ISE failing user check using TEAP

Chris S
Level 1

We have successfully deployed the TEAP policy using Cisco's documentation. The challenge seems to be that the Machine Compliant policy is the only hit we are getting. It never hits the Fully Compliant policy.

  • Windows supplicant is provisioned as per documentation to use EAP-TLS for both primary and secondary EAP methods.
  • Both computer and user root cert providers are the same.
  • User certificate is provisioned for "Client Authentication" and located in the Personal->Cert store on the workstation.


We are seeing this in the log - any ideas on what to look for?

11627 Starting EAP chaining
11573 Selected identity type 'User'
11564 TEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
11596 Prepared EAP-Request with another TEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11595 Extracted EAP-Response containing TEAP challenge-response
11567 Identity type provided by client is equal to requested
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
11596 Prepared EAP-Request with another TEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11595 Extracted EAP-Response containing TEAP challenge-response
11515 Supplicant declined inner EAP method selected by Authentication Policy but did not proposed another one; inner EAP negotiation failed
11520 Prepared EAP-Failure for inner EAP method
11566 TEAP inner method finished with failure
22028 Authentication failed and the advanced options are ignored
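Added triage helper (not part of this thread or of ISE): it walks the ISE step codes quoted above, records which identity type the inner method ran for (11573), which inner method ISE proposed (11806) and whether the supplicant declined it (11515), and reports a mismatch when the proposed method differs from the one the supplicant was configured for. The "code message" line format and the mismatch heuristic are assumptions for this example; the sample lines are constructed from the post.

```python
import re
from typing import Optional

# Constructed sample: the ISE step codes quoted in the post, with a space
# between the five-digit step code and its message.
SAMPLE_STEPS = """\
11627 Starting EAP chaining
11573 Selected identity type 'User'
11564 TEAP inner method started
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
11515 Supplicant declined inner EAP method selected by Authentication Policy but did not proposed another one; inner EAP negotiation failed
11520 Prepared EAP-Failure for inner EAP method
11566 TEAP inner method finished with failure
22028 Authentication failed and the advanced options are ignored
"""

STEP_RE = re.compile(r"^\s*(\d{5})\s*(.*)$")

def parse_steps(text: str):
    """Split ISE live-log step lines into (code, message) tuples."""
    return [(m.group(1), m.group(2).strip())
            for m in map(STEP_RE.match, text.splitlines()) if m]

def triage_teap(text: str, expected_inner: str = "EAP-TLS") -> dict:
    """Explain a failed TEAP inner method from the step codes alone.

    expected_inner is the inner method the supplicant was configured for.
    A proposal (11806) for a different method followed by a decline (11515)
    points at the Authentication Policy / Allowed Protocols rather than at
    the certificate itself. Heuristic assumed for this example.
    """
    identity: Optional[str] = None
    proposed: Optional[str] = None
    declined = failed = False
    for code, msg in parse_steps(text):
        if code == "11573":                     # which half of the chain
            m = re.search(r"identity type '([^']+)'", msg)
            identity = m.group(1) if m else None
        elif code == "11806":                   # inner method ISE offered
            m = re.search(r"proposing (\S+)", msg)
            proposed = m.group(1) if m else None
        elif code == "11515":                   # supplicant refused it
            declined = True
        elif code == "22028":
            failed = True
    if declined and proposed and not proposed.startswith(expected_inner):
        verdict = "inner_method_mismatch"
    elif failed:
        verdict = "failed_other"
    else:
        verdict = "no_failure"
    return {"verdict": verdict, "identity": identity,
            "proposed": proposed, "expected": expected_inner}
```

Run against the sample, the verdict is inner_method_mismatch for identity User, since ISE proposed EAP-MSCHAP while the supplicant expected EAP-TLS.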
15 Replies

@Chris S the logs imply there is a problem with the EAP method, is the supplicant configured correctly?

You are using a Posture compliant condition in the rule (this is not a requirement for TEAP), I assume the device has actually passed the posture compliance check without problem?

@Rob Ingram Agree - but I can't see anything set up differently from the recommended settings. If I switch the supplicant to be MSCHAP, it works just fine.

Yes, posture is working ok.

Chris S
Level 1

One item to add that I'm working on - when the computer is turned on (no user logged in), it's only using MAB (which fails). Doesn't look like any EAP auths are being done until a login event occurs.


@Chris S wrote:

One item to add that I'm working on - when the computer is turned on (no user logged in), it's only using MAB (which fails). Doesn't look like any EAP auths are being done until a login event occurs.


@Chris S that should not be the case, it should at least authenticate the machine, so it should match your "Machine Compliant" AuthZ rule.

Can you provide a screenshot of your Authentication Policy, CAP and Allowed Protocols please?

And a screenshot of the machine failing MAB.

Chris S
Level 1

I'm not sure what CAP is?

Auth Policy:


Allowed Protocols :


Computer MAB Failure:

@Chris S CAP = Certificate Authentication Profile. What is EAP_Chaining and how is it configured?

I would suggest the supplicant is misconfigured, please provide screenshots of how the windows supplicant is configured.

EAP_Chaining uses the certificate auth profile referencing our domain certs, then Active Directory. The cert profile looks in the subject or alternative name attribute.

Chris S
Level 1

@Rob Ingram My apologies - the MAB issue was due to the wired auto config service not starting. That is now fixed. So the computer will pass the machine cert successfully before login, but after the user logs in, it's still complaining about that error in the first posting.

Could you please share ISE certificate authentication profile settings and the identity source sequence "EAP_Chaining" for review?


Chris S
Level 1

@Rob Ingram If I change the supplicant to be MSCHAP and the user types their credentials, I hit the "Fully Compliant" policy. With how ISE evaluates, would the policy care between cert-based or password-based?

@Chris S the authorisation policy rule does not discriminate between authentication protocol, merely whether user and computer succeeded (and posture compliance). So there is some reason why user TEAP with TLS certificate is failing then.

Check the user certificate store and confirm the certificate is valid and using the correct template.

Take a tcpdump on ISE of the user authentication attempt and confirm the user identity being sent and the protocol etc.

I would try to change the "Use Identity From" in the certificate authentication profile to be "Certificate Attribute" and select the attribute from the dropdown menu. The attribute you selected should be the one you see on the user certificate, typically it would be the DNS SAN value.

@Aref Alsouqi But wouldn't the "Any Subject or Alternative Name.." checkbox cover that? And also - would I have to create two separate profiles, one for users and one for machines?