Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
750
Views
0
Helpful
4
Replies

Cisco ise 1.3 - web Deployment configuration with anyconnect NAM on wired client

Augustgood
Level 1
Level 1

‎09-24-2015 04:10 AM - edited ‎03-10-2019 11:05 PM

Hi all, 

This is my environment, Virtualized Cisco ise 1.3 (with all pacth 4) , switch 3750x serie, windows 7 client (virtualized).

 

How can I configure the network parameters of a client windows 7 with Cisco AnyConnect  NAM and ise?

 

For this configuration I followed the guide below, applying it for wired networks:

http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/118714-configure-ise-00.html

These are the results obtained:


- The client (unknown) connected to the network, is redirected to the portal Ise,
- On this portal you can start checking the client.

- The client is installed with the client AnyConnect profiles NAM (locally created on my computer).

- After restarting the client, authentication client happens but anyconect do not configure the IP address on the network interface card.

 

How can i solve this problem ?

 

Labels:
0 Helpful
4 Replies 4

Jason van den Berg
Level 1
Level 1

‎09-29-2015 02:44 AM

Hi,

 

Could you provide the successful authentication results for this device? You will find this under operations>authentications when you click on the authentication details report.

 

Regards,

Jason

0 Helpful

Augustgood
Level 1
Level 1
In response to Jason van den Berg

‎09-29-2015 08:54 AM

I noticed a different result with client virtualized by VMware , I think that the problem is some incompatibility with vmware .
 
This log required .
 
11001 Received RADIUS Access-Request
  11017 RADIUS created a new session
  15049 Evaluating Policy Group
  15008 Evaluating Service Selection Policy
  15048 Queried PIP - Radius.Service-Type
  15048 Queried PIP - Radius.NAS-Port-Type
  15048 Queried PIP - DEVICE.Device Type
  15006 Matched Default Rule
  11507 Extracted EAP-Response/Identity
  12500 Prepared EAP-Request proposing EAP-TLS with challenge
  12625 Valid EAP-Key-Name attribute received
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12301 Extracted EAP-Response/NAK requesting to use PEAP instead
  12300 Prepared EAP-Request proposing PEAP with challenge
  12625 Valid EAP-Key-Name attribute received
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
  12319 Successfully negotiated PEAP version 1
  12800 Extracted first TLS record; TLS handshake started
  12805 Extracted TLS ClientHello message
  12806 Prepared TLS ServerHello message
  12807 Prepared TLS Certificate message
  12810 Prepared TLS ServerDone message
  12305 Prepared EAP-Request with another PEAP challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12304 Extracted EAP-Response containing PEAP challenge-response
  12305 Prepared EAP-Request with another PEAP challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12304 Extracted EAP-Response containing PEAP challenge-response
  12305 Prepared EAP-Request with another PEAP challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12304 Extracted EAP-Response containing PEAP challenge-response
  12319 Successfully negotiated PEAP version 1
  12812 Extracted TLS ClientKeyExchange message
  12804 Extracted TLS Finished message
  12801 Prepared TLS ChangeCipherSpec message
  12802 Prepared TLS Finished message
  12816 TLS handshake succeeded
  12310 PEAP full handshake finished successfully
  12305 Prepared EAP-Request with another PEAP challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12304 Extracted EAP-Response containing PEAP challenge-response
  12313 PEAP inner method started
  11521 Prepared EAP-Request/Identity for inner EAP method
  12305 Prepared EAP-Request with another PEAP challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12304 Extracted EAP-Response containing PEAP challenge-response
  11522 Extracted EAP-Response/Identity for inner EAP method
  11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
  12305 Prepared EAP-Request with another PEAP challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12304 Extracted EAP-Response containing PEAP challenge-response
  11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
  15041 Evaluating Identity Policy
  15006 Matched Default Rule
  22072 Selected identity source sequence - WIRED_SEQ
  15013 Selected Identity Source - ADTP2
  24430 Authenticating user against Active Directory - ADTP2
  24325 Resolving identity - a.pippo
  24313 Search for matching accounts at join point - tp2.it
  24319 Single matching account found in forest - tp2.it
  24323 Identity resolution detected single matching account
  24343 RPC Logon request succeeded - a.pippo@tp2.it
  24402 User authentication against Active Directory succeeded - ADTP2
  22037 Authentication Passed
  11824 EAP-MSCHAP authentication attempt passed
  12305 Prepared EAP-Request with another PEAP challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12304 Extracted EAP-Response containing PEAP challenge-response
  11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
  11814 Inner EAP-MSCHAP authentication succeeded
  11519 Prepared EAP-Success for inner EAP method
  12314 PEAP inner method finished successfully
  12305 Prepared EAP-Request with another PEAP challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12304 Extracted EAP-Response containing PEAP challenge-response
  24433 Looking up machine in Active Directory - ADTP2
  24326 Searching subject object by UPN - TESTWIRED$@tp2.it
  24327 Subject object found in a cache
  24329 Subject cache entry expired
  24330 Lookup SID By Name request succeeded
  24332 Lookup Object By SID request succeeded
  24336 Subject object cached
  24351 Account validation succeeded
  24439 Machine Attributes retrieval from Active Directory succeeded - ADTP2
  24422 ISE has confirmed previous successful machine authentication for user in Active Directory
  15036 Evaluating Authorization Policy
  11055 User name change detected for the session. Attributes for the session will be removed from the cache
  24432 Looking up user in Active Directory - ADTP2
  24355 LDAP fetch succeeded - tp2.it
  24416 User's Groups retrieval from Active Directory succeeded - ADTP2
  24355 LDAP fetch succeeded - tp2.it
  24420 User's Attributes retrieval from Active Directory succeeded - ADTP2
  15048 Queried PIP - ADTP2.ExternalGroups
  15048 Queried PIP - Network Access.EapAuthentication
  15048 Queried PIP - Session.PostureStatus
  15004 Matched rule - WIRED-EAP-PEAP-USER-UNKNOWN
  15016 Selected Authorization Profile - UNKNOWN-USERS
  11022 Added the dACL specified in the Authorization Profile
  12306 PEAP authentication succeeded
  11503 Prepared EAP-Success
  11002 Returned RADIUS Access-Accept 
 
