I am new with ISE, I have configured ISE & Domain computers for PEAP authentication. initially machine gets authenticated and then starts going MAB.
Allowed protocol = PEAP & TLS
Condition for computer to be checked in external identity store (AD) = Permit access
Condition for users to be checked in external identity store (AD) plus WasMachineAuthenticated = permit access
All of the above policies do match and download the ACL from ISE but computer starts to mab authentication again...
ip access-list extended ACL-DEFAULT
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
permit ip any host (AD)
permit icmp any any
permit ip any host (ISE-1)
permit ip any host (ISE-2)
permit udp any host (CUCM-1) eq tftp
permit udp any host (CUCM-2)eq tftp
deny ip any any
Switchport Access vlan 10
switchport mode access
switchport voice vlan 20
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication event server dead action authorize vlan 1
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
dot1x pae authenticator
dot1x timeout tx-period 100
One more problem about the "authentication open" and default ACL. Once the authentication succeeds and per user is ACL pushed though ISE to the switch. The default ACL still blocks communication on this switchprort.
Your help will highly appreciated.
Why do you think that it starts MAB?
you can turn on
on the switch then connect the PC. Please copy here the debug and
show authen session int Fa0/x
Please share detailed authentication failure logs for extensive troubleshooting and to find out where its getting stuck.
You need to watch the switch during an authentication, see if the machine is passing authentication and the user may be failing authentication causing the switch to fail to mab. If your switch configuration is on auth failure continue to next method, then this makes sense. The question is why is the user failing auth but the machine is passing, could be something in the policy. Make sure your AD setup has machine authentciation checked or it may not tie the machine and user auth together and the user may be failing because ISE can't make that relationship so the machinewasauth=true is not beeing matched. Easy way to check is remove that rule from your policy and see if the same thing happens.
I've also seen this happen when clients want to use EAP-TLS on the wired, machines passes auth, then the user logs into a machine for the first time. The user auth kicks off before the user gets a cert and fails auth with a null certificate, since this is a auth failure the switchport kicks over to MAB.
I don't think wasmachineauth=true is that great, I prefer to use EAP-FASTv2 using Cisco Anyconnect NAM with eap-chaining. This is great because you can do two part authentication. EAP-FAST outer with EAP-TLS inner for the machine auth, and MSCHAPv2 for the inner of the user auth. You get your EAP-TLS auth for the machine and don't have to worry about a user logging into a machine for the first time and switching to MAB because the user doesn't have a cert yet. I also do my rule to say if machine pass and user fail, then workstaion policy, if machine and user pass then corp policy.
Have you tried using EAP-FASTv2 with EAP-TLS inner for the machine auth and EAP-TLS inner for the user auth?
We can get EAP-FASTv2 withEAP-TLS inner for the machine auth and MSCHAPv2 inner for the user auth but we really want to use both machine and user certs.
Do you have any advice on the AnyConnect NAM setup and certificate profile requirements in ISE to achieve this? We've tried using CN and SAN Other but just can't get it working.
Yes I have got EAP-TLS inner for both user and machine auth. You should see if the issue is authentication failure or policy not matched. If your policy is checking against AD groups then you may need to use common name field in the cert. I have found that when using SAN I have problems getting the AD user attributes, but when using common name I can see the group memberships of the user. Make sure you test both user and machine cert separately so you can identify that both will work when using common name. In your Authentication policy you can match on wired 802.1x and use two cert stores, one that checks common name (user should pass this) and another that uses SAN (machine can use this) by making the common name the first one checked your users will always use that one, machines may fail to the one that uses SAN.
Main thing is test certs by themselves to see if they work alone, then you can look at EAP Chaining your certs.
I would say that this is for wireless rather than wired bit it shouldn't really make any difference.
I haven't actually tried using CN for User and SAN for machine by using an Identity Store Sequence that picks up 2 certificate profiles. I'll try that.
Did you need to change anything on the user and machine auth elements of the AnyConnect profile.
I recall there is an unprotected identity set to anonymous and a protected identity that is set to something like [username].
I can't remember but I may have set both the unprotected and protocted to [username] so that I didn't get anonymous logs in ISE. I have a fairly nice ISE lab and a laptop that is a member of the test domain with NAM and NAC, next time i'm in the office I can test this all out. I've always used two part authentication with EAP-FASTv2 as I explain to customers it's extra protection. If your Certs become compramised the the machine can't authenticate and your profile for full access should require both machine and user to pass. If you read the TrustSec 2.1 guide their examples are with machine and user certificates, not two part like I do. The document is pretty good and tells you how the NAM should be configured and also how your ISE policy should or could look. The thing I love about ISE is how creative you can get with it to make this stuff shine.