Wireless User unable to authenticate by using Dot1x Authentication through Cisco ISE

vishal agavane
Level 1

Hi Team,

We have ISE --> WLC --> LAN network. I have configured Dot1x authentication for wired users on the Cisco switches and created an authentication profile for wired Dot1x users in ISE. When a wired user wants to connect to the network, the ISE authentication policy matches and they get network access if they belong to the domain.

I want Dot1x authentication for wireless users, so if any wireless user wants to connect to the "Employee" SSID their request should go to ISE, and if they are a domain user they should gain network access. I've tested the things below but couldn't succeed:

1. Whenever the WLC connects to the "Employee" SSID, the default authentication profile matches in ISE, not the one I've created for wireless Dot1x users. (Please refer to the attached screenshot of the authentication policy configuration for wired and wireless in ISE.)

2. I've enabled "802.1x Supplicant Credentials" for the AP in the WLC and assigned a username and password created in AD; the AP was able to authenticate using the Dot1x authentication policy in ISE. Is this configuration necessary to have Dot1x for wireless users?

3. I've enabled the 802.1X option under Layer-2 Security for the "Employee" SSID, along with the MAC Filtering check box enabled, and set NAC State to "None". Is this setting required to have WLC 802.1x authentication?

4. I've disabled the SSID broadcast option in the WLC and manually joined that SSID by creating the SSID and selecting 802.1x authentication on the Windows 10 client as well, but it didn't work.

In the above scenario it seems that wireless users are not generating traffic based on Dot1x. Your help in understanding the authentication process in ISE, WLC and the Cisco switch would be appreciated.

4 Replies

howon
Cisco Employee

1. Since this is just a snippet, I am not sure why this rule doesn't match. It is possible that this is part of a policy set, in which case the overall policy set condition should be satisfied before the authentication rule you have shown matches. Also, you don't need the same condition repeated with 'AND' twice. I would remove one of the Wireless_802.1X conditions in the screenshot.

2. The 802.1x Supplicant Credentials on the AP in the WLC are to authenticate the AP itself to the wired network. This is useful if wired 802.1X is enabled on the switch port and you are trying to authenticate the AP via 802.1X instead of MAB. In your case, this setting should have no bearing on wireless user authentication.

3. If you are doing 802.1X on the Employee SSID, then you should leave MAC filtering unchecked. Having MAC filtering checked could be the reason your rule is not matching. MAC filtering is mainly needed on an open or PSK SSID.

4. A non-broadcast SSID should work, but until you have successfully authenticated a user, I would leave it broadcasting for the initial testing. Once successfully tested, I would change it to non-broadcasting. This way your troubleshooting is focused on the issues at hand.

I see that you created multiple postings for the same issue, so I will remove the other postings. If you have follow-up questions, feel free to respond to this. Thanks.

Hi,

3. If you are doing 802.1X on the Employee SSID, then you should leave MAC filtering unchecked. Having MAC filtering checked could be the reason your rule is not matching. MAC filtering is mainly needed on an open or PSK SSID.

If I remove the MAC filtering check box from the Employee SSID, then no request comes to ISE for authentication. It seems to me that the wireless user is trying to authenticate with the MAC address to AD, and AD doesn't find any entry for the end user MAC ID in its database. For wireless user authentication, do I need to configure the WLC-connected switch for RADIUS? What would be the port configuration for the WLC-connected switch?

Logs when a wireless user tries to authenticate through ISE. I have set a default rule as well to validate users based on AD.

-------------------------------------------------------------------------------------------------

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11027 Detected Host Lookup UseCase (Service-Type = Call Check (10))
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Normalised Radius.RadiusFlowType
15006 Matched Default Rule
15041 Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Source - FactoryTest-AD
24432 Looking up user in Active Directory - FactoryTest-AD
24325 Resolving identity - 78-0C-B8-34-3E-E2
24313 Search for matching accounts at join point - factorytest.com
24318 No matching account found in forest - factorytest.com
24322 Identity resolution detected no matching account
24352 Identity resolution failed - ERROR_NO_SUCH_USER
24412 User not found in Active Directory - FactoryTest-AD
22056 Subject not found in the applicable identity store(s)
22058 The advanced option that is configured for an unknown user is used
22061 The 'Reject' advanced option is configured in case of a failed authentication request
11003 Returned RADIUS Access-Reject

--------------------------------------------------------------

Logs when a wired domain user tries to authenticate using ISE

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11049 Settings of RADIUS default network device will be used
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Normalised Radius.RadiusFlowType
15004 Matched rule - Dot1x-Test
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11049 Settings of RADIUS default network device will be used
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12300 Prepared EAP-Request proposing PEAP with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11049 Settings of RADIUS default network device will be used
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12808 Prepared TLS ServerKeyExchange message
12810 Prepared TLS ServerDone message
12811 Extracted TLS Certificate message containing client certificate
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11049 Settings of RADIUS default network device will be used
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11049 Settings of RADIUS default network device will be used
12304 Extracted EAP-Response containing PEAP challenge-response
12318 Successfully negotiated PEAP version 0
12812 Extracted TLS ClientKeyExchange message
12813 Extracted TLS CertificateVerify message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12310 PEAP full handshake finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11049 Settings of RADIUS default network device will be used
12304 Extracted EAP-Response containing PEAP challenge-response
12313 PEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11049 Settings of RADIUS default network device will be used
12304 Extracted EAP-Response containing PEAP challenge-response
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11049 Settings of RADIUS default network device will be used
12304 Extracted EAP-Response containing PEAP challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
15041 Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Source - All_AD_Join_Points
24430 Authenticating user against Active Directory - All_AD_Join_Points
24325 Resolving identity - FACTORYTEST\cisco
24313 Search for matching accounts at join point - factorytest.com
24315 Single matching account found in domain - factorytest.com
24323 Identity resolution detected single matching account
24343 RPC Logon request succeeded - cisco@factorytest.com
24402 User authentication against Active Directory succeeded - All_AD_Join_Points
22037 Authentication Passed
11824 EAP-MSCHAP authentication attempt passed
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11049 Settings of RADIUS default network device will be used
12304 Extracted EAP-Response containing PEAP challenge-response
11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814 Inner EAP-MSCHAP authentication succeeded
11519 Prepared EAP-Success for inner EAP method
12314 PEAP inner method finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11049 Settings of RADIUS default network device will be used
12304 Extracted EAP-Response containing PEAP challenge-response
24423 ISE has not been able to confirm previous successful machine authentication
15036 Evaluating Authorization Policy
15048 Queried PIP - Network Access.UseCase
15048 Queried PIP - Airespace.Airespace-Wlan-Id
15048 Queried PIP - Network Access.UseCase
15048 Queried PIP - EndPoints.LogicalProfile
15048 Queried PIP - Network Access.AuthenticationStatus
15004 Matched rule - Basic_Authenticated_Access
15016 Selected Authorization Profile - PermitAccess
22081 Max sessions policy passed
22080 New accounting session created in Session cache
12306 PEAP authentication succeeded
11503 Prepared EAP-Success
24432 Looking up user in Active Directory - FactoryTest-AD
24355 LDAP fetch succeeded - factorytest.com
24416 User's Groups retrieval from Active Directory succeeded - FactoryTest-AD
11002 Returned RADIUS Access-Accept

---------------------
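The two captures above differ at the very first steps: the wireless one is a Host Lookup (Call Check) request carrying a MAC address as the identity, the wired one carries an EAP-Response/Identity and negotiates PEAP. As an added illustration (not code from this thread or from Cisco), the Python script below parses ISE "Steps" output and tells the two flows apart, flagging the pattern howon describes in point 3 (MAC filtering producing a MAB request that ISE then looks up in AD) and the reason such a request only ever hits the Default rule. The sample logs are constructed from the excerpts in this post; the step codes are the ones shown above, and the statement about the built-in Wireless_802.1X condition (Service-Type Framed, not Call Check) is an assumption about ISE's default compound conditions, marked as such in the code.

```python
import re

# Two ISE "Steps" captures, constructed from the log excerpts in this thread
# (abridged to the lines the classifier actually reads).
WIRELESS_LOG = """
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11027 Detected Host Lookup UseCase (Service-Type = Call Check (10))
15008 Evaluating Service Selection Policy
15006 Matched Default Rule
15041 Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Source - FactoryTest-AD
24432 Looking up user in Active Directory - FactoryTest-AD
24325 Resolving identity - 78-0C-B8-34-3E-E2
24352 Identity resolution failed - ERROR_NO_SUCH_USER
22056 Subject not found in the applicable identity store(s)
11003 Returned RADIUS Access-Reject
"""

WIRED_LOG = r"""
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15004 Matched rule - Dot1x-Test
11507 Extracted EAP-Response/Identity
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12310 PEAP full handshake finished successfully
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
15013 Selected Identity Source - All_AD_Join_Points
24325 Resolving identity - FACTORYTEST\cisco
24402 User authentication against Active Directory succeeded - All_AD_Join_Points
22037 Authentication Passed
15004 Matched rule - Basic_Authenticated_Access
15016 Selected Authorization Profile - PermitAccess
11002 Returned RADIUS Access-Accept
"""

STEP_RE = re.compile(r"^(\d{5})\s+(.*)$")
# ISE writes MAC identities as 78-0C-B8-34-3E-E2; ':' and '.' separators are accepted too.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[-:.]){5}[0-9A-Fa-f]{2}$")


def parse_steps(text):
    """Return [(code, message), ...] for each '<5-digit code> <message>' line."""
    steps = []
    for raw in text.splitlines():
        m = STEP_RE.match(raw.strip())
        if m:
            steps.append((int(m.group(1)), m.group(2)))
    return steps


def _value(msg):
    """Messages such as 'Matched rule - Dot1x-Test' carry their value after ' - '."""
    return msg.split(" - ", 1)[1] if " - " in msg else None


def classify(steps):
    """Summarise one ISE authentication attempt and flag the MAB-to-AD pattern."""
    codes = {c for c, _ in steps}
    if 11027 in codes:            # Host Lookup use case: the NAD sent a MAB request
        flow = "MAB"
    elif 11507 in codes:          # EAP-Response/Identity: a real 802.1X supplicant spoke
        flow = "802.1X"
    else:
        flow = "unknown"

    identity = next((_value(m) for c, m in steps if c == 24325), None)
    identity_is_mac = bool(identity and MAC_RE.match(identity))
    matched_rules = [_value(m) for c, m in steps if c == 15004]
    inner_method = next(
        (m.split("proposing ", 1)[1].split(" with", 1)[0] for c, m in steps if c == 11806),
        None,
    )
    if 11002 in codes:
        result = "ACCEPT"
    elif 11003 in codes:
        result = "REJECT"
    else:
        result = "INCOMPLETE"

    findings = []
    if flow == "MAB" and identity_is_mac and codes & {24432, 24412, 24352}:
        findings.append(
            "A MAB (MAC filtering) request was resolved against Active Directory; "
            "AD has no account named after a MAC address, so this can only reject. "
            "The SSID is sending MAB, not 802.1X, or the MAB rule needs a non-AD store."
        )
    # Assumption: the built-in Wireless_802.1X condition requires Service-Type Framed.
    if flow == "MAB" and 15006 in codes and not matched_rules:
        findings.append(
            "Only the Default rule matched: Wireless_802.1X expects Service-Type Framed, "
            "so a Call Check request falls through it."
        )
    return {
        "flow": flow, "result": result, "identity": identity,
        "identity_is_mac": identity_is_mac, "matched_rules": matched_rules,
        "inner_method": inner_method, "findings": findings,
    }


if __name__ == "__main__":
    for name, log in (("wireless", WIRELESS_LOG), ("wired", WIRED_LOG)):
        print(name, classify(parse_steps(log)))
```

Run it on a copy of the Steps pane from Operations > RADIUS > Live Logs; a "MAB" flow with a MAC-shaped identity and an AD lookup is the signature of the MAC filtering problem described in this thread, while an "802.1X" flow with a matched custom rule is what the working wired capture looks like.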

Since you mention that the WLC is not sending requests to ISE when MAC filtering is disabled, it seems the WLC is not configured properly. Please see How To: Universal Wireless Controller (WLC) Configuration for ISE. Better yet, you may try Cisco ISE Secure Access Wizard (SAW) - Guest, BYOD and Secure Access in Minutes! to configure secure access.

ognyan.totev
Level 5

First, is the WLC set up properly? Second, you can use the SSID as part of the conditions to be sure it matches the correct SSID.

Use this guide, ISE - Dot1x Policy Configuration; it will help you understand.
