Guest Blogger
Posts: 89
Registered: ‎11-16-2011

IAP-103 EAP-TLS Auth Failure with Cisco ISE

I have an IAP-103. I am trying to configure an SSID that allows devices to authenticate to a Cisco ISE server. On my end I believe that I have configured everything properly. The ISE administrators believe that there is a change that I can make to the IAP-103 configuration. Currently, the only EAP that is allowed is EAP-TLS. For devices connected to the IAP-103 the ISE server is showing the following authentication failure:

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
15006 Matched Default Rule
11507 Extracted EAP-Responsibility/Identity
11509 Allowed Protocols does not allow any EAP protocols
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject

When wired devices connected to a Cisco server attempt to authenticate, the ISE server shows the following successful authentication:

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
15006 Matched Default Rule
11507 Extracted EAP-Responsibility/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request

To authenticate to an ISE server using EAP-TLS, is there anything that I must configure on an IAP-103 that is different than authenticating to a ClearPass server?

Guru Elite
Posts: 7,852
Registered: ‎09-08-2010

Re: IAP-103 EAP-TLS Auth Failure with Cisco ISE

If termination is not enabled, the controller is EAP agnostic. It simply forwards the authentication request.

Generally that error is a supplicant configuration or driver issue.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Guest Blogger
Posts: 89
Registered: ‎11-16-2011

Re: IAP-103 EAP-TLS Auth Failure with Cisco ISE

Thanks. I will try that.
Guest Blogger
Posts: 89
Registered: ‎11-16-2011

Re: IAP-103 EAP-TLS Auth Failure with Cisco ISE

There was a change in the steps shown on the Cisco ISE server. However, authentication still failed. Enabling termination resulted in the ISE server responding with an "MS-CHAP v2 is not allowed" message. In addition to "Termination" there must be something else that I should change.

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
15006 Matched Default Rule
15047 MS-CHAP v2 is not allowed
11003 Returned RADIUS Access-Reject

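As an added example (not code from the thread, from Aruba or from Cisco), the script below is a small triage helper for ISE step sequences like the ones quoted in this thread: it parses the step lines, flags the two server-side failure codes seen here (11509 and 15047) with the interpretation the replies give, and reports where the failing wireless sequence first diverges from the working wired one. The step-code notes are my own summary of the thread, and the sample logs are constructed after the excerpts posted above.

```python
import re

# ISE step codes quoted in the thread and what each implies for triage.
# The note wording is my own summary of the thread, not ISE documentation.
STEP_NOTES = {
    "11509": "server side: the Allowed Protocols list on the matched rule enables no "
             "EAP method; an IAP with termination off only relays EAP and cannot fix this",
    "15047": "server side: the NAD terminated EAP and sent plain MS-CHAPv2, which the "
             "matched rule rejects; leave termination disabled on the IAP",
    "12500": "server proposed EAP-TLS, so Allowed Protocols is fine; a later failure "
             "points at the supplicant (certificate, driver or profile)",
}
STEP_RE = re.compile(r"^\s*(\d{5})\s+(.+?)\s*$")

def parse_steps(text):
    """Return (code, message) pairs, one per non-blank ISE step line."""
    return [m.groups() for line in text.splitlines() if (m := STEP_RE.match(line))]

def triage(text):
    """Classify one ISE step sequence: RADIUS outcome, matched rules, findings."""
    steps = parse_steps(text)
    codes = [c for c, _ in steps]
    outcome = "reject" if "11003" in codes else "challenge" if "11006" in codes else "unknown"
    return {
        "outcome": outcome,
        "rules": [msg for c, msg in steps if c in ("15004", "15006")],
        "findings": [STEP_NOTES[c] for c in codes if c in STEP_NOTES],
    }

def first_divergence(text_a, text_b):
    """Return (index, code_a, code_b) where two sequences first differ, else None."""
    a, b = ([c for c, _ in parse_steps(t)] for t in (text_a, text_b))
    return next(((i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y), None)

# Constructed sample input modelled on the three excerpts in the thread.
COMMON = "\n".join([
    "11001 Received RADIUS Access-Request", "11017 RADIUS created a new session",
    "15049 Evaluating Policy Group", "15008 Evaluating Service Selection Policy",
    "15048 Queried PIP", "15048 Queried PIP", "15004 Matched rule",
    "15006 Matched Default Rule", "11507 Extracted EAP-Response/Identity",
])
WIRELESS_FAIL = COMMON + ("\n11509 Allowed Protocols does not allow any EAP protocols"
                          "\n11504 Prepared EAP-Failure\n11003 Returned RADIUS Access-Reject")
WIRED_OK = COMMON + ("\n12500 Prepared EAP-Request proposing EAP-TLS with challenge"
                     "\n11006 Returned RADIUS Access-Challenge")
TERMINATED = COMMON.rsplit("\n", 1)[0] + ("\n15047 MS-CHAP v2 is not allowed"
                                         "\n11003 Returned RADIUS Access-Reject")

if __name__ == "__main__":
    print(triage(WIRELESS_FAIL), first_divergence(WIRELESS_FAIL, WIRED_OK), sep="\n")
```

Running it on the two sequences from the first post shows that the wired and wireless requests walk the same policy steps until the server decides what to propose, which is why the replies point at the ISE Allowed Protocols configuration and the supplicant rather than at the IAP.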
Guru Elite
Posts: 7,852
Registered: ‎09-08-2010

Re: IAP-103 EAP-TLS Auth Failure with Cisco ISE

You should leave termination disabled.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Guest Blogger
Posts: 89
Registered: ‎11-16-2011

Re: IAP-103 EAP-TLS Auth Failure with Cisco ISE

Ok. I'll disable "Termination." Any ideas on how I can get the IAP-103 to make an EAP-TLS authentication request?...

Guru Elite
Posts: 7,852
Registered: ‎09-08-2010

Re: IAP-103 EAP-TLS Auth Failure with Cisco ISE

Are you seeing this across multiple clients? That error is usually a configuration issue on the client.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Guru Elite
Posts: 19,987
Registered: ‎03-29-2007

Re: IAP-103 EAP-TLS Auth Failure with Cisco ISE

KeepItMobile,

Like TC says, the client determines what EAP type is requested and the IAP (the NAD) just tunnels the request. The client and ISE server settings are the ones that need to match. Do you have any screenshots of the client configuration?

Colin Joseph
Aruba Customer Engineering

Guest Blogger
Posts: 89
Registered: ‎11-16-2011

Re: IAP-103 EAP-TLS Auth Failure with Cisco ISE

I will verify. I am in one location, the test engineer (with the client) is in another location, and the ISE administrators are in another location. Typically, I have more visibility and control into the entire environment, but this is a special case. Thanks for help thus far.

Guest Blogger
Posts: 89
Registered: ‎11-16-2011

Re: IAP-103 EAP-TLS Auth Failure with Cisco ISE

According to the engineer with the client, a pre-loaded certificate exists on the laptop. This same laptop with a pre-loaded certificate successfully authenticates (with EAP-TLS) on his current wireless network. If the IAP-103 is just passing the request, I imagine that there is something regarding the current access point/controller that is different from the configuration within the IAP-103. By the way, I reached out to Aruba TAC as well. The engineer provided the following:

For EAP-TLS to work, cert validation happens both on the server and on the client. The logs below indicate a RADIUS Reject, which is from the server. May I know where the EAP termination is: on the IAP or on the server?

If the termination is on the IAP, we need to confirm the cert is applied to the SSID and profile to make sure the client gets validated properly by the IAP; if the EAP termination is on the server side, this could be an issue with the server itself in terms of cert validation on the server and client side. Need to check which policy is being hit on the server, group policy, try a different auth protocol, security/server logs, and a pcap of the failure scenario on both client and server to understand where the drop is.

11507 Extracted EAP-Responsibility/Identity
11509 Allowed Protocols does not allow any EAP protocols
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject

Unfortunately, the ISE expert is unavailable this week. Most likely, I will get a response by Tuesday of next week. I will keep you guys posted. Thanks for your help.
