificate must be trusted by the client, or server certificate validation must be disabled on the client supplicant.
  • User and machine certificates should not be exportable; otherwise the security can be circumvented.
  • Machine authentication only happens at the Windows login.
  • An account log-off or machine reboot may be required to force machine authentication.

19 comments

May I know how to activate the EAP-TLS protocol?
I enabled IEEE 802.1X authentication and use EAP (PEAP),
but after restarting the client machine, at the login page I see the log messages always show DenyAccess.
I selected the Validate Server Certificate box; do I need to select the "Connect to these servers" box?
If I select the "Connect to these servers" box, is the IP address to enter that of the CA server or the ISE server?
Thanks~

On the Windows client, you need to choose "Smartcard or other certificate", and unless you already have the root CA certificate installed and trusted, you need to make sure "Validate server certificate" is unchecked. You also need to make sure the client certificate has already been installed.


If you find our website helpful, please help support us by sharing our links, recommend website to friends, like our Facebook, Subscribe our YouTube channel, follow us on Twitter

good video. cheers.

Hope you enjoy our videos.



In your example, you used users "employee1" and "admin1".

However, the authorization breaks when you use both first and last names, e.g. "John Doe". The cert CN would be "C = John Doe" in this case. Apparently AD is not able to identify "John Doe" as a member of Domain Users.

Can you try this out?

On ISE, if you configure Certificate Profile to use CN as username, ISE will look for "John Doe", as a username and not first and lastname, in AD, and unless you have a username "John Doe", authorization will fail since AD will not be able to find that user. Any reason why you use First/Lastname for CN and not the username?



I have a Windows Server 2008 CA User and Computer Cert Auto-Enrollment setup in a similar fashion.

If you look closely at the user template, the Subject name format is "Fully distinguished name". You could also opt to use "Common Name". Both will result in the CN = First/Lastname.

I looked into this and I think I know what you mean now. It seems that by default the CA server uses the user's full name (Firstname Lastname) as the CN, and when ISE tries to authorize with AD, AD cannot find the user. What you need is to make sure the CN corresponds to the username, and a quick fix, as far as I can see, would be renaming the user's full name in AD to the username. I am not sure if there is a better way of doing this on AD, especially if you have to deal with a large number of users. If you find anything, feel free to share.



I may have a fix for this, since I also found this problem.

As per earlier LabMinute videos, ensure the user certificate being auto-enrolled has the following Subject Name settings:
FQDN
Include e-mail name in subject name.
Include:
Email name
UPN
SPN

On the AD user ensure the e-mail field is populated on the General Tab.

On ISE do the following.

External Ident Source - Cert Auth Profile - Add

Name: LAB_CERT_Sub_Alt_Name
Principal User X509 Attrib: Subject Alternative Name

Now click Active Directory - Attributes.
I added the following, but I suspect only the first one is req'd:

userPrincipalName
sAMAccountName
cn

Tie the LAB_CERT_Sub_Alt_Name to an identity source sequence, which is subsequently used in your authentication policies.

When the wireless device submits the username and certificate, ISE will present the "Username" as user@lab.domain.tld, from the certificate, which AD is able to match.

Hope this helps.

Update on my post above.

I noticed this actually broke machine authentication, since AD can't match machine@domain.tld.

The solution to this is to have a separate Cert Auth Profile which checks on X509 Common Name.

Reference this in a separate Ident Source Sequence.

Now duplicate the Auth Compound Condition, Wireless_802.1X and name it Wireless_802.1X_Device. Add the following attribute/pair:
Radius:User-Name Starts with Host

Duplicate above the authentication policy LAB-WLAN-DOT1X rename LAB-WLAN-DOT1X-DEVICE, and reference condition and identity source created above.

I have a work-around for this issue. In the ISE Certificate Authentication Profile, Principal Username X509 Attribute choose : subject Alternative Name.

If you choose the common name, the ISE log shows that the common name cannot be found in AD.
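The CN-versus-SAN lookup failure worked through in the comments above, modelled as an added example (Python written for this page, not code from Lab Minutes or from Cisco ISE). The AD objects, the parsed certificates and the lookup rules are constructed, simplified assumptions; the machine certificate's SAN is constructed to reproduce the "machine@domain.tld" value the commenter reports.

```python
# Constructed AD objects (not real accounts), keyed by sAMAccountName
AD_USERS = {"jdoe": {"userPrincipalName": "jdoe@lab.domain.tld",
                     "groups": {"Domain Users"}}}
AD_COMPUTERS = {"pc01$": {"dNSHostName": "pc01.lab.domain.tld",
                          "groups": {"Domain Computers"}}}

# Constructed certificates, already parsed: the auto-enrolled user cert carries
# the full name in CN and the UPN in the SAN; the machine cert carries the FQDN
# in CN and a SAN that ISE presents as machine@domain, as the comment reports
USER_CERT = {"cn": "John Doe", "san": ["jdoe@lab.domain.tld"]}
MACHINE_CERT = {"cn": "pc01.lab.domain.tld", "san": ["pc01@lab.domain.tld"]}


def principal_username(cert, x509_attribute):
    """Model of the Certificate Authentication Profile setting
    'Principal Username X509 Attribute' (Common Name or Subject Alternative Name)."""
    if x509_attribute == "Common Name":
        return cert["cn"]
    if x509_attribute == "Subject Alternative Name":
        return cert["san"][0]
    raise ValueError(f"unsupported attribute {x509_attribute!r}")


def ad_groups(principal):
    """Modelled AD lookup: users resolve by sAMAccountName or UPN, computers by
    sAMAccountName (host$) or dNSHostName. A display name like 'John Doe' is
    not a logon identifier, so AD finds nothing and group conditions fail."""
    key = principal.lower()
    for sam, user in AD_USERS.items():
        if key in (sam, user["userPrincipalName"].lower()):
            return user["groups"]
    for sam, computer in AD_COMPUTERS.items():
        if key in (sam, computer["dNSHostName"].lower()):
            return computer["groups"]
    return None


def select_cert_profile(radius_username):
    """The split the comments settle on: Windows machine auth sends User-Name
    'host/<fqdn>', so those requests use a CN profile; user requests use SAN."""
    return "Common Name" if radius_username.startswith("host/") else "Subject Alternative Name"


def authorize(radius_username, cert, x509_attribute=None):
    """Return the AD groups available to authorization, or None on lookup failure."""
    attribute = x509_attribute or select_cert_profile(radius_username)
    return ad_groups(principal_username(cert, attribute))
```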

I've figured an alternative to check for WasMachineAuthenticated and still use certificates.

For corporate devices (using GPO), modify authentication to use a PEAP tunnel (PEAP outer, EAP-TLS inner). For BYOD corporate users, simply use EAP-TLS.

This way we can identify the authentication flow.

So my authz policies look like this:

LAB-WIRED-MACHINE # PEAP Tunnel (see below)
LAB-WIRED-BLACKLIST
LAB-WIRED-USER # corporate user, PEAP Tunnel (see below)
...
LAB-WIRED-BYOD # corporate user with personal device, uses EAP-TLS (see below).

The authz compound condition for LAB-WIRED-MACHINE is this:

Radius:Service-Type EQUALS Framed AND
Radius:NAS-Port-Type EQUALS Ethernet AND
AD1:ExternalGroups EQUALS lab2.domain.co.uk/Users/Domain Computers AND
Network Access:EapTunnel EQUALS PEAP AND
Network Access:EapAuthentication EQUALS EAP-TLS

The authz compound condition for LAB-WIRED-USER is this:

Radius:Service-Type EQUALS Framed AND
Radius:NAS-Port-Type EQUALS Ethernet AND
AD1:ExternalGroups EQUALS lab2.domain.co.uk/Users/Domain Users AND
Network Access:WasMachineAuthenticated EQUALS True AND
Network Access:EapTunnel EQUALS PEAP AND
Network Access:EapAuthentication EQUALS EAP-TLS

The authz compound condition for LAB-WIRED-BYOD is this:

AD1:ExternalGroups EQUALS lab2.domain.co.uk/LAB2/BYOD Users AND
DEVICE:Device Type EQUALS All Device Types#Switch AND
Network Access:EapAuthentication EQUALS EAP-TLS

On corporate machines, logging shows machine prior auth using PEAP(EAP-TLS)

Authentication Protocol : PEAP(EAP-TLS)
...
24422 ISE has confirmed previous successful machine authentication for user in Active Directory

And on BYOD machines, logging shows it falls through to LAB-WIRED-BYOD and can be given a different DACL or results, etc.

Authorization Policy Matched Rule: LAB-WIRED-BYOD
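The three authorization rules from the comment above, evaluated the way ISE evaluates a policy (top-down, first match wins), with WasMachineAuthenticated derived from a MAR cache. This is an added Python model written for this page, not code from Lab Minutes or from Cisco ISE; the session-attribute dictionary, the MAC addresses and the MarCache class are constructed assumptions.

```python
# Modelled authorization rules from the comment above, evaluated top-down with
# first match winning; each condition reads from a session-attribute dict
RULES = [
    ("LAB-WIRED-MACHINE", lambda s: s["Service-Type"] == "Framed"
        and s["NAS-Port-Type"] == "Ethernet"
        and "lab2.domain.co.uk/Users/Domain Computers" in s["ExternalGroups"]
        and s["EapTunnel"] == "PEAP" and s["EapAuthentication"] == "EAP-TLS"),
    ("LAB-WIRED-USER", lambda s: s["Service-Type"] == "Framed"
        and s["NAS-Port-Type"] == "Ethernet"
        and "lab2.domain.co.uk/Users/Domain Users" in s["ExternalGroups"]
        and s["WasMachineAuthenticated"]
        and s["EapTunnel"] == "PEAP" and s["EapAuthentication"] == "EAP-TLS"),
    ("LAB-WIRED-BYOD", lambda s: "lab2.domain.co.uk/LAB2/BYOD Users" in s["ExternalGroups"]
        and s["Device Type"] == "All Device Types#Switch"
        and s["EapAuthentication"] == "EAP-TLS"),
]


class MarCache:
    """Machine Access Restriction cache: MACs that completed machine auth on
    this node (the thread notes it is held per PSN, not replicated)."""
    def __init__(self):
        self.macs = set()


def evaluate(attrs, mar):
    """Derive WasMachineAuthenticated from the MAR cache, then return the first
    matching rule name, or 'Default' (DenyAccess in the lab) when none matches."""
    s = dict(attrs, WasMachineAuthenticated=attrs["MAC"] in mar.macs)
    for name, cond in RULES:
        if cond(s):
            if name == "LAB-WIRED-MACHINE":
                mar.macs.add(s["MAC"])  # a successful machine auth seeds the cache
            return name
    return "Default"


def session(**overrides):
    """Constructed wired 802.1X session attributes; overrides set the scenario."""
    s = {"Service-Type": "Framed", "NAS-Port-Type": "Ethernet",
         "Device Type": "All Device Types#Switch", "EapTunnel": None,
         "EapAuthentication": "EAP-TLS", "MAC": "00-11-22-33-44-55",
         "ExternalGroups": set()}
    s.update(overrides)
    return s
```

Running a domain user through before and after the machine auth on the same MAC shows why a user who logs on without a preceding machine auth lands on the Default rule.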

Hi,

I have watched all your ISE videos and they are really useful. I have completed the Wired 802.1X and Machine Authentication with PEAP lab and it was successful. I then followed the steps in your video Wired 802.1X and Machine Authentication with EAP-TLS, but I failed:

The testing PC has joined the domain and dot1x has been enabled as in your previous lab.
The testing PC has already installed the root CA certificate and got the computer certificate and user certificate from the root CA.
I have added the Certificate Authentication Profile on ISE and changed the sequence to Cert-AD-local.
The authorization compound condition matches the domain account, coming from the switch, and EAP authentication = TLS.

From the monitor section, I got the message for the machine authentication showing the RADIUS Status:
Authentication failed : 15039 Rejected per authorization profile, ISE chooses the default authorization policy and denies it.

In the detail step, it shows
…..
12816 TLS handshake succeeded
12509 EAP-TLS full handshake finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
…..
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - AD-ISE // I have already added the Certificate Authentication Profile and changed the sequence, but I don't know why it still uses the AD as DB
24431 Authenticating machine against Active Directory
24470 Machine authentication against Active Directory is successful
22037 Authentication Passed
……
12306 PEAP authentication succeeded
11503 Prepared EAP-Success
Evaluating Authorization Policy
15004 Matched rule
15016 Selected Authorization Profile - DenyAccess
15039 Rejected per authorization profile
11003 Returned RADIUS Access-Reject

It shows the host matches the default rules instead of my customized rules.
When I changed the compound condition to use PEAP, it succeeded.

The ISE version is 1.1.4. Could you help identify where the problem may come from?

Thanks a lot for your help!

Eric

Looks like your client is coming in as PEAP. Could you double check and make sure the client network profile has EAP-TLS (i.e. Smartcard or other certificate) chosen instead of PEAP?

Hi, I have the same problem. My supplicant is AnyConnect with the 802.1X configuration, certificate and EAP-TLS.

I did the test and have the same problem as above:

Logged At:

January 9,2014 2:55:18.268 PM
RADIUS Status:
Authentication failed : 15039 Rejected per authorization profile
NAS Failure:

Username:
maiquel mc. consalter
MAC/IP Address:
00:0C:29:D3:9F:CC
Network Device:
SW1 : 192.168.2.247 : FastEthernet0/12
Allowed Protocol:
LM-PEAP-TLS
Identity Store:

Authorization Profiles:

DenyAccess
SGA Security Group:

Authentication Protocol :

EAP-TLS
Logged At:

January 9,2014 2:55:18.268 PM
Occurred At:

January 9,2014 2:55:18.267 PM
Server:
ise-1
Authentication Method:

dot1x
EAP Authentication Method :

EAP-TLS
EAP Tunnel Method :

Username:
maiquel mc. consalter
RADIUS Username :

maiquel@sise.local
Calling Station ID:
00:0C:29:D3:9F:CC
Framed IP Address:

Use Case:

Network Device:
SW1
Network Device Groups:

Device Type#All Device Types#Switch,Location#All Locations
NAS IP Address:
192.168.2.247
NAS Identifier:

NAS Port:

50012
NAS Port ID:
FastEthernet0/12
NAS Port Type:

Ethernet
Allowed Protocol:
LM-PEAP-TLS
Service Type:

Framed
Identity Store:

Authorization Profiles:

DenyAccess
Active Directory Domain:

Identity Group:

Allowed Protocol Selection Matched Rule:

LM-WIRED-DOT1X-CERT
Identity Policy Matched Rule:

Default
Selected Identity Stores:

Authorization Policy Matched Rule:

Default
SGA Security Group:

AAA Session ID:

ise-1/178648593/324
Audit Session ID:

C0A802F70000004D0402C37E
Tunnel Details:

Cisco-AVPairs:

audit-session-id=C0A802F70000004D0402C37E
Other Attributes:

ConfigVersionId=13,Device Port=1645,DestinationPort=1645,RadiusPacketType=AccessRequest,Protocol=Radius,Framed-MTU=1500,State=37CPMSessionID=C0A802F70000004D0402C37E;29SessionID=ise-1/178648593/324;,EAP-Key-Name=,CPMSessionID=C0A802F70000004D0402C37E,EndPointMACAddress=00-0C-29-D3-9F-CC,Device Type=Device Type#All Device Types#Switch,Location=Location#All Locations,Device IP Address=192.168.2.247,Called-Station-ID=00:1A:2F:FA:E6:0E

Thanks for your time.

I

Could you explain what you have for the authorization conditions? It seems the request came in as EAP-TLS already, so that is good. Double check that what you have for the certificate CN is the same as the AD username; otherwise ISE will fail the AD group lookup (if you use External Group as one of the conditions). You can remove one condition at a time until you get a success, to troubleshoot which condition gives you trouble.

Hi,
I would like to know if the cached machine credential is shared from the primary to the secondary ISE?

If I configure the primary ISE to cache the machine credential and then the primary ISE goes down, normally the user is authenticated on the secondary ISE. Will the user need to restart his computer or log off and log in to Windows again in order to perform machine authentication, or will the secondary ISE already have the machine credential cached from the primary ISE in its cache?

As of version 1.2, the machine credential cache is not shared between PSNs. If the primary fails or resets, users will need to go through machine auth.

To do machine authentication with EAP-TLS you need 2 things:
1) Your Certificate Profile should have Binary Certificate Comparison checked.
2) For binary certificate comparison to work, you need to have your certificate published to AD. To do this, duplicate the computer certificate template and select publish to Active Directory.

What ISE (or ACS) does is compare the thumbprint (SHA1 hash) of your certificate to the thumbprint published to AD for binary certificate comparison. Without this, the machine auth request is treated as a user auth request and so is not added to the MAR cache.
