Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3522
Views
5
Helpful
6
Replies

Finding out root cause for ISE 802.1x failure ?

Go to solution
rfreytag
Level 1
Level 1

‎07-10-2014 01:04 PM - edited ‎02-21-2020 05:14 AM

 

I am trying to get  a MacBook up on our internal Wifi.

For that, I create an XML file using IPhone Configuration Utility. Pretty straightforward. You tell it what SSID, PEAP, certs to use, then I import that file into the MacBook.

Bottom line is it never matches my ISE rules, so I get the default Deny.

This is the first attempt to get a Mac on this network. Windows machines are set up and working fine on the internal Wifi.

I confirmed with the AD administrator that this machine name is in their system. As you can see, it authenticates to AD.

So it appears that it 802.1x is failing. How do I find out *exactly* why? I cannot tell if it is a cert issue, or something else.

Any suggestions on finding the root cause?

 

Thanks!

 

From ISE, for my Mac's MAC address:

[snip]

11001 : Received RADIUS Access-Request
  
11018 : RADIUS is re-using an existing session
  
12302 : Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
  
12319 : Successfully negotiated PEAP version 1
  
12800 : Extracted first TLS record; TLS handshake started
  
12805 : Extracted TLS ClientHello message
  
12806 : Prepared TLS ServerHello message
  
12807 : Prepared TLS Certificate message
  
12810 : Prepared TLS ServerDone message
  
12305 : Prepared EAP-Request with another PEAP challenge
  
11006 : Returned RADIUS Access-Challenge
  
11001 : Received RADIUS Access-Request
  
11018 : RADIUS is re-using an existing session
  
12304 : Extracted EAP-Response containing PEAP challenge-response
  
12305 : Prepared EAP-Request with another PEAP challenge
  
11006 : Returned RADIUS Access-Challenge
  
11001 : Received RADIUS Access-Request
  
11018 : RADIUS is re-using an existing session
  
12304 : Extracted EAP-Response containing PEAP challenge-response
  
12305 : Prepared EAP-Request with another PEAP challenge
  
11006 : Returned RADIUS Access-Challenge
  
11001 : Received RADIUS Access-Request
  
11018 : RADIUS is re-using an existing session
  
12304 : Extracted EAP-Response containing PEAP challenge-response
  
12305 : Prepared EAP-Request with another PEAP challenge
  
11006 : Returned RADIUS Access-Challenge
  
11001 : Received RADIUS Access-Request
  
11018 : RADIUS is re-using an existing session
  
12304 : Extracted EAP-Response containing PEAP challenge-response
  
12305 : Prepared EAP-Request with another PEAP challenge
  
11006 : Returned RADIUS Access-Challenge
  
11001 : Received RADIUS Access-Request
  
11018 : RADIUS is re-using an existing session
  
12304 : Extracted EAP-Response containing PEAP challenge-response
  
12305 : Prepared EAP-Request with another PEAP challenge
  
11006 : Returned RADIUS Access-Challenge
  
11001 : Received RADIUS Access-Request
  
11018 : RADIUS is re-using an existing session
  
12304 : Extracted EAP-Response containing PEAP challenge-response
  
12319 : Successfully negotiated PEAP version 1
  
12812 : Extracted TLS ClientKeyExchange message
  
12804 : Extracted TLS Finished message
  
12801 : Prepared TLS ChangeCipherSpec message
  
12802 : Prepared TLS Finished message
  
12816 : TLS handshake succeeded
  
12310 : PEAP full handshake finished successfully
  
12305 : Prepared EAP-Request with another PEAP challenge
  
11006 : Returned RADIUS Access-Challenge
  
11001 : Received RADIUS Access-Request
  
11018 : RADIUS is re-using an existing session
  
12304 : Extracted EAP-Response containing PEAP challenge-response
  
12313 : PEAP inner method started
  
11521 : Prepared EAP-Request/Identity for inner EAP method
  
