802.1x Radius ISE

Match SSID methods:

1. Radius:Called-Station-ID  Ends_with xxxx   [match .*(xxxx)$]
   Radius:Called-Station-ID  Contains xxxx    [match .*(xxxx).*]
2. Normalised Radius:SSID contains (or ends_with) xxxx
3. Airespace > Airespace-Wlan-Id equals xxx
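As an added example (not from the original post), here is how the Called-Station-ID conditions above behave on constructed WLC-style values; the "<AP-MAC>:<SSID>" layout of Called-Station-Id is assumed, and the exact-SSID helper is an addition that shows where Contains and Ends_with over-match a neighbouring SSID name:

```python
import re

# Constructed Called-Station-Id values in the Cisco WLC style "<AP-MAC>:<SSID>"
# (assumed format; not taken from a real capture).
SAMPLES = [
    "00-11-22-33-44-55:CorpWiFi",
    "00-11-22-33-44-66:CorpWiFi-Guest",
    "00-11-22-33-44-77:Guest",
]

def ends_with(called_station_id, ssid):
    """ISE 'Ends with' condition, i.e. the regex .*(ssid)$ from the list above."""
    return re.fullmatch(rf".*({re.escape(ssid)})$", called_station_id) is not None

def contains(called_station_id, ssid):
    """ISE 'Contains' condition, i.e. the regex .*(ssid).* from the list above."""
    return re.fullmatch(rf".*({re.escape(ssid)}).*", called_station_id) is not None

def ssid_exact(called_station_id, ssid):
    """Stricter alternative (added here): split off the AP MAC and compare the SSID exactly."""
    _mac, sep, got = called_station_id.partition(":")
    return bool(sep) and got == ssid

def matching(matcher, ssid, values=SAMPLES):
    """Which Called-Station-Id values a given condition would match."""
    return [v for v in values if matcher(v, ssid)]
```

A Contains rule for "CorpWiFi" also hits "CorpWiFi-Guest", and an Ends_with rule for "Guest" hits both guest-like SSIDs, so a policy keyed on the corporate SSID can be handed to the wrong WLAN unless the condition is exact.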


EAP

Think of Extensible Authentication Protocol (EAP) as an authentication application running between the Supplicant, the Authenticator and the Authentication Server.

EAP is always carried by another protocol.
EAP encapsulated in a Layer 2 frame is called EAPOL, which runs on the LAN between the supplicant and the authenticator. 802.1X defines this encapsulation.

EAP encapsulated in Radius runs between the authenticator and the Radius authentication server.
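An added example, not from the page or any vendor, showing the two encapsulations just described: build one EAP-Response/Identity, wrap it in an EAPOL frame for the supplicant-to-authenticator hop, then split the same EAP packet into RADIUS EAP-Message attributes for the authenticator-to-server hop, and parse both back. Field layouts follow RFC 3748 and RFC 3579; the identity "bob" and all other values are constructed.

```python
import struct

# Constructed example: one EAP packet carried in EAPOL and in RADIUS EAP-Message.
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP"}
ATTR_EAP_MESSAGE = 79  # RADIUS attribute type carrying EAP between NAS and server (RFC 3579)

def build_eap(code, ident, method=None, data=b""):
    """EAP header: Code(1) Identifier(1) Length(2), then Type(1)+data for Request/Response."""
    body = (bytes([method]) if method is not None else b"") + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def wrap_eapol(eap, version=2):
    """Supplicant <-> authenticator: EAP inside an EAPOL frame (type 0 = EAP-Packet)."""
    return struct.pack("!BBH", version, 0, len(eap)) + eap

def wrap_radius_eap_message(eap):
    """Authenticator <-> Radius server: the same EAP packet chopped into EAP-Message
    TLVs, because one RADIUS attribute holds at most 253 bytes of value."""
    chunks = [eap[i:i + 253] for i in range(0, len(eap), 253)]
    return b"".join(struct.pack("!BB", ATTR_EAP_MESSAGE, 2 + len(c)) + c for c in chunks)

def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP Length does not fit the packet")  # reject truncated/oversized EAP
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:  # only Request/Response carry a method Type
        info["method"] = EAP_METHODS.get(pkt[4], pkt[4])
        info["data"] = pkt[5:length]
    return info

def parse_eapol(frame):
    version, etype, length = struct.unpack("!BBH", frame[:4])
    info = {"version": version, "type": EAPOL_TYPES.get(etype, etype)}
    if etype == 0:
        info["eap"] = parse_eap(frame[4:4 + length])
    return info

def reassemble_eap_from_radius(attrs):
    """Concatenate EAP-Message fragments in order and parse the result."""
    eap, pos = b"", 0
    while pos < len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2:
            raise ValueError("malformed RADIUS attribute length")
        if atype == ATTR_EAP_MESSAGE:
            eap += attrs[pos + 2:pos + alen]
        pos += alen
    return parse_eap(eap)
```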



A wired client authenticates to its switch using 802.1X/EAP with MD5-Challenge authentication.

01-80-C2-00-00-03 802.1X Port-Based Network Access Control
A two-port MAC Relay (TPMR) is a type of bridge that has only two externally accessible bridge
ports and supports a subset of the functions of a MAC bridge.

https://networklessons.com/cisco/ccnp-encor-350-401/eapol-extensible-authentication-protocol-over-lan

http://www.netprojnetworks.com/802-1x-eap-peap/



SG300 doesn't send Service-Type in Radius request. 

Radius CoA


https://www.portnox.com/blog/radius-change-of-authorization/

==========Accounting=========

1. Accounting Start

2. Accounting Interim Update

3. Accounting Stop

Note:
On the switch, configure the Radius aaa group before issuing the aaa accounting command; otherwise accounting may not work.

How sessions are terminated by ISE:

Sessions without an accounting start (Authenticated) are removed after 60 minutes.

Sessions with an accounting stop (Terminated) are removed after 15 minutes.

Sessions in the 'Started' state (MnT got the accounting start) are removed after 120 hours without an Interim update.

Interim RADIUS accounting messages are sent to ISE to notify it that the sessions are still intact.
When ISE fails to receive a RADIUS accounting message for a prolonged period for a given endpoint, ISE removes that session from its session table. ISE does not remove the endpoint from the switch, which creates a disconnect between the switch and ISE in terms of which sessions are active. This disconnect can also have an impact when the endpoint's access needs to be re-evaluated for any reason. By default, ISE flushes out any authenticated session that has gone 5 days without Interim RADIUS accounting messages. By sending the periodic RADIUS accounting message to the ISE node more often than every 5 days, the switch ensures that the sessions are maintained on ISE. The reason for 2 days here is to provide two updates within 5 days in case one of the RADIUS Accounting packets fails to reach the ISE node.

aaa accounting update newinfo periodic 2880
Interim accounting is sent whenever there is new info and periodically every 2880 minutes (2 days).
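An added example (not from the page) that turns the timers in this note into a check: how many "aaa accounting update newinfo periodic" records fit inside the 120-hour Started window, and whether a session survives lost interim packets. The timer values are the ones listed in the note; the dropped-packet scenarios are constructed.

```python
# ISE session-table purge timers, in minutes, as listed in the note above.
PURGE_AFTER_MIN = {
    "Authenticated": 60,       # no Accounting Start ever received
    "Terminated": 15,          # Accounting Stop received
    "Started": 120 * 60,       # Accounting Start received, no Interim since
}

def ise_would_purge(state, minutes_since_last_accounting):
    """True once the gap since the last accounting message exceeds the state's timer."""
    return minutes_since_last_accounting > PURGE_AFTER_MIN[state]

def interim_updates_per_window(periodic_minutes):
    """How many periodic interim records fall inside the 120-hour 'Started' window.
    2880 (2 days) gives two, so a single lost packet still leaves one update."""
    return PURGE_AFTER_MIN["Started"] // periodic_minutes

def session_survives(periodic_minutes, dropped_updates, horizon_minutes=10 * 24 * 60):
    """Simulate a switch configured with 'aaa accounting update newinfo periodic <min>'.
    dropped_updates: 1-based indexes of interim records that never reach ISE
    (constructed failure scenario). Returns True if the session is still in the
    ISE session table at the end of the horizon."""
    last_seen = now = n = 0          # minute 0 is the Accounting Start
    while now < horizon_minutes:
        now += periodic_minutes
        n += 1
        if ise_would_purge("Started", now - last_seen):
            return False             # ISE dropped the session before this update arrived
        if n not in dropped_updates:
            last_seen = now
    return True
```

With a 3-day period (4320) a single lost packet already purges the session, which is the failure the 2-day value is chosen to avoid.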



=============================

Understanding RADIUS

https://www.cisco.com/c/en/us/td/docs/net_mgmt/access_registrar/1-7/concepts/guide/radius.html


Configure AnyConnect Secure Mobility Client using One-Time Password (OTP) for Two-factor Authentication on an ASA

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/213931-configure-anyconnect-secure-mobility-cli.html



What is 802.1X? How Does it Work?


https://www.securew2.com/solutions/802-1x#:~:text=IEEE%20802.1X%2C%20an%20IEEE,server%20called%20a%20RADIUS%20Server.




  • radius-server attribute 6 on-for-login-auth – this command ensures the Service-Type attribute (attribute 6) is sent in authentication packets; this is a requirement for ISE functionality
  • radius-server attribute 8 in-access-request  – another requirement for ISE, this command sends the IP address of a user to the RADIUS server in the access request
  • radius-server attribute 25 access-request include  – this requirement for ISE includes the class attribute in the access-request

NOTE: These commands might seem impossible to remember, but just focus on 6, 8, and 25 and remember to use context sensitive help for the keywords that follow.

  • radius-server host <Cisco_ISE_IP_address> auth-port 1812 acct-port 1813 key 0 <RADIUS-KEY> – this command provides the IP address of the ISE and the RFC-standard ports
  • radius-server vsa send accounting – this permits the ISE to recognize and use vendor specific attributes for accounting
  • radius-server vsa send authentication – this permits the ISE to recognize and use vendor specific attributes for authentication
  • ip radius source-interface <if_name> – sets the source for RADIUS packets


==========

NPS error message:

Reason The user could not be authenticated using Challenge Handshake Authentication Protocol (CHAP). A reversibly encrypted password does not exist for this user account. To ensure that reversibly encrypted passwords are enabled, check either the domain password policy or the password settings on the user account. 


CHAP (and MS-CHAP and MS-CHAPv2) require that the Radius server can read user passwords.
By default, in Windows AD, user passwords are hashed, so NPS cannot authenticate users with CHAP, since it doesn't know the user's password because of the hashing.

You can tell AD to use encryption for passwords by selecting "Store password using reversible encryption" in the user properties ("Account" tab) and then resetting the user's password. This way, NPS can actually decrypt and read the user's password.

Basically, there are 2 protocols that Radius can use for authentication - PAP and CHAP (and CHAP's MS variants).
CHAP requires that the client and the server both know the user's password, but communication over the network is NOT cleartext.
PAP can work when user passwords are hashed on the server, but communication over the network IS cleartext.


CHAP

PAP:
The PAP password is originally clear text, but in the Radius capture below it is encrypted with the Radius shared secret.
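An added example (not from the page) covering both the CHAP/NPS point above and the PAP capture here: RFC 2865 User-Password hiding with the shared secret, PAP verification against a one-way hash, and the CHAP-Password digest that forces the server to hold the clear-text password. The shared secret and Request Authenticator are constructed values.

```python
import hashlib

# Constructed sample values (not from the capture on the page).
SHARED_SECRET = b"radius-secret"   # NAS <-> Radius server shared secret (assumed)
REQUEST_AUTH = bytes(range(16))    # 16-byte Request Authenticator; random in a real packet

def hide_user_password(password, secret=SHARED_SECRET, req_auth=REQUEST_AUTH):
    """RFC 2865 5.2: PAP User-Password on the wire = password XOR an MD5 keystream
    derived from the shared secret and the Request Authenticator (16-byte blocks)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out

def unhide_user_password(hidden, secret=SHARED_SECRET, req_auth=REQUEST_AUTH):
    """Server side: regenerate the keystream; only a holder of the shared secret
    recovers the clear text, so the secret protects PAP on the wire and nowhere else."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(prev, block))
    return out.rstrip(b"\x00")  # strips the RFC padding (and any real trailing NULs)

def pap_verify_against_hash(hidden, stored_sha256_hex, secret=SHARED_SECRET, req_auth=REQUEST_AUTH):
    """PAP works with a one-way hashed password store: recover the clear text, hash, compare."""
    clear = unhide_user_password(hidden, secret, req_auth)
    return hashlib.sha256(clear).hexdigest() == stored_sha256_hex

def chap_password(ident, password, challenge):
    """RFC 2865 5.3: CHAP-Password = ident || MD5(ident || password || challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()

def chap_verify(chap_pw, stored_cleartext, challenge):
    """The server recomputes the digest, so it must hold the clear-text password:
    this is what the NPS 'reversibly encrypted password' error above is about."""
    return chap_password(chap_pw[0], stored_cleartext, challenge) == chap_pw
```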

What is the difference between an ISE normalized radius attribute vs an ISE radius attribute?


A Normalised RADIUS attribute in ISE is a convenient abstraction that allows us to use a common attribute in our Policy Set logic in a multi-vendor environment. E.g. if you have a mix of Cisco and Aruba WLCs, then you can either do it the hard way, by checking for the vendor-specific attributes used, e.g. Cisco uses attribute Called-Station-ID for the SSID, and Aruba uses Aruba-Essid-Name. Perhaps a bad example, because I am no Aruba guru ;-) - but you get the point. There are other instances where vendor A signals a MAB Auth request with Service-Type = "Call-Check" and another vendor uses Service-Type = "Blah". Cisco ISE has multi-vendor support, and as long as you set the NAS with the correct Device Vendor Type ("Device Profile") then ISE does the internal mapping for you. Then you can use abstractions like Normalised Radius SSID which is vendor agnostic. You no longer need to care how it works under the hood.
Other abstractions are things like the Compound Conditions like Wireless_8021X and Wired_802.1X - have a look at those in detail and you can see that each vendor does it slightly differently.



===========Wireless 802.1x=============

Test environment:
AD: fg.local
ISE 3.0
laptop domain PC with wireless NIC


Note:
When wired is connected, machine authentication occurs but the wireless association is quickly terminated with some kind of timeout. User login doesn't generate an Access Request. The session on ISE most of the time shows Authenticated.

When wired is not connected, machine authentication occurs and the ISE session shows Started with the PC name; user login generates a new Access Request and the ISE session shows Started with the username.
On shutting down the PC, the ISE session shows Started with the PC name; the wireless session stays on the WLC for a short period, then times out and the ISE session changes to Terminated.
