11-09-2017 03:51 AM
Hi Team,
We have ISE --> WLC --> LAN network. I have configured Dot1x authentication for wired users on the Cisco switches and created an authentication profile for wired Dot1x users in ISE. When a wired user wants to connect to the network, the ISE authentication policy matches and they get network access if they belong to the domain.
I want Dot1x authentication for wireless users, so that if any wireless user wants to connect to the "Employee" SSID their request goes to ISE, and if they are a domain user they gain network access. I've tested the things below but without success:
1. Whenever the WLC connects to the "employee" SSID, the default authentication profile matches in ISE, not the one I've created for wireless Dot1x users. (Please refer to the attached screenshot of the authentication policy configuration for wired and wireless in ISE.)
2. I've enabled "802.1x Supplicant Credentials" for the AP in the WLC and assigned a username and password created in AD; the AP is able to authenticate using the Dot1x authentication policy in ISE. Is this configuration necessary to have Dot1x for wireless users?
3. I've enabled the 802.1X option under Layer-2 Security for the "Employee" SSID, with the MAC Filtering check box enabled and the NAC State set to "None". Is this setting required to have WLC 802.1x authentication?
4. I've disabled the SSID broadcast option in the WLC and joined that SSID manually by creating the SSID and selecting 802.1x authentication on the Windows 10 client as well, but it didn't work.
In the above scenario it seems that wireless users are not generating traffic based on Dot1x. Your help in understanding the authentication process in ISE, WLC and the Cisco switch would be appreciated.
11-09-2017 02:26 PM
1. Since this is just a snippet, I am not sure why this rule doesn't match. It is possible that this is part of a policy set; then the overall policy set condition should be satisfied before the authentication rule you have shown matches. Also, you don't need the same condition repeated with 'AND' twice. I would remove one of the Wireless_802.1X conditions in the screenshot.
2. The 802.1x Supplicant Credential on the AP in the WLC is to authenticate the AP itself to the wired network. This is useful if wired 802.1X is enabled on the switch port and you are trying to authenticate the AP via 802.1X instead of MAB. In your case, this setting should have no bearing in terms of wireless user authentication.
3. If you are doing 802.1X on the Employee SSID, then you should leave MAC filtering unchecked. Having MAC filtering checked could be the reason your rule is not matching. MAC filtering is mainly needed on an open or PSK SSID.
4. A non-broadcast SSID should work, but until you have successfully authenticated a user, I would leave it broadcasting for the initial testing. Once successfully tested, I would change it to non-broadcasting. This way your troubleshooting is focused on the issues at hand.
I see that you created multiple postings for the same issues, so I will remove the other postings. If you have follow-up questions, feel free to respond to this. Thanks.
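The reply above turns on how ISE's built-in compound conditions (Wired_802.1X, Wireless_802.1X and their MAB counterparts) evaluate against the RADIUS attributes a NAD sends, and why duplicating a condition with AND changes nothing. The following is an added example, not code from the thread or from Cisco ISE: it models those conditions as attribute matches (Radius:Service-Type and Radius:NAS-Port-Type, the attributes the real built-ins test) and evaluates a small first-match authentication policy against constructed requests; the rule names and policy order are assumptions chosen to mirror the thread.

```python
"""Model how ISE-style compound conditions select an authentication rule.

Added example, not from the thread. The four conditions mirror the built-in
ISE compound conditions; all request attribute values below are constructed.
"""

# Each built-in compound condition is an AND of two RADIUS attribute checks.
# Values are the textual names ISE shows for the numeric RADIUS enum values
# (Framed = 2, Call Check = 10, Ethernet = 15, Wireless - IEEE 802.11 = 19).
CONDITIONS = {
    "Wired_802.1X":    {"Service-Type": "Framed",     "NAS-Port-Type": "Ethernet"},
    "Wireless_802.1X": {"Service-Type": "Framed",     "NAS-Port-Type": "Wireless - IEEE 802.11"},
    "Wired_MAB":       {"Service-Type": "Call Check", "NAS-Port-Type": "Ethernet"},
    "Wireless_MAB":    {"Service-Type": "Call Check", "NAS-Port-Type": "Wireless - IEEE 802.11"},
}


def condition_matches(condition, attributes):
    """True when every attribute clause of the condition holds for the request."""
    return all(attributes.get(attr) == value for attr, value in condition.items())


def select_rule(policy, attributes):
    """First-match evaluation of an ordered rule list.

    policy: list of (rule_name, [condition names ANDed together]).
    Returns the matched rule name, or "Default" when nothing matches,
    which is what the thread's ISE reports show as "Matched Default Rule".
    """
    for rule_name, condition_names in policy:
        if all(condition_matches(CONDITIONS[name], attributes) for name in condition_names):
            return rule_name
    return "Default"


# Hypothetical policy modelled on the thread: a wired rule and a wireless rule.
# The wireless rule deliberately repeats Wireless_802.1X twice, as in the
# poster's screenshot; AND-ing a condition with itself is redundant but harmless.
POLICY = [
    ("Dot1x-Test",     ["Wired_802.1X"]),
    ("Wireless-Dot1x", ["Wireless_802.1X", "Wireless_802.1X"]),
]

# Constructed requests. A WLAN with MAC filtering enabled makes the WLC send a
# MAB-style lookup (Service-Type = Call Check) before any EAP exchange, so the
# wireless 802.1X rule cannot match it; a real EAP start carries Service-Type = Framed.
REQUESTS = {
    "wireless_mac_filtering": {"Service-Type": "Call Check", "NAS-Port-Type": "Wireless - IEEE 802.11"},
    "wireless_dot1x":         {"Service-Type": "Framed",     "NAS-Port-Type": "Wireless - IEEE 802.11"},
    "wired_dot1x":            {"Service-Type": "Framed",     "NAS-Port-Type": "Ethernet"},
}


def evaluate_all(policy=POLICY, requests=REQUESTS):
    """Return {request label: matched rule} for every constructed request."""
    return {label: select_rule(policy, attrs) for label, attrs in requests.items()}


if __name__ == "__main__":
    for label, rule in evaluate_all().items():
        print(f"{label:24s} -> {rule}")
```

Run stand-alone it prints one line per constructed request; the MAC-filtering case falls through to "Default" even though the wireless 802.1X rule is present, which is exactly the "Matched Default Rule" symptom in the thread. Removing the duplicated condition from the policy leaves every result unchanged.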
11-10-2017 01:57 AM
Hi,
3. If you are doing 802.1X on the Employee SSID, then you should leave MAC filtering unchecked. Having MAC filtering checked could be the reason your rule is not matching. MAC filtering is mainly needed on a open or PSK SSID.
If I remove the MAC filtering check box from the Employee SSID then no request comes to ISE for authentication. It seems to me that the wireless user is trying to authenticate with the MAC address against AD, and AD doesn't find any entry for the end user's MAC ID in the database. For wireless user authentication, do I need to configure the switch connected to the WLC for RADIUS? What would be the port configuration for the switch connected to the WLC?
Logs when a wireless user tries to authenticate through ISE; I have set the default rule as well to validate users based on AD.
-------------------------------------------------------------------------------------------------
11001 | Received RADIUS Access-Request | |
11017 | RADIUS created a new session | |
11027 | Detected Host Lookup UseCase (Service-Type = Call Check (10)) | |
15049 | Evaluating Policy Group | |
15008 | Evaluating Service Selection Policy | |
15048 | Queried PIP - Normalised Radius.RadiusFlowType | |
15006 | Matched Default Rule | |
15041 | Evaluating Identity Policy | |
15006 | Matched Default Rule | |
15013 | Selected Identity Source - FactoryTest-AD | |
24432 | Looking up user in Active Directory - FactoryTest-AD | |
24325 | Resolving identity - 78-0C-B8-34-3E-E2 | |
24313 | Search for matching accounts at join point - factorytest.com | |
24318 | No matching account found in forest - factorytest.com | |
24322 | Identity resolution detected no matching account | |
24352 | Identity resolution failed - ERROR_NO_SUCH_USER | |
24412 | User not found in Active Directory - FactoryTest-AD | |
22056 | Subject not found in the applicable identity store(s) | |
22058 | The advanced option that is configured for an unknown user is used | |
22061 | The 'Reject' advanced option is configured in case of a failed authentication request | |
11003 | Returned RADIUS Access-Reject |
--------------------------------------------------------------
Logs when a wired domain user tries to authenticate using ISE:
11001 | Received RADIUS Access-Request | |
11017 | RADIUS created a new session | |
11049 | Settings of RADIUS default network device will be used | |
15049 | Evaluating Policy Group | |
15008 | Evaluating Service Selection Policy | |
15048 | Queried PIP - Normalised Radius.RadiusFlowType | |
15004 | Matched rule - Dot1x-Test | |
11507 | Extracted EAP-Response/Identity | |
12500 | Prepared EAP-Request proposing EAP-TLS with challenge | |
12625 | Valid EAP-Key-Name attribute received | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
11049 | Settings of RADIUS default network device will be used | |
12301 | Extracted EAP-Response/NAK requesting to use PEAP instead | |
12300 | Prepared EAP-Request proposing PEAP with challenge | |
12625 | Valid EAP-Key-Name attribute received | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
11049 | Settings of RADIUS default network device will be used | |
12302 | Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated | |
12318 | Successfully negotiated PEAP version 0 | |
12800 | Extracted first TLS record; TLS handshake started | |
12805 | Extracted TLS ClientHello message | |
12806 | Prepared TLS ServerHello message | |
12807 | Prepared TLS Certificate message | |
12808 | Prepared TLS ServerKeyExchange message | |
12810 | Prepared TLS ServerDone message | |
12811 | Extracted TLS Certificate message containing client certificate | |
12305 | Prepared EAP-Request with another PEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
11049 | Settings of RADIUS default network device will be used | |
12304 | Extracted EAP-Response containing PEAP challenge-response | |
12305 | Prepared EAP-Request with another PEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
11049 | Settings of RADIUS default network device will be used | |
12304 | Extracted EAP-Response containing PEAP challenge-response | |
12318 | Successfully negotiated PEAP version 0 | |
12812 | Extracted TLS ClientKeyExchange message | |
12813 | Extracted TLS CertificateVerify message | |
12804 | Extracted TLS Finished message | |
12801 | Prepared TLS ChangeCipherSpec message | |
12802 | Prepared TLS Finished message | |
12816 | TLS handshake succeeded | |
12310 | PEAP full handshake finished successfully | |
12305 | Prepared EAP-Request with another PEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
11049 | Settings of RADIUS default network device will be used | |
12304 | Extracted EAP-Response containing PEAP challenge-response | |
12313 | PEAP inner method started | |
11521 | Prepared EAP-Request/Identity for inner EAP method | |
12305 | Prepared EAP-Request with another PEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
11049 | Settings of RADIUS default network device will be used | |
12304 | Extracted EAP-Response containing PEAP challenge-response | |
11522 | Extracted EAP-Response/Identity for inner EAP method | |
11806 | Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge | |
12305 | Prepared EAP-Request with another PEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
11049 | Settings of RADIUS default network device will be used | |
12304 | Extracted EAP-Response containing PEAP challenge-response | |
11808 | Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated | |
15041 | Evaluating Identity Policy | |
15006 | Matched Default Rule | |
15013 | Selected Identity Source - All_AD_Join_Points | |
24430 | Authenticating user against Active Directory - All_AD_Join_Points | |
24325 | Resolving identity - FACTORYTEST\cisco | |
24313 | Search for matching accounts at join point - factorytest.com | |
24315 | Single matching account found in domain - factorytest.com | |
24323 | Identity resolution detected single matching account | |
24343 | RPC Logon request succeeded - cisco@factorytest.com | |
24402 | User authentication against Active Directory succeeded - All_AD_Join_Points | |
22037 | Authentication Passed | |
11824 | EAP-MSCHAP authentication attempt passed | |
12305 | Prepared EAP-Request with another PEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
11049 | Settings of RADIUS default network device will be used | |
12304 | Extracted EAP-Response containing PEAP challenge-response | |
11810 | Extracted EAP-Response for inner method containing MSCHAP challenge-response | |
11814 | Inner EAP-MSCHAP authentication succeeded | |
11519 | Prepared EAP-Success for inner EAP method | |
12314 | PEAP inner method finished successfully | |
12305 | Prepared EAP-Request with another PEAP challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
11049 | Settings of RADIUS default network device will be used | |
12304 | Extracted EAP-Response containing PEAP challenge-response | |
24423 | ISE has not been able to confirm previous successful machine authentication | |
15036 | Evaluating Authorization Policy | |
15048 | Queried PIP - Network Access.UseCase | |
15048 | Queried PIP - Airespace.Airespace-Wlan-Id | |
15048 | Queried PIP - Network Access.UseCase | |
15048 | Queried PIP - EndPoints.LogicalProfile | |
15048 | Queried PIP - Network Access.AuthenticationStatus | |
15004 | Matched rule - Basic_Authenticated_Access | |
15016 | Selected Authorization Profile - PermitAccess | |
22081 | Max sessions policy passed | |
22080 | New accounting session created in Session cache | |
12306 | PEAP authentication succeeded | |
11503 | Prepared EAP-Success | |
24432 | Looking up user in Active Directory - FactoryTest-AD | |
24355 | LDAP fetch succeeded - factorytest.com | |
24416 | User's Groups retrieval from Active Directory succeeded - FactoryTest-AD | |
11002 | Returned RADIUS Access-Accept |
---------------------
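The two ISE step reports above differ in a way that is easy to miss when reading 100+ lines: the wireless attempt is a host lookup (step 11027, Service-Type = Call Check) whose "identity" is a MAC address searched as an AD user, while the wired attempt is a real EAP exchange (step 11507) that matches the Dot1x-Test rule. The following is an added example, not code from the thread or from Cisco ISE: a small parser for the "code | message" step format that extracts the flow type, the matched service-selection rule, the resolved identity, the identity source and the outcome, and turns them into a one-line diagnosis. The sample input is constructed by trimming the two reports posted above to the steps the parser uses; the step codes and messages are the ones shown in the thread.

```python
"""Summarise Cisco ISE authentication step reports of the form "code | message".

Added example, not from the thread. The sample reports are trimmed copies of
the two reports posted in the thread; the diagnosis text is this example's own.
"""
import re

# Constructed sample: the wireless attempt, trimmed to the steps used below.
WIRELESS_REJECT = r"""
11001 | Received RADIUS Access-Request | |
11027 | Detected Host Lookup UseCase (Service-Type = Call Check (10)) | |
15008 | Evaluating Service Selection Policy | |
15006 | Matched Default Rule | |
15013 | Selected Identity Source - FactoryTest-AD | |
24325 | Resolving identity - 78-0C-B8-34-3E-E2 | |
24352 | Identity resolution failed - ERROR_NO_SUCH_USER | |
11003 | Returned RADIUS Access-Reject |
"""

# Constructed sample: the wired attempt, trimmed the same way.
WIRED_ACCEPT = r"""
11001 | Received RADIUS Access-Request | |
15008 | Evaluating Service Selection Policy | |
15004 | Matched rule - Dot1x-Test | |
11507 | Extracted EAP-Response/Identity | |
12300 | Prepared EAP-Request proposing PEAP with challenge | |
15013 | Selected Identity Source - All_AD_Join_Points | |
24325 | Resolving identity - FACTORYTEST\cisco | |
24402 | User authentication against Active Directory succeeded - All_AD_Join_Points | |
11002 | Returned RADIUS Access-Accept |
"""

# A step line is a five-digit code, a pipe, the message, then optional empty columns.
STEP_RE = re.compile(r"^\s*(\d{5})\s*\|\s*(.*?)\s*(?:\|\s*)*$")
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}$")


def parse_steps(text):
    """Return a list of (code, message) tuples, skipping non-step lines."""
    steps = []
    for line in text.splitlines():
        match = STEP_RE.match(line)
        if match:
            steps.append((int(match.group(1)), match.group(2)))
    return steps


def _suffix(message):
    """Text after the first ' - ' separator, e.g. the rule or identity name."""
    return message.split(" - ", 1)[1] if " - " in message else None


def summarize(text):
    """Extract the facts a troubleshooter wants from one step report."""
    summary = {"flow": "unknown", "auth_rule": None, "identity": None,
               "identity_source": None, "outcome": None}
    in_service_selection = False
    for code, message in parse_steps(text):
        if code == 11027:                       # host lookup => MAB-style request
            summary["flow"] = "MAB (host lookup)"
        elif code == 11507:                     # EAP-Response/Identity => 802.1X
            summary["flow"] = "802.1X (EAP)"
        elif code == 15008:                     # service selection (authentication) policy starts
            in_service_selection = True
        elif code in (15004, 15006) and in_service_selection and summary["auth_rule"] is None:
            summary["auth_rule"] = _suffix(message) or "Default"
        elif code == 15013:
            summary["identity_source"] = _suffix(message)
        elif code == 24325 and summary["identity"] is None:
            summary["identity"] = _suffix(message)
        elif code == 11002:
            summary["outcome"] = "Access-Accept"
        elif code == 11003:
            summary["outcome"] = "Access-Reject"
    return summary


def diagnose(summary):
    """One-line reading of the summary, covering the two cases seen in the thread."""
    ident = summary["identity"] or ""
    if summary["flow"].startswith("MAB") and MAC_RE.match(ident) and summary["outcome"] == "Access-Reject":
        return (f"MAC lookup, not EAP: {ident} was searched as a user in "
                f"{summary['identity_source']}. Check MAC filtering/MAB on the WLAN "
                f"and the rule conditions (matched rule: {summary['auth_rule']}).")
    if summary["flow"].startswith("802.1X") and summary["outcome"] == "Access-Accept":
        return f"802.1X flow matched rule {summary['auth_rule']} and was accepted for {ident}."
    return "No specific diagnosis; inspect the full step list."


if __name__ == "__main__":
    for name, report in (("wireless", WIRELESS_REJECT), ("wired", WIRED_ACCEPT)):
        print(name, summarize(report), diagnose(summarize(report)), sep="\n  ")
```

The parser is deliberately tolerant of the trailing empty columns that ISE's live-log table leaves behind when copied as text, so a full report can be pasted in unchanged; the flow classification relies only on step 11027 versus 11507, which is the first place the two reports diverge.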
11-10-2017 08:39 AM
Since you mention that the WLC is not sending requests to ISE when MAC filtering is disabled, it seems the WLC is not configured properly. Please see How To: Universal Wireless Controller (WLC) Configuration for ISE. Better yet, you may try Cisco ISE Secure Access Wizard (SAW) - Guest, BYOD and Secure Access in Minutes! to configure secure access.
11-10-2017 12:13 AM
First, is the WLC set up properly? Second, you can use the SSID as part of the conditions to be sure it matches the correct SSID.
Use this guide, ISE - Dot1x Policy Configuration; it will help you understand.