12305 : Prepared EAP-Request with another PEAP challenge
  
11006 : Returned RADIUS Access-Challenge
  
11001 : Received RADIUS Access-Request
  
11018 : RADIUS is re-using an existing session
  
12304 : Extracted EAP-Response containing PEAP challenge-response
  
11522 : Extracted EAP-Response/Identity for inner EAP method
  
11806 : Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
  
12305 : Prepared EAP-Request with another PEAP challenge
  
11006 : Returned RADIUS Access-Challenge
  
11001 : Received RADIUS Access-Request
  
11018 : RADIUS is re-using an existing session
  
12304 : Extracted EAP-Response containing PEAP challenge-response
  
11808 : Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
  
15041 : Evaluating Identity Policy
  
15006 : Matched Default Rule
  
15013 : Selected Identity Source - AD-myconame
  
24430 : Authenticating user against Active Directory
  
24402 : User authentication against Active Directory succeeded
  
22037 : Authentication Passed
  
11824 : EAP-MSCHAP authentication attempt passed
  
12305 : Prepared EAP-Request with another PEAP challenge
  
11006 : Returned RADIUS Access-Challenge
  
11001 : Received RADIUS Access-Request
  
11018 : RADIUS is re-using an existing session
  
12304 : Extracted EAP-Response containing PEAP challenge-response
  
11810 : Extracted EAP-Response for inner method containing MSCHAP challenge-response
  
11814 : Inner EAP-MSCHAP authentication succeeded
  
11519 : Prepared EAP-Success for inner EAP method
  
12314 : PEAP inner method finished successfully
  
12305 : Prepared EAP-Request with another PEAP challenge
  
11006 : Returned RADIUS Access-Challenge
  
11001 : Received RADIUS Access-Request
  
11018 : RADIUS is re-using an existing session
  
12304 : Extracted EAP-Response containing PEAP challenge-response
  
24423 : ISE has not been able to confirm previous successful machine authentication for user in Active Directory
  
15036 : Evaluating Authorization Policy
  
24432 : Looking up user in Active Directory - myfirstname.mylastname
  
24416 : User's Groups retrieval from Active Directory succeeded
  
15048 : Queried PIP
  
15048 : Queried PIP
  
15048 : Queried PIP
  
15048 : Queried PIP
  
15048 : Queried PIP
  
15004 : Matched rule - Default
  
15016 : Selected Authorization Profile - DenyAccess
  
15039 : Rejected per authorization profile
  
12306 : PEAP authentication succeeded
  
11503 : Prepared EAP-Success
  
11003 : Returned RADIUS Access-Reject
 

1 person had this problem
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
nspasov
Cisco Employee
Cisco Employee
In response to rfreytag

‎08-18-2014 12:46 PM

Thanks for taking the time to come back and share the solution to the problem (+5 from me). Can you also share the bug ID that you were hitting?

Also, you should mark the thread as "Answered" if your issue is resolved :)

View solution in original post

0 Helpful
6 Replies 6

Go to solution
mohanak
Cisco Employee
Cisco Employee

‎07-17-2014 03:47 AM

24423  ISE has not been able to confirm previous successful machine authentication for user in Active Directory.

 

If you manually register the device, using the my devices portal, then you can get the user on.

It would look like its trying to authenticate their machine in the directory, which would fail since their device won't be in the directory.

0 Helpful

Go to solution
Saurav Lodh
Level 7
Level 7
In response to mohanak

‎07-31-2014 11:33 PM

Adding a System profile--recommended method for adding an 802.1X System profile

If you will be using TLS authentication, before doing anything else you will need to install a user or system certificate/private key pair as appropriate. We recommend that this is done by your System Administrator.

