Security

I have an IAP-103. I am trying to configure an SSID that allows devices to authenticate to a Cisco ISE server. On my end I believe that I have configured everything properly. The ISE administrators believe that there is a change that I can make to the IAP-103 configuration. Currently, the only EAP that is allowed is EAP-TLS. For devices connected to the IAP-103 the ISE server is showing the following authentication failure:

11001 Received RADIUS Access-Request

11017 RADIUS created a new session

15049 Evaluating Policy Group

15008 Evaluating Service Selection Policy

15048 Queried PIP

15048 Queried PIP

15004 Matched rule

15006 Matched Default Rule

11507 Extracted EAP-Responsibility/Identity

11509 Allowed Protocols does not allow any EAP protocols

11504 Prepared EAP-Failure

11003 Returned RADIUS Access-Reject

When wired devices connected to a Cisco server attempt to authenticate, the ISE server shows the following successful authentication:

11001 Received RADIUS Access-Request

11017 RADIUS created a new session

15049 Evaluating Policy Group

15008 Evaluating Service Selection Policy

15048 Queried PIP

15048 Queried PIP

15004 Matched rule

15006 Matched Default Rule

11507 Extracted EAP-Responsibility/Identity

12500 Prepared EAP-Request proposing EAP-TLS with challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

To authenticate to an ISE sever using EAP-TLS, is there anything that I must configure on an IAP-103 that is different then authenticating to a ClearPass sever?

If termination is not enabled, the controller is EAP agnostic. It simply forwards the authentication request.

Generally that error is a supplicant configuration or driver issue.

There was a change in the steps shown on the Cisco ISE sever. However, authentication still failed. Enabling termination resulted in the ISE server responding with an "MS-CHAP v2 is not allowed message. In addition to "Termination" there must be something else that I should change.

11001 Received RADIUS Access-Request

11017 RADIUS created a new session

15049 Evaluating Policy Group

15008 Evaluating Service Selection Policy

15048 Queried PIP

15048 Queried PIP

15004 Matched rule

15006 Matched Default Rule

15047 MS-CHAP v2 is not allowed

11003 Returned RADIUS Access-Reject

You should leave termination disabled.

Ok. I'll disable "Termination." Any ideas on how I can get the IAP-103 to make a EAP-TLS authentication request?...

Are you seeing this across multiple clients? That error is usually a configuration issue on the client.

I will verify. I am in one location, the test engineer (with the client) is in another location, and the ISE administrators are in another location. Typically, I have more visibility and control into the entire environment, but this is a special case. Thanks for help thus far.

According to the engineer with the client, a pre-loaded certificate exists on the laptop. This same laptop with a pre-loaded certificate successfully authenticates (with EAP-TLS) on his curent wireless network. If the IAP-103 is just passing the request I imagine that there is something regarding the current access point/controller that is different from the configuration within the IAP-103. By the way, I reached out to Aruba TAC as well. The engineer provided the following:

For EAP-TLS to work cert validation happens both on server and on client. Below logs indicate Radius Reject which is from the server. May I know where is the EAP termination is that on IAP or on Server ?

If the termination on IAP; we need to confirm the CERT is applied to the SSID and profile to make sure client gets validated properly from IAP and if the EAP-termination is on Server side; this could be the issue with the server itself in terms on cert validate from server and client side. Need to check on policy been hit on server, group policy, try different auth protocol, security/server logs, pcap on failure scenario both on client and server to understand where is the drop.

11507 Extracted EAP-Responsibility/Identity

11509 Allowed Protocols does not allow any EAP protocols

11504 Prepared EAP-Failure

11003 Returned RADIUS Access-Reject

Unfortunately, the ISE expert is unavailable this week. Most likely, I will get a response by Tuesday of next week. I will keep you guys posted. Thanks for  your help.

It is quite possible that the ISE server might require a vendor specific attribute that is present on the previous infrastructure, but does not exist in the Aruba infrastructure.  They might want to make the "service" as bare-bones as possible on the ISE side so that only the minimum necessary to authenticate an EAP-TLS client is configured.

That is a good point. A few years ago I recall having to add a vendor-specific attribute to a CPPM server when configuring a FortiGate 60C as a supplicant. I will forward that to the other engineers as well. Thanks.

KeepItMobile,

Iike TC says, the client determines what EAP type is requested and the IAP (the NAD) just tunnels the request.  The client and ISE server settings are that ones that needs to match.  Do you have any screenshots of the client configuration?