Cisco AP as dot1x client - EAP-MD5/EAP-MSCHAPv2

davy.timmermans
Level 4

ISE 2.0 

WLC: 8.1.131

Is the following normal behavior?

dot1x enabled on a 2700i AP, the AP connected to a switch port configured with dot1x.

Step 1

event PAC Provisioned

authC: ok --> success

authZ: ok

authZ result: <>

result access reject

EAP-FAST, EAP-MSCHAPv2 inner method

Cisco Identity Services Engine

11001 Received RADIUS Access-Request
  11017 RADIUS created a new session
  15049 Evaluating Policy Group
  15008 Evaluating Service Selection Policy
  15048 Queried PIP - Normalised Radius.RadiusFlowType
  15048 Queried PIP - Radius.NAS-Port-Type
  15048 Queried PIP - Radius.Service-Type
  15004 Matched rule - Wired dot1x
  11507 Extracted EAP-Response/Identity
  12100 Prepared EAP-Request proposing EAP-FAST with challenge
  12625 Valid EAP-Key-Name attribute received
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12102 Extracted EAP-Response containing EAP-FAST challenge-response and accepting EAP-FAST as negotiated
  12800 Extracted first TLS record; TLS handshake started
  12805 Extracted TLS ClientHello message
  12806 Prepared TLS ServerHello message
  12808 Prepared TLS ServerKeyExchange message
  12810 Prepared TLS ServerDone message
  12105 Prepared EAP-Request with another EAP-FAST challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12104 Extracted EAP-Response containing EAP-FAST challenge-response
  12812 Extracted TLS ClientKeyExchange message
  12813 Extracted TLS CertificateVerify message
  12804 Extracted TLS Finished message
  12801 Prepared TLS ChangeCipherSpec message
  12802 Prepared TLS Finished message
  12816 TLS handshake succeeded
  12131 EAP-FAST built anonymous tunnel for purpose of PAC provisioning
  12105 Prepared EAP-Request with another EAP-FAST challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12104 Extracted EAP-Response containing EAP-FAST challenge-response
  12125 EAP-FAST inner method started
  11521 Prepared EAP-Request/Identity for inner EAP method
  12105 Prepared EAP-Request with another EAP-FAST challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12104 Extracted EAP-Response containing EAP-FAST challenge-response
  11522 Extracted EAP-Response/Identity for inner EAP method
  11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
  12105 Prepared EAP-Request with another EAP-FAST challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12104 Extracted EAP-Response containing EAP-FAST challenge-response
  11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
  15041 Evaluating Identity Policy
  15048 Queried PIP - Radius.User-Name
  15006 Matched Default Rule
  15013 Selected Identity Source - <AD>
  24430 Authenticating user against Active Directory - <AD>
  24325 Resolving identity - <user>
  24313 Search for matching accounts at join point - <AD>
  24319 Single matching account found in forest - <AD>
  24323 Identity resolution detected single matching account
  24343 RPC Logon request succeeded - user@<AD>
  24402 User authentication against Active Directory succeeded - <AD>
  22037 Authentication Passed
  11824 EAP-MSCHAP authentication attempt passed
  12105 Prepared EAP-Request with another EAP-FAST challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12104 Extracted EAP-Response containing EAP-FAST challenge-response
  11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
  11814 Inner EAP-MSCHAP authentication succeeded
  11519 Prepared EAP-Success for inner EAP method
  12128 EAP-FAST inner method finished successfully
  12966 Sent EAP Intermediate Result TLV indicating success
  12105 Prepared EAP-Request with another EAP-FAST challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12104 Extracted EAP-Response containing EAP-FAST challenge-response
  12126 EAP-FAST cryptobinding verification passed
  12200 Approved EAP-FAST client Tunnel PAC request
  24423 ISE has not been able to confirm previous successful machine authentication
  15036 Evaluating Authorization Policy
  15048 Queried PIP - Radius.NAS-Port-Type
  15048 Queried PIP - DEVICE.Device Type
  24432 Looking up user in Active Directory - <AD>
  24355 LDAP fetch succeeded - <AD>
  24416 User's Groups retrieval from Active Directory succeeded -<AD>
  15048 Queried PIP - <AD>.ExternalGroups
  15048 Queried PIP - Radius.Called-Station-ID
  15048 Queried PIP - CERTIFICATE.Issuer - Organization
  15048 Queried PIP - EndPoints.EndPointPolicy
  15004 Matched rule - AP
  15016 Selected Authorization Profile -
  12964 Sent EAP Result TLV indicating success
  12169 Successfully finished EAP-FAST tunnel PAC provisioning/update
  12105 Prepared EAP-Request with another EAP-FAST challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12104 Extracted EAP-Response containing EAP-FAST challenge-response
  11401 Prepared RADIUS Access-Reject after the successful in-band PAC provisioning
  11504 Prepared EAP-Failure
  11003 Returned RADIUS Access-Reject

Step 2

event authentication succeeded

authC: ok --> success

authZ: ok

authZ result: ok

result access accept

Cisco Identity Services Engine

11001 Received RADIUS Access-Request
  11017 RADIUS created a new session
  15049 Evaluating Policy Group
  15008 Evaluating Service Selection Policy
  15048 Queried PIP - Normalised Radius.RadiusFlowType
  15048 Queried PIP - Radius.NAS-Port-Type
  15048 Queried PIP - Radius.Service-Type
  15004 Matched rule - Wired dot1x
  11507 Extracted EAP-Response/Identity
  12100 Prepared EAP-Request proposing EAP-FAST with challenge
  12625 Valid EAP-Key-Name attribute received
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12102 Extracted EAP-Response containing EAP-FAST challenge-response and accepting EAP-FAST as negotiated
  12800 Extracted first TLS record; TLS handshake started
  12175 Received Tunnel PAC
  12805 Extracted TLS ClientHello message
  12806 Prepared TLS ServerHello message
  12801 Prepared TLS ChangeCipherSpec message
  12802 Prepared TLS Finished message
  12105 Prepared EAP-Request with another EAP-FAST challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12104 Extracted EAP-Response containing EAP-FAST challenge-response
  12804 Extracted TLS Finished message
  12816 TLS handshake succeeded
  12132 EAP-FAST built PAC-based tunnel for purpose of authentication
  12125 EAP-FAST inner method started
  11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
  12105 Prepared EAP-Request with another EAP-FAST challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12104 Extracted EAP-Response containing EAP-FAST challenge-response
  11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
  15041 Evaluating Identity Policy
  15048 Queried PIP - Radius.User-Name
  15006 Matched Default Rule
  15013 Selected Identity Source - <AD>
  24430 Authenticating user against Active Directory -<AD>
  24325 Resolving identity - <user>
  24313 Search for matching accounts at join point - <AD>
  24319 Single matching account found in forest - <AD>
  24323 Identity resolution detected single matching account
  24343 RPC Logon request succeeded - user@<AD>
  24402 User authentication against Active Directory succeeded - <AD>
  22037 Authentication Passed
  11824 EAP-MSCHAP authentication attempt passed
  12105 Prepared EAP-Request with another EAP-FAST challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12104 Extracted EAP-Response containing EAP-FAST challenge-response
  11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
  11814 Inner EAP-MSCHAP authentication succeeded
  11519 Prepared EAP-Success for inner EAP method
  12128 EAP-FAST inner method finished successfully
  12964 Sent EAP Result TLV indicating success
  12105 Prepared EAP-Request with another EAP-FAST challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12104 Extracted EAP-Response containing EAP-FAST challenge-response
  12126 EAP-FAST cryptobinding verification passed
  12106 EAP-FAST authentication phase finished successfully
  11503 Prepared EAP-Success
  24423 ISE has not been able to confirm previous successful machine authentication
  15036 Evaluating Authorization Policy
  15048 Queried PIP - Radius.NAS-Port-Type
  15048 Queried PIP - DEVICE.Device Type
  24432 Looking up user in Active Directory - <AD>
  24355 LDAP fetch succeeded - <AD>
  24416 User's Groups retrieval from Active Directory succeeded -<AD>
  15048 Queried PIP - <AD>.ExternalGroups
  15048 Queried PIP - Radius.Called-Station-ID
  15048 Queried PIP - CERTIFICATE.Issuer - Organization
  15048 Queried PIP - DEVICE.Location
  15004 Matched rule - AP
  15016 Selected Authorization Profile - AP
  11002 Returned RADIUS Access-Accept

Immediately after the access accept the session is terminated, followed by a re-authentication with EAP-MD5 as inner method, which isn't supported by AD --> authZ fail

Step 3 - 30000


Steps

  11001 Received RADIUS Access-Request
  11017 RADIUS created a new session
  15049 Evaluating Policy Group
  15008 Evaluating Service Selection Policy
  15048 Queried PIP - Normalised Radius.RadiusFlowType
  15048 Queried PIP - Radius.NAS-Port-Type
  15048 Queried PIP - Radius.Service-Type
  15004 Matched rule - Wired dot1x
  11507 Extracted EAP-Response/Identity
  12100 Prepared EAP-Request proposing EAP-FAST with challenge
  12625 Valid EAP-Key-Name attribute received
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12001 Extracted EAP-Response/NAK requesting to use EAP-MD5 instead
  12000 Prepared EAP-Request proposing EAP-MD5 with challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12002 Extracted EAP-Response containing EAP-MD5 challenge-response and accepting EAP-MD5 as negotiated
  15041 Evaluating Identity Policy
  15048 Queried PIP - Radius.User-Name
  15006 Matched Default Rule
  15013 Selected Identity Source - <AD>
  22043 Current Identity Store does not support the authentication method; Skipping it - <AD>
  22064 Authentication method is not supported by any applicable identity store(s)
  22058 The advanced option that is configured for an unknown user is used
  22061 The 'Reject' advanced option is configured in case of a failed authentication request
  12006 EAP-MD5 authentication failed
  11504 Prepared EAP-Failure
  11003 Returned RADIUS Access-Reject

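As an added example (not part of the original post or of any Cisco tool), a small Python triage helper that reads ISE "Steps" text like the three traces above and labels each one, so that the Access-Reject ISE deliberately sends after in-band PAC provisioning (step 1) is not treated as a failure, while the EAP-MD5 NAK that the AD identity store cannot serve (step 3) is surfaced. The step codes are the ones quoted in the post; the sample traces are constructed excerpts, not full copies.

```python
import re

# Step codes as they appear in the ISE "Steps" output quoted in the post.
PAC_PROVISIONED = "12131"    # anonymous tunnel built for PAC provisioning
PAC_REJECT = "11401"         # Access-Reject after successful in-band PAC provisioning
NAK_MD5 = "12001"            # client sent EAP-Response/NAK asking for EAP-MD5
STORE_UNSUPPORTED = "22043"  # identity store does not support the method
ACCESS_ACCEPT = "11002"
ACCESS_REJECT = "11003"

STEP_RE = re.compile(r"^\s*(\d{5})\s+(.*\S)\s*$")


def parse_steps(text):
    """Return [(code, message), ...] for every ISE step line; other lines are skipped."""
    return [(m.group(1), m.group(2)) for m in map(STEP_RE.match, text.splitlines()) if m]


def classify(text):
    """Label an ISE step trace so benign PAC-provisioning rejects are not alerted on."""
    codes = {code for code, _ in parse_steps(text)}
    if PAC_REJECT in codes and PAC_PROVISIONED in codes:
        return "expected-reject-after-pac-provisioning"  # step 1 in the post
    if NAK_MD5 in codes and STORE_UNSUPPORTED in codes:
        return "eap-md5-nak-unsupported-by-store"        # step 3 in the post
    if ACCESS_ACCEPT in codes:
        return "accept"                                   # step 2 in the post
    if ACCESS_REJECT in codes:
        return "reject-other"
    return "incomplete"


# Constructed excerpts of the three traces in the post (not full copies).
TRACE_PAC = """\
11001 Received RADIUS Access-Request
  12131 EAP-FAST built anonymous tunnel for purpose of PAC provisioning
  12169 Successfully finished EAP-FAST tunnel PAC provisioning/update
  11401 Prepared RADIUS Access-Reject after the successful in-band PAC provisioning
  11003 Returned RADIUS Access-Reject"""
TRACE_OK = """\
11001 Received RADIUS Access-Request
  12132 EAP-FAST built PAC-based tunnel for purpose of authentication
  11814 Inner EAP-MSCHAP authentication succeeded
  11002 Returned RADIUS Access-Accept"""
TRACE_MD5 = """\
11001 Received RADIUS Access-Request
  12001 Extracted EAP-Response/NAK requesting to use EAP-MD5 instead
  22043 Current Identity Store does not support the authentication method; Skipping it - <AD>
  12006 EAP-MD5 authentication failed
  11003 Returned RADIUS Access-Reject"""

if __name__ == "__main__":
    for name, trace in [("step1", TRACE_PAC), ("step2", TRACE_OK), ("step3", TRACE_MD5)]:
        print(name, classify(trace))
```

Feeding the full traces from the post gives the same three labels; only "reject-other" and "eap-md5-nak-unsupported-by-store" need a human to look at the supplicant configuration.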