this is a print screen on anyconnect
Preview file
298 KB
0 Helpful

Jason van den Berg
Level 1
Level 1
In response to Augustgood

‎09-30-2015 01:53 AM

Hi,

 

Just to confirm, the correct authz rule meant to be hit by a successful authentication is "WIRED-EAP-PEAP-USER-UNKNOWN"? If it is can you provide the configuration for "UNKNOWN-USERS" and include the dacl. With regards to the switch can you provide the port configuration as well as the log for when you plug in your device?

 

Regards,

Jason

 

 

0 Helpful

mukka
Level 1
Level 1
In response to Jason van den Berg

‎11-19-2015 02:19 PM

Hi all,

I have a similar issue. I have a new deployment with eap_chaining_tls. Anyconnection is configured for machine and user authentication:

eap_tunnel = eap_fast  and   eap_authentication = eap_tls

If I have the certificates, all is working fine.

But, If don´t have certificate yet, I would like to authentication via MAB to remediation.

This anyconnect profile is not working properly without the certificates.

During the tests, my "user" gets the correct "MAB authentication policy" and "MAB autorization policy". 

I can see on ISE  (operation > authentication > log details):

        Authentication is working fine for mac address xx:xx:xx:xx:xx

But in the authorization has a strange behavior:

        User name change detected for the session. Attributes for the session will be

        removed from the cache

        Looking up user in Active Directory - AD

(*Note, I am using just internal endpoints for MAB authentication)

        ......

        Resolving identity xx-xx-xx-xx-xx

          ....

         Identity resolution failed - erro_no_such_address

         .......

At the end of this process, The corret authorization profile is selected

But, Anyconnect returns "limited or no conectivity"

Do you have any idea about it ?

thanks

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents