Machine authentication using certificates

Answered Question
Aug 10th, 2012

Hi,

I am facing this error while machine authenticates agaist AD for wireless users. My requirement is users with corporate laptop get privileged vlan and BYOD should get normal vlan.I am using Cisco ISE 1.1.1 and configured authentication policies to diffrenciate clients based on corp asset and BYOD. Authentication policy result is identity sequnce which uses certificate profile and AD. All corp laptops should be authenticated using certificates and then followed by AD user and pass. when I configure XP users to validate server certificate this error comes in ISE log "Authentication failed : 11514 Unexpectedly received empty TLS message; treating as a rejection by the client" and if I disable validate sewrver certificate then this error "Authentication failed : 22049 Binary comparison of certificates failed".

Any help??

Thanks in advance.

I have this problem too.
0 votes
Correct Answer by Tarik Admani about 1 year 8 months ago

Hi,

This is a limitation on the native supplicant, when you enable smart card or certificate authentication for the network connection, then it tries to use this for both machine and user authentication. It does not allow you to use certificate authentication for machine auth, and password authenticaiton for user authentication.

You can use anyconnect network access manager (which is free if you have a cisco wireless network) and not only does it allow you to set which type of authentication you want (certificate for machine and password for user) but it has a new feature out which is called eap chaining. Eap chaining is a powerful option because you can choose the order (machine first then user) when the client connects to the network. No longer do you have to stress about the machine authentication timers and wondering what is the best fit when it comes to users logging in and out of their machines in order to update the machine authentication cache in ISE. However eap chaining uses eap-fast, which is a pac-based authentication framework.

Here is the latest release note about this feature (currently in beta):

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html#wp998871

Tarik Admani
*Please rate helpful posts*

  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 5 (1 ratings)
Tarik Admani Fri, 08/10/2012 - 10:36

Hi,

Does ISE have a signed certificate from the same internal CA as the laptops?

Also when the binary comparison of certificates failed message appears, this usually points to an internal issue where the machine certificates arent being published to the AD user account for these computer objects. There should be a tab that will show the certificate issued to the computer account:

Here is an article that covers the steps on deploying computer certificates and having them pushed to AD -

http://technet.microsoft.com/en-us/library/cc731242%28v=ws.10%29.aspx

thanks,

Tarik Admani
*Please rate helpful posts*

hardiklodhia Sat, 08/11/2012 - 06:35

Hi Tarik,

Thanks for your reply.

Yes,ISE have a sigend certificate from the same internal CA in ISE certificate store. I will ask AD authority to follow the process mentioned in the link and update you.

Thank You,

Tarik Admani Sun, 08/12/2012 - 03:05

Just out of curiosity, did you set the certificate to the eap interface? I am trying to understand why the client is unable to verify the ise's cert.

Sent from Cisco Technical Support iPad App

hardiklodhia Mon, 08/13/2012 - 02:27

Hi Tarik,

I have two CA server certificates installed in ISE. One is Public CA and the other is internal MS CA. I want corp assets to use MS CA and BYOD to use public CA. I have enabled EAP for public CA. So when I enable "Verify server certificate" check on client machine it rejects ISE and EAP does not establish but it works for BYOD. As I can only specify one CA for EAP , I have to disable server verification. Its understood that machine is supplying local MS CA certificate while ISE sends Public CA server certificate and EAP-TLS fails. But after disabling server verification , it gives error for bianry comparison failed. Is it possible to use two different CA for two different authentication rules? other thing is public cer for ISE is assigned by intermediate CA so I have installed intermediate cert chain certificate in ISE certificate store. Do I need to also install public Root CA cert in ISE certificate store? How should the chain be installed?any sequence of uploading CA certs?

Thank You,

Tarik Admani Mon, 08/13/2012 - 09:24

Hi,

You can not assign to interfaces for eap mangement, however why would you use the public CA for eap authentication? Are your external users using dot1x to authenticate to the network?

Thanks,

Tarik Admani
*Please rate helpful posts*

hardiklodhia Mon, 08/13/2012 - 09:40

the requirement: 1:corp asset + AD user/pass=full access ,2: BYOD + AD user/pass= partial access.both using EAP and same ssid. I have configured authentication policy based on this requirement using identity source sequence which has certificate profile (which checks certificate agianst AD) and AD external database for username and pass verification. AD guys have made changes according to microsoft doc but still same error.am I missing something somewhere???

Tarik Admani Mon, 08/13/2012 - 09:53

See if publishing a new certificate for the endpoint then publishes the certificate in AD.

Thanks,

Tarik Admani
*Please rate helpful posts*

hardiklodhia Mon, 08/13/2012 - 10:31

Tried that as well but not working.Surely looks some prob with AD config. But if the certificate profile pass then will it check username and password against AD? Thanks for your support.

Tarik Admani Mon, 08/13/2012 - 10:36

No,

It does a binary comparison of the certifcate that is presented from the client with the certificate that is issued to the same user in AD in order to verify that the cert is correct.

Thanks,

Tarik Admani
*Please rate helpful posts*

hardiklodhia Mon, 08/13/2012 - 10:46

that means machine and user authentication is not dome at the same time. ??? it will check only machine name instead of username in AD database for certificate verification.then how user authentication can be achieved after machine authentication??

Tarik Admani Mon, 08/13/2012 - 10:51

There are two seperate process when it comes to machine and user authentication. If you are using the default windows supplicant, the authenticate attempt for machine authentication is usually attempted, at boot up, or when you log off, or when you log on to the device.

User authentication occurs after you provide the credentials to login to the client.

The supplicant has to send the machine credential and user credential for this to work.

Tarik Admani
*Please rate helpful posts*

aijazbeigh Tue, 09/03/2013 - 01:04

Hi,

I am facing issues with ISE that client have to log off for the machine authentication as we are using PEAP. Just wanted to check if we move to certificate based authentication does this limitation go away as it annoys the users were they have to log off and log on again when they move from wired to wireless.

hardiklodhia Mon, 08/13/2012 - 12:48

Will both work with MS XP default supplicant? any document ... Thanks again for your support.

Sent from Cisco Technical Support Android App

hardiklodhia Tue, 08/14/2012 - 07:40

Hi Tarik, Certificate check is working now. But as I suspected earlier, machine AND user authentication is not working. If i set XP supplicant authmode to use machine only authentication then machine gets authenticated agianst certificate profile and ISE assigns authorisation profile without checking username and password.which is not desirable. If I set XP authmode to " Always perform user authentication when user logs on" then I can see machine authenticates in ISE but after login with AD username and password , connection doesnt come up and XP pops up with" windows cant find user cert" error. How to make user and machine authentication work at the same time? one more thiing I noticed that after machine authentication, EAP is not challenging for username and password. I have enabled MAR in ISE. Am I missing something. Thanks in advance and I will surely rate your posts.

Correct Answer
Tarik Admani Tue, 08/14/2012 - 08:19

Hi,

This is a limitation on the native supplicant, when you enable smart card or certificate authentication for the network connection, then it tries to use this for both machine and user authentication. It does not allow you to use certificate authentication for machine auth, and password authenticaiton for user authentication.

You can use anyconnect network access manager (which is free if you have a cisco wireless network) and not only does it allow you to set which type of authentication you want (certificate for machine and password for user) but it has a new feature out which is called eap chaining. Eap chaining is a powerful option because you can choose the order (machine first then user) when the client connects to the network. No longer do you have to stress about the machine authentication timers and wondering what is the best fit when it comes to users logging in and out of their machines in order to update the machine authentication cache in ISE. However eap chaining uses eap-fast, which is a pac-based authentication framework.

Here is the latest release note about this feature (currently in beta):

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html#wp998871

Tarik Admani
*Please rate helpful posts*

hardiklodhia Wed, 08/15/2012 - 13:21

Hi Tarik, thanks for your support. I will try Anyconnect and hope We can achive machine and user authentication same time before ISE applies authorisation profile/rules.

Thank you.

Sent from Cisco Technical Support Android App

hardiklodhia Tue, 08/28/2012 - 08:49

Hi Tarik,

I have tried using Cisco Anyconnect NAM on Wondows XP for machine and user authentication but EAP-chaining feature is not working as expected. I am facing few challenges. I have configured NAM to use eap-fast for machine and user authentication and ISE is configured with required authorisation rule and profiles/results. when machine boots up it sends machine certificate and gets authenticated against AD and ISE matches the authorisation rule and assigns authZ profile without waiting for user credentials. Now when a user logs on using AD user/pass, authentication fails as the VLAN assigned in AuthZ profile does not have access to AD. ISE should actually check with their external database but Its not. Interestingly, if I login with an AD user which is local to the machine its gets authenticated and gets correct AuthZ profile/access level. If I logoff and login with different user, Windows adapter gets IP address and ISE shows successful authentication /authz profile but NAM agent prompts limited connectivity. Any help??

