Security

last person joined: 6 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

IAP-103 EAP-TLS Auth Failure with Cisco ISE

  • 1.  IAP-103 EAP-TLS Auth Failure with Cisco ISE

    Posted Jun 15, 2015 10:17 AM

    I have an IAP-103. I am trying to configure an SSID that allows devices to authenticate to a Cisco ISE server. On my end I believe that I have configured everything properly. The ISE administrators believe that there is a change that I can make to the IAP-103 configuration. Currently, the only EAP that is allowed is EAP-TLS. For devices connected to the IAP-103 the ISE server is showing the following authentication failure:

     

    11001 Received RADIUS Access-Request

    11017 RADIUS created a new session

    15049 Evaluating Policy Group

    15008 Evaluating Service Selection Policy

    15048 Queried PIP

    15048 Queried PIP

    15004 Matched rule

    15006 Matched Default Rule

    11507 Extracted EAP-Responsibility/Identity

    11509 Allowed Protocols does not allow any EAP protocols

    11504 Prepared EAP-Failure

    11003 Returned RADIUS Access-Reject

     

    When wired devices connected to a Cisco server attempt to authenticate, the ISE server shows the following successful authentication:

     

    11001 Received RADIUS Access-Request

    11017 RADIUS created a new session

    15049 Evaluating Policy Group

    15008 Evaluating Service Selection Policy

    15048 Queried PIP

    15048 Queried PIP

    15004 Matched rule

    15006 Matched Default Rule

    11507 Extracted EAP-Responsibility/Identity

    12500 Prepared EAP-Request proposing EAP-TLS with challenge

    11006 Returned RADIUS Access-Challenge

    11001 Received RADIUS Access-Request

     

    To authenticate to an ISE sever using EAP-TLS, is there anything that I must configure on an IAP-103 that is different then authenticating to a ClearPass sever?



  • 2.  RE: IAP-103 EAP-TLS Auth Failure with Cisco ISE

    Posted Jun 15, 2015 10:19 AM

    If termination is not enabled, the controller is EAP agnostic. It simply forwards the authentication request.

     

    Generally that error is a supplicant configuration or driver issue.



  • 3.  RE: IAP-103 EAP-TLS Auth Failure with Cisco ISE

    Posted Jun 15, 2015 04:08 PM

    There was a change in the steps shown on the Cisco ISE sever. However, authentication still failed. Enabling termination resulted in the ISE server responding with an "MS-CHAP v2 is not allowed message. In addition to "Termination" there must be something else that I should change.

     

    11001 Received RADIUS Access-Request

    11017 RADIUS created a new session

    15049 Evaluating Policy Group

    15008 Evaluating Service Selection Policy

    15048 Queried PIP

    15048 Queried PIP

    15004 Matched rule

    15006 Matched Default Rule

    15047 MS-CHAP v2 is not allowed

    11003 Returned RADIUS Access-Reject



  • 4.  RE: IAP-103 EAP-TLS Auth Failure with Cisco ISE

    Posted Jun 15, 2015 04:09 PM

    You should leave termination disabled.



  • 5.  RE: IAP-103 EAP-TLS Auth Failure with Cisco ISE

    Posted Jun 15, 2015 04:14 PM

    Ok. I'll disable "Termination." Any ideas on how I can get the IAP-103 to make a EAP-TLS authentication request?...



  • 6.  RE: IAP-103 EAP-TLS Auth Failure with Cisco ISE

    Posted Jun 15, 2015 04:17 PM

    Are you seeing this across multiple clients? That error is usually a configuration issue on the client.



  • 7.  RE: IAP-103 EAP-TLS Auth Failure with Cisco ISE

    Posted Jun 15, 2015 04:29 PM

    I will verify. I am in one location, the test engineer (with the client) is in another location, and the ISE administrators are in another location. Typically, I have more visibility and control into the entire environment, but this is a special case. Thanks for help thus far.



  • 8.  RE: IAP-103 EAP-TLS Auth Failure with Cisco ISE

    Posted Jun 16, 2015 12:42 PM

    According to the engineer with the client, a pre-loaded certificate exists on the laptop. This same laptop with a pre-loaded certificate successfully authenticates (with EAP-TLS) on his curent wireless network. If the IAP-103 is just passing the request I imagine that there is something regarding the current access point/controller that is different from the configuration within the IAP-103. By the way, I reached out to Aruba TAC as well. The engineer provided the following:

     

     

    For EAP-TLS to work cert validation happens both on server and on client. Below logs indicate Radius Reject which is from the server. May I know where is the EAP termination is that on IAP or on Server ?

     

    If the termination on IAP; we need to confirm the CERT is applied to the SSID and profile to make sure client gets validated properly from IAP and if the EAP-termination is on Server side; this could be the issue with the server itself in terms on cert validate from server and client side. Need to check on policy been hit on server, group policy, try different auth protocol, security/server logs, pcap on failure scenario both on client and server to understand where is the drop.

     

    11507 Extracted EAP-Responsibility/Identity

    11509 Allowed Protocols does not allow any EAP protocols

    11504 Prepared EAP-Failure

    11003 Returned RADIUS Access-Reject

     

    Unfortunately, the ISE expert is unavailable this week. Most likely, I will get a response by Tuesday of next week. I will keep you guys posted. Thanks for  your help.



  • 9.  RE: IAP-103 EAP-TLS Auth Failure with Cisco ISE

    Posted Jun 16, 2015 03:16 PM

    It is quite possible that the ISE server might require a vendor specific attribute that is present on the previous infrastructure, but does not exist in the Aruba infrastructure.  They might want to make the "service" as bare-bones as possible on the ISE side so that only the minimum necessary to authenticate an EAP-TLS client is configured.



  • 10.  RE: IAP-103 EAP-TLS Auth Failure with Cisco ISE

    Posted Jun 16, 2015 03:21 PM

    That is a good point. A few years ago I recall having to add a vendor-specific attribute to a CPPM server when configuring a FortiGate 60C as a supplicant. I will forward that to the other engineers as well. Thanks.



  • 11.  RE: IAP-103 EAP-TLS Auth Failure with Cisco ISE

    Posted Jun 15, 2015 04:27 PM

    KeepItMobile,

     

    Iike TC says, the client determines what EAP type is requested and the IAP (the NAD) just tunnels the request.  The client and ISE server settings are that ones that needs to match.  Do you have any screenshots of the client configuration?

     



  • 12.  RE: IAP-103 EAP-TLS Auth Failure with Cisco ISE

    Posted Jun 15, 2015 11:06 AM
    Thanks. I will try that.