I have an IAP-103. I am trying to configure an SSID that allows devices to authenticate to a Cisco ISE server. On my end I believe that I have configured everything properly. The ISE administrators believe that there is a change that I can make to the IAP-103 configuration. Currently, the only EAP that is allowed is EAP-TLS. For devices connected to the IAP-103 the ISE server is showing the following authentication failure:
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP
15004 Matched rule
15006 Matched Default Rule
11507 Extracted EAP-Responsibility/Identity
11509 Allowed Protocols does not allow any EAP protocols
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
When wired devices connected to a Cisco server attempt to authenticate, the ISE server shows the following successful authentication:
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
To authenticate to an ISE server using EAP-TLS, is there anything that I must configure on an IAP-103 that is different than authenticating to a ClearPass server?
If termination is not enabled, the controller is EAP agnostic. It simply forwards the authentication request.
Generally that error is a supplicant configuration or driver issue.
There was a change in the steps shown on the Cisco ISE server. However, authentication still failed. Enabling termination resulted in the ISE server responding with an "MS-CHAP v2 is not allowed" message. In addition to "Termination" there must be something else that I should change.
15047 MS-CHAP v2 is not allowed
You should leave termination disabled.
Ok. I'll disable "Termination." Any ideas on how I can get the IAP-103 to make an EAP-TLS authentication request?
Are you seeing this across multiple clients? That error is usually a configuration issue on the client.
I will verify. I am in one location, the test engineer (with the client) is in another location, and the ISE administrators are in another location. Typically, I have more visibility and control into the entire environment, but this is a special case. Thanks for help thus far.
According to the engineer with the client, a pre-loaded certificate exists on the laptop. This same laptop with a pre-loaded certificate successfully authenticates (with EAP-TLS) on his current wireless network. If the IAP-103 is just passing the request, I imagine that there is something regarding the current access point/controller that is different from the configuration within the IAP-103. By the way, I reached out to Aruba TAC as well. The engineer provided the following:
For EAP-TLS to work, cert validation happens both on the server and on the client. The logs below indicate a RADIUS Reject, which is from the server. May I know where the EAP termination is: is it on the IAP or on the server?
If the termination is on the IAP, we need to confirm the cert is applied to the SSID and profile to make sure the client gets validated properly from the IAP. If the EAP termination is on the server side, this could be an issue with the server itself in terms of cert validation from the server and client side. Need to check the policy being hit on the server, group policy, try a different auth protocol, security/server logs, and a pcap of the failure scenario on both client and server to understand where the drop is.
Unfortunately, the ISE expert is unavailable this week. Most likely, I will get a response by Tuesday of next week. I will keep you guys posted. Thanks for your help.
It is quite possible that the ISE server might require a vendor specific attribute that is present on the previous infrastructure, but does not exist in the Aruba infrastructure. They might want to make the "service" as bare-bones as possible on the ISE side so that only the minimum necessary to authenticate an EAP-TLS client is configured.
That is a good point. A few years ago I recall having to add a vendor-specific attribute to a CPPM server when configuring a FortiGate 60C as a supplicant. I will forward that to the other engineers as well. Thanks.
Like TC says, the client determines what EAP type is requested and the IAP (the NAD) just tunnels the request. The client and ISE server settings are the ones that need to match. Do you have any screenshots of the client configuration?
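As an added illustration of the pass-through behaviour described in these replies (example code written for this page, not from the thread, Aruba or Cisco): a minimal RADIUS/EAP round trip in which the NAS only wraps the client's EAP-Response/Identity in EAP-Message attributes, and the server's allowed-protocols policy alone decides between an Access-Challenge proposing EAP-TLS (the 12500/11006 steps) and an EAP-Failure inside an Access-Reject (the 11509/11504/11003 steps). The username, shared secret and EAP identifiers are constructed; packet layout, length checks and the Response Authenticator follow RFC 2865 and RFC 3579.

```python
import hashlib, os, struct
# RADIUS codes/attributes (RFC 2865, RFC 3579) and EAP constants (RFC 3748, RFC 5216)
ACCESS_REQUEST, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 3, 11
ATTR_USER_NAME, ATTR_EAP_MESSAGE, EAP_REQUEST, EAP_RESPONSE, EAP_FAILURE = 1, 79, 1, 2, 4
EAP_TYPE_IDENTITY, EAP_TYPE_TLS, EAP_TLS_FLAG_START = 1, 13, 0x20

def eap_packet(code, ident, eap_type=None, data=b""):
    """EAP: Code(1) Id(1) Length(2) [Type(1) Type-Data]; Success/Failure carry no Type."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body
def radius_packet(code, ident, attrs, req_auth, secret=None):
    """RADIUS header + TLVs; with a secret, set Response Authenticator = MD5(Code+Id+Len+ReqAuth+Attrs+Secret)."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(head + req_auth + body + secret).digest() if secret else req_auth
    return head + auth + body
def parse_radius(packet):
    """Return (code, id, authenticator, decoded EAP header) after validating every length field."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match packet")
    frags, pos = [], 20
    while pos < length:  # walk the TLVs; EAP-Message fragments concatenate in wire order (RFC 3579 3.1)
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed RADIUS attribute")
        if t == ATTR_EAP_MESSAGE:
            frags.append(packet[pos + 2:pos + l])
        pos += l
    eap = b"".join(frags)
    ecode, eid, elen = struct.unpack("!BBH", eap[:4])
    if elen != len(eap):
        raise ValueError("EAP length does not match reassembled EAP-Message")
    return code, ident, packet[4:20], {"code": ecode, "id": eid, "type": eap[4] if elen > 4 else None}
def nas_forward(client_eap, username):
    """Pass-through NAS (termination disabled): relays the client's EAP bytes untouched and chooses no method."""
    attrs = [(ATTR_USER_NAME, username.encode()), (ATTR_EAP_MESSAGE, client_eap)]
    return radius_packet(ACCESS_REQUEST, 1, attrs, os.urandom(16))
def server_reply(access_request, secret, eap_tls_allowed):
    """Server policy decides: Identity + EAP-TLS allowed -> Challenge with EAP-TLS Start, else Failure + Reject."""
    _, ident, req_auth, eap = parse_radius(access_request)
    if eap["code"] == EAP_RESPONSE and eap["type"] == EAP_TYPE_IDENTITY and eap_tls_allowed:
        reply = eap_packet(EAP_REQUEST, eap["id"] + 1, EAP_TYPE_TLS, bytes([EAP_TLS_FLAG_START]))
        return radius_packet(ACCESS_CHALLENGE, ident, [(ATTR_EAP_MESSAGE, reply)], req_auth, secret)
    return radius_packet(ACCESS_REJECT, ident, [(ATTR_EAP_MESSAGE, eap_packet(EAP_FAILURE, eap["id"] + 1))], req_auth, secret)
def exchange(eap_tls_allowed, username="user@example.com", secret=b"constructed-shared-secret"):
    """One round trip with a constructed EAP-Response/Identity; returns (RADIUS code, EAP code, EAP type)."""
    identity = eap_packet(EAP_RESPONSE, 7, EAP_TYPE_IDENTITY, username.encode())
    code, _, _, eap = parse_radius(server_reply(nas_forward(identity, username), secret, eap_tls_allowed))
    return code, eap["code"], eap["type"]
```

Flipping `eap_tls_allowed` is the only thing that changes the outcome; nothing the NAS does selects EAP-TLS, which is why the fix for an 11509 reject lives in the server's allowed protocols or the supplicant, not on the IAP.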
© Copyright 2020 Hewlett Packard Enterprise Development LP. All Rights Reserved.