Tarik Admani Tue, 08/28/2012 - 09:17

Hi [answers are inline]

I  have tried using Cisco Anyconnect NAM on Wondows XP for machine and  user authentication but EAP-chaining feature is not working as expected.  I am facing few challenges. I have configured NAM to use eap-fast for  machine and user authentication and ISE is configured with required  authorisation rule and profiles/results. when machine boots up it sends  machine certificate and gets authenticated against AD and ISE matches  the authorisation rule and assigns authZ profile without waiting for  user credentials.

This is expected for machine authentication, since the client hasnt logged in machine authentication will succeed so the computer has connectivity to the domain.

Now when a user logs on using AD user/pass,  authentication fails as the VLAN assigned in AuthZ profile does not have  access to AD. ISE should actually check with their external database  but Its not.

Do you see the authentication report in ISE? Keep in mind that you are authenticating with a client that has never logged into the workstation before. I am sure you are looking for the feature which starts the NAM process before the user logs in. Try checking this option here:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac04namconfig.html#wp1074333

Note the section below:

Before  User Logon—Connect to the network before the user logs on. The user  logon types that are supported include user account (Kerberos)  authentication, loading of user GPOs, and GPO-based logon script  execution.

If you choose Before User Logon, you also get to set Time to Wait Before Allowing a User to Logon:

Time to Wait Before Allowing User to Logon—Specifies the maximum (worst  case) number of seconds to wait for the Network Access Manager to make a  complete network connection. If a network connection cannot be  established within this time, the Windows logon process continues with  user log on. The default is 5 seconds.

Note If the Network Access Manager is configured to manage wireless connections, set Time to wait before allowing user to logon to 30 seconds or more because of the additional time it may take to  establish a wireless connection. You must also account for the time  required to obtain an IP address via DHCP. If two or more network  profiles are configured, you may want to increase the value to cover two  or more connection attempts.


You will have to enable this setting to allow the supplicant to connect to the network using the credentials you provide, the reason for this is you are trying to authenticate a user that has never logged into this workstation before. Please make changes to the configuration.xml file, and then select the repair option on the anyconnect client and test again.

Interestingly, if I login with an AD user which is local to  the machine its gets authenticated and gets correct AuthZ  profile/access level. If I logoff and login with different user, Windows  adapter gets IP address and ISE shows successful authentication /authz  profile but NAM agent prompts limited connectivity. Any help??

Please make the changes above and see if the error message goes away.

Thanks,

Tarik Admani
*Please rate helpful posts*

hardiklodhia Tue, 08/28/2012 - 09:59

Thanks for your help Tarik,

I have changed the NAM profile as you suggested but still only one user can login successfully. When I login with diffrent user it still not working. However, ISE authentication logs shows successfull with correct Authz profile. NAM still throws same error "limited connectivity".

Thanks in advance.

Tarik Admani Tue, 08/28/2012 - 17:55

Is user connected to the network and can it access the domain controllers after machine authentication succeeds? Also do you have the nac agent installed on this device as well? Are you changing vlans after user authentication?

Thanks,

Tarik Admani
*Please rate helpful posts*

hardiklodhia Wed, 08/29/2012 - 08:09

Hi Tarik,

Is user connected to the network and can it access the domain controllers after machine authentication succeeds? YES, The assigned VLAN can reach DCs.

Also do you have the nac agent installed on this device as well?(Anyconnect with NAM)

Are you changing vlans after user authentication? I wanted to but its not working.

Thanks,

adil.pasha1@ge.com Fri, 09/14/2012 - 17:59

Hi guys,

I have pretty simple use cases here.

1. Company owned laptop/desktop with CA assigned certificate and valid user-id/password - ISE should allow the connection to the network.

2. Any personal device with no company issued CA certificate - ISE should allow the connection to guest network.

I have spent a couple of months trying to make this work. We do not and cannot use Microsoft device authentication. We just want to authenticate the machine based on the certificate and a user with valid ID / password should be tied together. Pretty simple. I have not found any ISE document which shows this simple use case. I have tested AC 3.1 for EAP Chaining but it does not work.

Any help will be appreciated very much.

Tarik Admani Fri, 09/14/2012 - 22:42

Adil,

There is a bug on the eap chaining which is not working at the moment, but instead of using eap chaining go ahead and use the anyconnect to set the credential for machine using certs and user using peap credentials and see if this resolves your issue.

You are correct and your use case is very simple can you post a screenshot of your authorization policies so I can take a look?

Thanks,

Tarik Admani
*Please rate helpful posts*

Actions

Login or Register to take actions

This Discussion

Posted August 10, 2012 at 9:24 AM
Stats:
Replies:24 Avg. Rating:5
Views:5691 Votes:0
Shares:0

Related Content

Discussions Leaderboard