  1. Connect to the network and use the Directory Utility to make sure you're bound to an applicable Server such as Open Directory (OD), or Active Directory (AD) needed for your network homes and authentication.
    This will normally be done over a wired ethernet Network connection.
    For Open Directory you may not have to bind as Mac OS X supports Anonymous binding, and the OD information can be sent via DHCP. This means you can create the connection and log in with an OD account, providing the 802.1X authentication succeeds first and the DHCP server is configured to send the OD server data.
  2. Choose Apple > System Preferences > Network.
  3. From the Location pop-up menu select Edit Locations.
  4. Click Add (+) at the bottom of the Locations, and create a new Location and name it to remind you of what this Location is for, then click Done.
  5. Select the appropriate network service to set up, such as Ethernet or AirPort from the network connection services list, and then click Advanced.
  6. Click the 802.1X tab.
  7. Click Add (+) at the bottom of the profiles list, and choose Add System Profile. (If you wish, rename the Untitled profile to something else.)
  8. Enter the User Name and Password
  9. Choose a network from the Wireless Network pop-up menu. If you are setting up a 'wireless' 802.1X connection and your wireless network name (SSID) is hidden, you will need to manually type it in exactly. It is case sensitive.
  10. Select and configure the appropriate EAP Authentication types for your network. The default is PEAP and TTLS.
  11. Click OK to save the profile.
  12. Click Apply to save the 802.1X configuration.
  13. You may be prompted to trust a certificate from the server if it was issued from a non-trusted CA, in which case you will see a new entry added in Login keychain.
  14. You'll be asked for your admin password so you can set the required level of trust on that certificate.
  15. If you want to be able rejoin the network after waking from sleep you also have to ensure the network is checked in the Preferred Network list (or the Remember networks option is checked).
     
0 Helpful

Go to solution
nspasov
Cisco Employee
Cisco Employee

‎07-22-2014 09:49 AM

Can you post a screen shot of your authorization rules?

0 Helpful

Go to solution
Venkatesh Attuluri
Cisco Employee
Cisco Employee

‎08-01-2014 09:21 AM

check if you are hitting correct authorization rule, check if "ACCESS_REJECT " attribute is selected.The authorization profile with the ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate authorization policy rule-results
 

0 Helpful

Go to solution
rfreytag
Level 1
Level 1

‎08-18-2014 12:46 PM

Thanks everyone for your suggestions.

It turns out there were a couple of issues.

 

1) I was using the wrong client to configure the MacBook supplicant. IPhone Configuration Utility did not work. Then another one was tried - I think it was Apple configurator. The one that worked was Mac Server (according to our Mac guy)

2) I was unknowingly hitting a bug on Cisco wireless LAN controller. I had to upgrade from 7.6.120.0 to 7.6.120.1    I only found out about this by performing a debug. I had to get the 7.6.120.1 file from the TAC Engineer. It is not available for download otherwise. 
The symptoms was that periodically no one could connect to one of the several SSID's on our WLC. However the other SSID's were fine; people were able to connect. However it cleared itself up - people would be able to connect again to all SSID, and then it start all over. There didn't seem to be a pattern.

Details of the bug are :

 

Error Message    %APF-1-USER_ADD_FAILED: Unable to create username [chars] for 
mobile[hex]:[hex]:[hex]:[hex]:[hex]:[hex]  

Explanation    Could not create the associated username entry for a mobile due to internal error.

Recommended Action    Copy the message exactly as it appears on the console or in the system log. Research and attempt to resolve the issue using the tools and utilities provided at http://www.cisco.com/tac. With some messages, these tools and utilities will supply clarifying information. Search for resolved software issues using the Bug Toolkit at http://tools.cisco.com/Support/BugToolKit/ . If you still require assistance, open a case with the Technical Assistance Center via the Internet at http://tools.cisco.com/ServiceRequestTool/create/launch.do, or contact your Cisco technical support representative and provide the representative with the information you have gathered.

 

This is resolved.

Go to solution
nspasov
Cisco Employee
Cisco Employee
In response to rfreytag

‎08-18-2014 12:46 PM

Thanks for taking the time to come back and share the solution to the problem (+5 from me). Can you also share the bug ID that you were hitting?

Also, you should mark the thread as "Answered" if your issue is resolved :)

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card