Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco Identity Service Engine (ISE) with subject matter expert Nicolas Darchis.
Cisco Identity Service Engine is a security policy management and control platform that automates and simplifies access control and security compliance for wired, wireless, and VPN connectivity. It is primarily used to provide secure access and guest access, support BYOD initiatives, and enforce usage policies in conjunction with Cisco TrustSec.
Nicolas Darchis is a wireless and authentication, authorization, and accounting expert for the Technical Assistance Center at Cisco Europe. He has been troubleshooting wireless networks, wireless management tools, and security products, including Cisco Secure Access Control Server, since 2007. He also focuses on filing technical and documentation bugs. Darchis holds a bachelor's degree in computer networking from the Haute Ecole Rennequin Sualem and a master's degree in computer science from the University of Liege. He also holds CCIE Wireless certification (no. 25344).
Remember to use the rating system to let Nicolas know if you have received an adequate response.
Because of the volume expected during this event, our expert might not be able to answer every question. Remember that you can continue the conversation in the Security community under subcommunity AAA, Identity, and NAC shortly after the event. This event lasts through June 20, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
Can we install several certificates on ISE? How do we accommodate the guest portal's and the admin portal's different requirements from a certificate perspective?
This is a classic question. I will try to explain all the possibilities...
First of all, you can only install 2 different certificates on an ISE node. One for HTTPS and one for EAP (the same cert can be used for both also).
This means that it is the same certificate that will be used for sponsor portal, guest portal and admin GUI. That looks like a problem but isn't one.
In the settings for the sponsor portal, you can give it a different URL (something like sponsor.company.domain for example). You do not need a different certificate for that; you can simply add a "SAN" (Subject Alternative Name) in your HTTPS certificate that will contain the Sponsor portal URL. Therefore the same certificate is valid for the admin GUI/URL and also for the Sponsor URL you configured!
Important note: By RFC standard, the CN of the HTTPS certificate must be the ISE FQDN, nothing else. The ISE FQDN must also appear in one of the SAN fields. But then you can add more SAN fields for the Sponsor URL and so on...
The only concern remaining would be for the guest portal, to which you cannot give a different URL. Well, if that is a concern, you could technically issue one kind of certificate on the admin ISE node (issued by your enterprise CA, using your company domain) and then on the PSN, the HTTPS cert is issued by a different CA (in another domain, that guests can see for example) and there the ISE FQDN is something the guests can relate to. There is no real admin GUI on a PSN so this is not a problem.
As long as the admin node and the PSN node trust each other's certificate or issuing CA in their store, they will be able to join each other in a distributed deployment.
Note: Playing with certificates should always be done on a node that is in standalone mode, BEFORE it joins a deployment.
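The naming rules in this answer (CN equal to the ISE FQDN, the FQDN repeated in a SAN entry, additional SAN entries covering the sponsor portal URL) can be checked before the certificate is bound in ISE. The following is an added example, not code from the original thread or from Cisco: it takes the certificate's subject CN and SAN DNS names as a plain dictionary (the hostnames and profile names are constructed) and reports which names are not covered, applying the single left-most wildcard match from RFC 6125.

```python
"""Check that an ISE HTTPS certificate covers the admin FQDN and the portal
FQDNs.  Added example; the certificate dictionaries and hostnames are
constructed, not taken from any real deployment."""


def _san_matches(san_name: str, host: str) -> bool:
    """RFC 6125 style DNS-ID match: exact (case-insensitive), or a single
    left-most wildcard label.  '*.corp.example' matches
    'sponsor.corp.example' but not 'a.b.corp.example' or 'corp.example'."""
    san_name = san_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if san_name == host:
        return True
    if san_name.startswith("*."):
        suffix = san_name[1:]                       # ".corp.example"
        if not host.endswith(suffix) or len(host) <= len(suffix):
            return False
        return "." not in host[: -len(suffix)]      # exactly one extra label
    return False


def check_ise_https_cert(cert: dict, ise_fqdn: str, portal_fqdns: list) -> list:
    """Return a list of problems; an empty list means the certificate is
    usable for the admin GUI and for every portal FQDN given.
    cert = {"subject_cn": str, "san_dns": [str, ...]}"""
    problems = []
    cn = cert.get("subject_cn", "")
    sans = cert.get("san_dns", [])

    # Rule from the answer: the CN must be the ISE FQDN, nothing else.
    if cn.lower() != ise_fqdn.lower():
        problems.append(f"CN is '{cn}', expected the ISE FQDN '{ise_fqdn}'")

    # Rule from the answer: the ISE FQDN must also appear in a SAN entry.
    if not any(_san_matches(s, ise_fqdn) for s in sans):
        problems.append(f"ISE FQDN '{ise_fqdn}' is not covered by any SAN entry")

    # Every extra portal hostname (e.g. the sponsor portal URL) needs a SAN.
    for portal in portal_fqdns:
        if not any(_san_matches(s, portal) for s in sans):
            problems.append(f"portal FQDN '{portal}' is not covered by any SAN entry")
    return problems


if __name__ == "__main__":
    # Constructed certificate: CN is the node FQDN, SAN carries it plus the sponsor URL.
    good = {"subject_cn": "ise01.corp.example",
            "san_dns": ["ise01.corp.example", "sponsor.corp.example"]}
    # Constructed certificate: CN was set to the sponsor name and the SAN is missing the node.
    bad = {"subject_cn": "sponsor.corp.example", "san_dns": ["sponsor.corp.example"]}
    for c in (good, bad):
        print(c["subject_cn"], "->", check_ise_https_cert(c, "ise01.corp.example",
                                                          ["sponsor.corp.example"]) or "OK")
```

Run it against the names you intend to put in the CSR; a wildcard SAN such as `*.corp.example` also satisfies both the node and sponsor names, but the CN check still insists on the node FQDN itself.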
I'm installing ISE for use with 802.1x wired Microsoft Windows 8 clients connecting to 3560 switches running 12.2.55SE9. We are using EAP-TLS machine and user certs. ISE is v1.2 patch 7.
I have a few questions you can perhaps help me with:
1. When a user logs in to a laptop for the first time their certificate is delivered using GPO. This means that the first time a user logs in their profile does not have a user cert and cannot be authenticated. I was looking at machine access restriction (MAR) as a solution to this but couldn't get it to work. There is some talk online about MAR not working with EAP-TLS machine certs. Can you confirm to me whether MAR will work with EAP-TLS?
2. The Cisco Live presentations on the ISE say that the RADIUS Acct-Session-Time attribute is collected by the ISE but it is not in the drop-down list. Is there a way to use this attribute in profiling rules?
3. I am seeing some inconsistent behaviour from Windows 8 clients. They seem to stop responding to 802.1x requests and the process times out and tries MAB instead. Once restarted the Windows 8 clients work correctly again. Do you have a list of Windows 8 bugs and bugfixes at all which might impact this process?
Thanks very much for any info
1. So the idea would be that if all laptops have a good machine certificate store all the time, you could give some access after machine authentication so that laptops could get their GPOs and then they can do user authentication without any problem. You technically do not need MAR. You simply do machine and user authentication. Machine authentication will be done as soon as the laptop has booted, at the "CTRL-ALT-DEL" login page. If successful, it is a domain laptop and you can safely place an ACL on the port that only gives access to AD servers so that users can log in through the domain.
Then users can do their user authentication once they log in to windows.
I suggest you take a look at the following: http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116516-problemsolution-technology-00.html#anc7
In a nutshell, adding MAR to the previous paragraph simply means that when users do their user authentication, you enforce that a machine authentication must have happened in the X hours before (X being configurable but not infinite). This means that everyone will HAVE TO reboot their laptops every day or every second day as machine authentication is only done at boot time or on logging off.
A good alternative is EAP-chaining with Anyconnect.
I have never heard of a MAR problem with EAP-TLS. EAP-TLS machine auth is a classic and MAR is simply ISE keeping a MAC address list of machines that authenticated successfully in the last X hours.
2. Indeed, it is present in the RADIUS system dictionary but not configurable. It makes sense that you cannot use it for auth or AuthZ rules as it is accounting. I personally do not see what use it could have in profiling as it is an attribute having a value usually at the end of the session (or during, with interim-updates) and that is probably why developers did not include it in the drop-down list. If you have a good business case to use it, the best is to explain that case to your Cisco account team who can push it as a feature in upcoming releases.
3. I do not have such a list and did not particularly face many problems that I can remember with Windows 8 clients.
1. GPOs update user settings, so they cannot run until after the user has logged in, so your solution is not technically feasible. The process is like this:
Client laptop boots up and is authenticated to the network by the machine certificate.
User logs in.
GPO starts running and sends a request for new user cert if cert is not present.
Dot1x tries to reauthenticate with the user cert, which will fail as the GPO has not had time to deliver the new user cert if this is a first-time login.
My thought was that MAR could allow the machine to remain authenticated for an hour, which would give the GPOs time to deliver the user cert. What happens when the MAR time restriction runs out? Does the switch try and re-authenticate the port? At that point the user cert could be used so this could work.
Can you confirm that EAP-TLS works with MAR please? It seems easy to set up but it did not work when I tried it. Is there a way I can debug/troubleshoot this process?
2. OK thanks
MAR is not exactly that. MAR is a cache on ISE where ISE remembers that a given MAC address has machine authenticated before.
What you could do is have an authorization rule that permits access on a machine authentication (i.e. username starting with host/) and gives access to AD servers only.
Another rule that says if a user authentication fails, but the computer "wasmachineauthenticated==true", then we still permit access and give access to AD servers only.
On a user authentication succeeding, you give full access.
This way you don't really need regular reboots or have timeouts of any sorts.
Indeed, my bad. The username in EAP-TLS will typically be the CN field of the certificate but that can be changed by the TLS profile in ISE.
However, the logic stays the same. Except that to determine if it's a user or computer authentication, you can check if the user belongs to "domain computers" AD group. If it does, it's a valid machine authentication :-)
Your first statement seemed to imply that the "wasmachineauthenticated" attribute would not be set to true in case of EAP-TLS machine authentication. I actually could not find clues supporting that theory nor could I find clues saying it would work. I am not sure if that attribute relies on the presence of "host/" in the username or not. That is worth testing.
In any case, EAP-chaining with AnyConnect is much more noble.
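The rule set described across the two answers above (machine authentication gets an AD-servers-only result and is remembered per MAC address, a failed user authentication on a remembered MAC keeps that restricted access, a successful user authentication gets full access) can be simulated to see how the first-login case plays out. This is an added example, not ISE code or a Cisco configuration: the authorization profile names, the MAC addresses and the MAR aging time are constructed, and a machine identity is recognised either by the `host/` username prefix or by membership of the "Domain Computers" AD group, which is the EAP-TLS variant from the second answer.

```python
"""Simulate the ISE authorization logic from the answers above with a MAR
cache keyed by MAC address.  Added example with constructed names; the real
ISE attribute the rule tests is Network Access:WasMachineAuthenticated."""
from dataclasses import dataclass, field

# Constructed authorization profile names (these are not ISE defaults).
AD_ONLY = "PermitAccess-ADServersOnly"   # dACL: reach AD/DC servers only
FULL_ACCESS = "PermitAccess-Full"
DENY = "DenyAccess"


@dataclass
class AuthRequest:
    mac: str
    username: str          # 'host/LAPTOP01.corp.example' or 'jdoe' (EAP-TLS CN by default)
    succeeded: bool        # result of the EAP-TLS certificate authentication
    ad_groups: tuple = ()  # AD group membership of the identity, if looked up
    at: float = 0.0        # time of the request in seconds


@dataclass
class MarCache:
    """ISE remembers that a MAC machine-authenticated within the aging time."""
    aging_seconds: float
    entries: dict = field(default_factory=dict)   # mac -> time of last machine auth

    def record(self, mac: str, at: float) -> None:
        self.entries[mac] = at

    def was_machine_authenticated(self, mac: str, now: float) -> bool:
        last = self.entries.get(mac)
        return last is not None and 0 <= now - last <= self.aging_seconds


def is_machine_identity(req: AuthRequest) -> bool:
    """Machine auth shows up as a host/ username (PEAP) or, with EAP-TLS where
    the username is the certificate CN, as membership of Domain Computers."""
    if req.username.lower().startswith("host/"):
        return True
    return any(g.lower() == "domain computers" for g in req.ad_groups)


def authorize(req: AuthRequest, mar: MarCache) -> str:
    """Evaluate the three rules from the answer, first match wins."""
    # Rule 1: successful machine authentication -> AD servers only, remember the MAC.
    if req.succeeded and is_machine_identity(req):
        mar.record(req.mac, req.at)
        return AD_ONLY
    # Rule 3: successful user authentication -> full access.
    if req.succeeded:
        return FULL_ACCESS
    # Rule 2: user auth failed but WasMachineAuthenticated is true -> AD servers only.
    if mar.was_machine_authenticated(req.mac, req.at):
        return AD_ONLY
    return DENY


def first_login_scenario(aging_seconds: float = 8 * 3600) -> list:
    """Constructed sequence for one laptop: boot, first user login before the
    GPO delivered a user cert, then login once the cert exists."""
    mar = MarCache(aging_seconds)
    mac = "00:11:22:33:44:55"                      # constructed MAC
    steps = [
        AuthRequest(mac, "LAPTOP01.corp.example", True, ("Domain Computers",), at=0),
        AuthRequest(mac, "jdoe", False, ("Domain Users",), at=60),        # no user cert yet
        AuthRequest(mac, "jdoe", True, ("Domain Users",), at=600),        # cert delivered by GPO
        AuthRequest("66:77:88:99:aa:bb", "guest-pc", False, (), at=600),  # never machine-authed
    ]
    return [authorize(s, mar) for s in steps]


if __name__ == "__main__":
    for result in first_login_scenario():
        print(result)
```

The aging time matters only for the fallback rule: a laptop that has not machine-authenticated within it and then fails user authentication is denied, which is the "reboot every X hours" effect the earlier answer mentions.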
I think that with EAP-TLS it requires certificate binary comparison to be enabled in order for ISE to write the client mac address in the MAR cache.
Thank you for covering this topic. My question is how are licenses counted? How do I make sense out of the number of base or advanced licenses consumed?
Licenses are consumed as soon as a device authenticates. So if your ISE is profiling whole subnets, that will not really matter until those devices actually authenticate.
If an unknown device authenticates with 802.1x, it consumes a base license. If a device with profiled information authenticates, then it consumes an advanced (or Plus) license.
The best way is still the control at the source. Having Anyconnect deployed on domain laptops with a profile configured so that they can only join certain SSIDs.
Otherwise, you can also use profiling. Relying on MAC address to prevent attackers is not secure. But if it's to prevent employees from simply picking a wrong SSID, it works. However, the trick is to create a profiling rule that will identify correctly your domain laptops. The safest way would be to add MAC addresses manually to a group. Automatic ways can use the hostname of the PC sent in the DHCP request to categorize it as part of the domain.
You need only to play with profiling in case you have other mac addresses in the ISE db too. In a simpler setup, you can simply say that if the mac is known by ISE, it's an employee and he can connect to employee SSID only, but if mac is unknown (or known but belongs to "Registered Device" group, which means it went through BYOD), it goes to BYOD SSID only.
Hi Nicolas, I have some ongoing issues that I hope you can help me with.
The ISE env. is running on 22.214.171.1245, which I know is less than optimal.
First of all I'm working on a setup where wired as well as wireless clients lose LAN connectivity, as if they/the system are losing their validation credentials (which means that they are redirected to the web portal).
It occurs both when the clients are starting up in the morning, as well as during the day - but it's not consistent.
The wired clients use a combination of domain PC and certificate validation, whereas the wifi clients use domain PC and EAP-TLS.
Until now I haven't been able to find any reason for the validation loss in the log server - it just sort of initializes a web authentication.
My second question is regarding Apple "smart device" authentication on the ISE guest portal. I'm aware that it's a broadly discussed topic, and I know of the Captive-bypass solution.
Is this really the only way to solve the CNA issue? If so, what is the consequence for other smart devices?
My final question is regarding wifi clients that, when being connected to a wired network, lose connectivity with the following log entry:
"Identity policy result is configured for password based authentication methods but received certificate based authentication request".
I have just seen this message today, and I'm wondering whether it would solve the issue if I added certificate authentication as a secondary option, with EAP-TLS as the primary?
If so, what new issues would that raise (if any)?
I hope some of it made sense.
1) It is not "ISE loses the credentials and asks for the web portal again". Once a user is authenticated, it is authenticated as long as it stays connected. Possibilities are:
-You are returning a session timeout (RADIUS attribute 27) in the authz profile of the user. Therefore the user has to reauthenticate after X seconds. But you would see a pattern, then.
-Over wireless, many clients are not capable of doing fast roaming (smartphones are the biggest example) and will therefore reauthenticate with dot1x every time they roam. A small coverage hole would be enough for the cached credentials to disappear and the web portal to show up again.
-Over wired, this cannot really occur but the idea is that it's probably the switch resetting the connection and contacting ISE again. The idea to troubleshoot this is to monitor the access device (WLC/switch) and check if the port goes up/down, if the MAB session gets reset or something and why.
2) The captive bypass issue is that Apple devices will probe the apple.com website to check if there is internet connectivity. If they can reach it, then fine; if they sense that they are redirected, they open a small pop-up window with the login portal. The problem (and I still cannot understand why) is that this is not Safari, it's some nameless feature-less browser that doesn't work properly.
By enabling the captive bypass feature, the WLC intercepts the requests to the Apple test page and replies with HTTP OK. The Apple device then thinks "ok, I have internet connectivity" and it's up to the user to bring up a real browser to log in to the portal page.
It therefore does not affect non-Apple devices to have the feature enabled.
The problem is that in iOS 7.x, Apple decided to not just use apple.com anymore but a whole list of test pages on different websites.
3) "whether it would solve the issue if I added certificate authentication as a secondary option, with eap-tls as the primary"
=> This is disturbing because EAP-TLS is a certificate authentication method. But the ISE message seems to imply that the user is hitting an authentication rule that only provides PEAP or EAP-FAST with MSCHAP or something similar...
If you have the Windows default supplicant you have close to no control on what the client will submit. I can imagine that moving from wired to wireless, the laptop would sometimes try to send a password instead of a certificate and/or vice versa. AnyConnect with fixed network profiles would solve the problem elegantly.
I cannot comment on your auth policies as I do not know them :-)
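The first part of the answer above says the distinguishing sign of a Session-Timeout (RADIUS attribute 27) is a regular pattern of reauthentications, whereas roaming or a port/session reset gives irregular ones. The following added example (not code from the thread, from Cisco or from ISE) implements that triage over a constructed, simplified authentication log: it groups successful authentications by MAC address, measures the gaps between them and labels each client as periodic, roaming-driven, or irregular on a single port. The log line format, MAC addresses and port names are all constructed.

```python
"""Triage repeated reauthentications from a simplified auth log.
Added example with a constructed log format; real ISE live-log lines differ."""
import re
from datetime import datetime
from statistics import mean, pstdev

# Constructed line format: timestamp, client MAC, NAS, AP name or switch port, result.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) mac=(?P<mac>\S+) "
    r"nas=(?P<nas>\S+) port=(?P<port>\S+) result=(?P<result>\S+)$"
)

SAMPLE_LOG = """\
2014-06-10 08:00:00 mac=00:11:22:33:44:55 nas=WLC1 port=AP-Floor1 result=PASS
2014-06-10 09:00:00 mac=00:11:22:33:44:55 nas=WLC1 port=AP-Floor1 result=PASS
2014-06-10 10:00:00 mac=00:11:22:33:44:55 nas=WLC1 port=AP-Floor1 result=PASS
2014-06-10 11:00:00 mac=00:11:22:33:44:55 nas=WLC1 port=AP-Floor1 result=PASS
2014-06-10 08:00:00 mac=aa:bb:cc:dd:ee:01 nas=WLC1 port=AP-Floor1 result=PASS
2014-06-10 08:07:00 mac=aa:bb:cc:dd:ee:01 nas=WLC1 port=AP-Floor2 result=PASS
2014-06-10 08:31:00 mac=aa:bb:cc:dd:ee:01 nas=WLC1 port=AP-Floor1 result=PASS
2014-06-10 08:40:00 mac=aa:bb:cc:dd:ee:01 nas=WLC1 port=AP-Floor3 result=PASS
2014-06-10 08:00:00 mac=aa:bb:cc:dd:ee:02 nas=SW-3560-1 port=Gi0/5 result=PASS
2014-06-10 08:12:00 mac=aa:bb:cc:dd:ee:02 nas=SW-3560-1 port=Gi0/5 result=PASS
2014-06-10 08:50:00 mac=aa:bb:cc:dd:ee:02 nas=SW-3560-1 port=Gi0/5 result=PASS
2014-06-10 09:03:00 mac=aa:bb:cc:dd:ee:02 nas=SW-3560-1 port=Gi0/5 result=PASS
2014-06-10 09:05:00 mac=aa:bb:cc:dd:ee:02 nas=SW-3560-1 port=Gi0/5 result=FAIL
"""


def parse_log(text: str) -> dict:
    """Return {mac: [(timestamp, port, result), ...]}, skipping unparseable lines."""
    events = {}
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.setdefault(m["mac"], []).append((ts, m["port"], m["result"]))
    return events


def classify_reauths(events: dict, min_events: int = 4, cv_threshold: float = 0.10) -> dict:
    """Return {mac: (label, mean_gap_seconds)}.  A low coefficient of
    variation between successful authentications points at a configured
    Session-Timeout; otherwise look at whether the port/AP changes."""
    result = {}
    for mac, evs in events.items():
        passes = sorted(e for e in evs if e[2] == "PASS")
        if len(passes) < min_events:
            result[mac] = ("too-few-events", None)
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(passes, passes[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        ports = {p for _, p, _ in passes}
        if cv <= cv_threshold:
            label = "periodic-check-session-timeout-attr27"
        elif len(ports) > 1:
            label = "reauth-on-roam-check-client-fast-roaming"
        else:
            label = "irregular-same-port-check-nas-port-or-session-reset"
        result[mac] = (label, round(avg))
    return result


if __name__ == "__main__":
    for mac, (label, gap) in classify_reauths(parse_log(SAMPLE_LOG)).items():
        print(f"{mac}: {label} (mean gap {gap}s)")
```

Only successful authentications count for the interval measurement; failures are kept in the parse so the same structure can be extended to flag clients whose sessions end in MAB fallback, as in the earlier Windows 8 question.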
We've seen the following error during our guest login:
"Your session has expired. Please login again". The error in ISE shows up as "Guest authentication failed: 86017: Session cache entry missing."
After you disassociate the user on WLC, users are able to authenticate normally.
That can be many different things.
However, legitimate scenarios are if the client hits another ISE's portal than the ISE it authenticated with.
Typically people would configure their CWA authorization result with a static IP/hostname instead of the default automatic setting and then you cannot be sure that the portal the client is redirected to is the ISE the client authenticated with. By having the automatic redirection URL pointing to the FQDN of the ISE the client authenticated with, this problem does not happen.
The same can then also occur in case of load balancers.
Another case is if you force the discovery host of the NAC agent; then the same problem will happen for posture. Posture will only work if it automatically discovers the ISE that authenticated its RADIUS session.
Weirder cases can happen if there is some RADIUS mess. For example, if you have a central webauth scenario with a foreign-anchor WLC scenario and both controllers are configured for accounting, then they will both send a different session id in their accounting packets and the client session might be terminated as soon as it started. Workaround there is to only enable accounting on one WLC or to turn it off completely.
Those are common gotchas. Like I said, it can be more complex and less legitimate, but that would need severe TAC troubleshooting to pinpoint further.
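Two of the gotchas listed above leave a footprint that can be checked from the session records: a CWA redirect host that differs from the PSN that authenticated the client, and accounting for one client arriving from two NAS devices with different session IDs. The following is an added example, not ISE or Cisco code: it runs those two checks over a constructed list of simplified session records. The field names, NAS names and session IDs are constructed; in an ISE deployment the session ID in question is the audit-session-id carried in the cisco-av-pair attribute, and the redirect host is the one in the url-redirect av-pair.

```python
"""Flag the two CWA session gotchas from the answer above in a simplified
session record list.  Added example; records and field names are constructed."""
from collections import defaultdict

# Constructed records: each is one RADIUS event as seen from ISE's point of view.
SAMPLE_RECORDS = [
    # Client 1: authenticated on psn1, redirect host is the same node (fine), but
    # both the foreign and the anchor WLC send accounting with their own session id.
    {"type": "auth", "mac": "00:11:22:33:44:55", "nas": "WLC-foreign",
     "psn": "ise-psn1.corp.example", "redirect_host": "ise-psn1.corp.example"},
    {"type": "acct-start", "mac": "00:11:22:33:44:55", "nas": "WLC-foreign", "session_id": "0a000001000000011111"},
    {"type": "acct-start", "mac": "00:11:22:33:44:55", "nas": "WLC-anchor", "session_id": "0a000002000000022222"},
    # Client 2: redirect URL was typed statically and points at a different host.
    {"type": "auth", "mac": "aa:bb:cc:dd:ee:01", "nas": "WLC-foreign",
     "psn": "ise-psn2.corp.example", "redirect_host": "ise.corp.example"},
    {"type": "acct-start", "mac": "aa:bb:cc:dd:ee:01", "nas": "WLC-foreign", "session_id": "0a000001000000033333"},
    # Client 3: clean, one NAS doing accounting and an automatic redirect.
    {"type": "auth", "mac": "aa:bb:cc:dd:ee:02", "nas": "WLC-foreign",
     "psn": "ise-psn1.corp.example", "redirect_host": "ise-psn1.corp.example"},
    {"type": "acct-start", "mac": "aa:bb:cc:dd:ee:02", "nas": "WLC-foreign", "session_id": "0a000001000000044444"},
]


def find_session_gotchas(records: list) -> list:
    """Return (mac, finding, detail) tuples for the two patterns."""
    findings = []
    acct_by_mac = defaultdict(lambda: defaultdict(set))   # mac -> nas -> {session ids}

    for r in records:
        if r["type"] == "auth":
            redirect = r.get("redirect_host")
            # A static redirect host that is not the authenticating PSN sends the
            # client to a node with no session cache entry for it.
            if redirect and redirect.lower() != r["psn"].lower():
                findings.append((r["mac"], "redirect-host-not-authenticating-psn",
                                 f"redirect={redirect} psn={r['psn']}"))
        elif r["type"] == "acct-start":
            acct_by_mac[r["mac"]][r["nas"]].add(r["session_id"])

    for mac, per_nas in acct_by_mac.items():
        if len(per_nas) < 2:
            continue
        all_ids = set().union(*per_nas.values())
        # Foreign and anchor both accounting, each with its own session id.
        if len(all_ids) > 1:
            findings.append((mac, "accounting-from-multiple-nas-distinct-session-ids",
                             "nas=" + ",".join(sorted(per_nas)) + " ids=" + ",".join(sorted(all_ids))))
    return findings


if __name__ == "__main__":
    for mac, finding, detail in find_session_gotchas(SAMPLE_RECORDS):
        print(f"{mac}: {finding} ({detail})")
```

The accounting check is the one to run for the foreign-anchor question: if a MAC shows start records from both controllers with distinct IDs, the workaround in the answer (accounting on one WLC only) applies.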
"Weirder cases can happen if there is some RADIUS mess. For example, if you have a central webauth scenario with a foreign-anchor WLC scenario and both controllers are configured for accounting, then they will both send a different session id in their accounting packets and the client session might be terminated as soon as it started. Workaround there is to only enable accounting on one WLC or to turn it off completely."
My scenario may fall in this case. How can I troubleshoot it in order to make sure?
Thanks in advance!!