Think of Extensible Authentication Protocol (EAP) as an authentication conversation between the supplicant, the authenticator and the authentication server.
EAP is always carried by another protocol. EAP encapsulated in a Layer 2 frame is called EAPOL, which runs over the LAN between the supplicant and the authenticator; 802.1X defines this encapsulation.
EAP encapsulated in RADIUS runs between the authenticator and the RADIUS authentication server.
A wired client authenticates to its switch using 802.1x/EAP and MD5 challenge authentication.
01-80-C2-00-00-03: 802.1X Port-Based Network Access Control (the EAPOL destination MAC address)
A two-port MAC Relay (TPMR) is a type of bridge that has only two externally-accessible bridge ports, and supports a subset of the functions of a MAC bridge.
On the switch, configure the RADIUS AAA group before issuing the aaa accounting command; otherwise accounting may not work.
How sessions are terminated by ISE:
Sessions without an accounting start (Authenticated) are removed after 60 minutes.
Sessions with an accounting stop (Terminated) are removed after 15 minutes.
Sessions in 'Started' state (MnT received the accounting start) are removed after 120 hours without an Interim update.
Interim RADIUS accounting messages are sent to ISE to notify that the sessions are still intact.
When ISE fails to receive a RADIUS accounting message for a prolonged period for a given endpoint, ISE removes that session from its session table. ISE does not remove the endpoint from the switch, which creates a disconnect between the switch and ISE in terms of which sessions are active. This disconnect also matters when the endpoint's access needs to be reevaluated for any reason. By default, ISE flushes any authenticated session that has received no Interim RADIUS accounting message for 5 days. By sending a periodic RADIUS accounting message to the ISE node more often than every 5 days, the switch ensures that the sessions are maintained on ISE. The reason for 2 days here is to provide two updates within the 5-day window in case one of the RADIUS Accounting packets fails to reach the ISE node.
aaa accounting update newinfo periodic 2880
Interim accounting is sent when there is new information, and also periodically every 2880 minutes (2 days) even when nothing has changed.
radius-server attribute 6 on-for-login-auth – this command ensures the Service-Type attribute (attribute 6) is sent in authentication packets; this is a requirement for ISE functionality
radius-server attribute 8 in-access-request – another requirement for ISE; this command sends the IP address of the user (Framed-IP-Address, attribute 8) to the RADIUS server in the Access-Request
radius-server attribute 25 access-request include – this requirement for ISE includes the Class attribute (attribute 25) in the Access-Request
NOTE: These commands might seem impossible to remember, but just focus on 6, 8, and 25 and use context-sensitive help for the keywords that follow.
radius-server host <Cisco_ISE_IP_address> auth-port 1812 acct-port 1813 key 0 <RADIUS-KEY> – this command provides the IP address of ISE and the RFC-standard ports
radius-server vsa send accounting – this permits ISE to recognize and use vendor-specific attributes for accounting
radius-server vsa send authentication – this permits ISE to recognize and use vendor-specific attributes for authentication
ip radius source-interface <if_name> – sets the source interface for RADIUS packets
==========
NPS error message:
Reason The user could not be authenticated using Challenge Handshake Authentication Protocol (CHAP). A reversibly encrypted password does not exist for this user account. To ensure that reversibly encrypted passwords are enabled, check either the domain password policy or the password settings on the user account.
CHAP (and MSCHAP and MSCHAPv2) require that the RADIUS server can read user passwords.
By default, in Windows AD, user passwords are hashed, so NPS cannot authenticate users with CHAP, since it doesn't know the user's password because of the hashing.
You can tell AD to use encryption for passwords by selecting "Store password using reversible encryption" in the user properties ("Account" tab), and then resetting the user's password. This way, NPS can actually decrypt and read the user's password.
Basically, there are 2 protocols that RADIUS can use for authentication - PAP and CHAP (and CHAP's MS variants).
CHAP requires that the client and the server both know the user's password, but communication over the network is NOT cleartext.
PAP can work when user passwords are hashed on the server, but communication over the network IS cleartext.
CHAP:
PAP:
The PAP password is originally cleartext, but in the RADIUS capture below it is encrypted with the RADIUS shared secret.
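As an added example (not from the original post), the following Python reproduces the two mechanisms described above: the MD5 challenge/response that CHAP and EAP-MD5 use, which the server can only verify if it holds the cleartext password, and the RFC 2865 User-Password hiding that covers a PAP password on the wire, which anyone holding the shared secret can reverse. The password, shared secret, Request Authenticator and challenge values are constructed for the demo.

```python
import hashlib
import hmac

# CHAP/EAP-MD5 challenge-response: response = MD5(id || password || challenge).
# The server can only recompute this if it holds the cleartext password, which
# is why NPS rejects CHAP when AD stores only password hashes.
def chap_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

def chap_verify(identifier: int, password: bytes, challenge: bytes, response: bytes) -> bool:
    expected = chap_response(identifier, password, challenge)
    return hmac.compare_digest(expected, response)

# RFC 2865 section 5.2 User-Password hiding, as seen in a PAP Access-Request.
# The password is NUL-padded to a multiple of 16 octets and each block is XORed
# with MD5(secret || previous block), seeded with the Request Authenticator.
# It is reversible by anyone who knows the shared secret; it is not a hash.
def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    if len(authenticator) != 16 or not 0 < len(password) <= 128:
        raise ValueError("authenticator must be 16 octets, password 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out

def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")  # strips the padding (and any trailing NULs in the password)

# Constructed sample values; real ones would come from the capture.
SECRET = b"radius-shared-secret"
AUTHENTICATOR = bytes(range(16))
CHALLENGE = bytes.fromhex("a1b2c3d4e5f60718")

def demo() -> dict:
    pw = b"hunter2"
    resp = chap_response(7, pw, CHALLENGE)
    hidden = hide_user_password(pw, SECRET, AUTHENTICATOR)
    return {
        "chap_ok": chap_verify(7, pw, CHALLENGE, resp),
        "chap_wrong_pw": chap_verify(7, b"hunter3", CHALLENGE, resp),
        "hidden_len": len(hidden),
        "revealed": reveal_user_password(hidden, SECRET, AUTHENTICATOR),
        "wrong_secret": reveal_user_password(hidden, b"guess", AUTHENTICATOR),
    }
```

Run `demo()` to see that the hidden User-Password is exactly one 16-octet block for a short password, comes back intact with the right secret, and decodes to garbage with the wrong one.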
What is the difference between an ISE normalized radius attribute vs an ISE radius attribute?
A Normalised RADIUS attribute in ISE is a convenient abstraction that allows us to use a common attribute in our Policy Set logic in a multi-vendor environment. E.g. if you have a mix of Cisco and Aruba WLCs, then you can either do it the hard way, by checking for the vendor-specific attributes used, e.g. Cisco uses attribute Called-Station-ID for the SSID, and Aruba uses Aruba-Essid-Name. Perhaps a bad example, because I am no Aruba guru ;-) - but you get the point. There are other instances where vendor A signals a MAB auth request with Service-Type = "Call-Check" and another vendor uses Service-Type = "Blah". Cisco ISE has multi-vendor support, and as long as you set the NAS with the correct Device Vendor Type ("Device Profile") then ISE does the internal mapping for you. Then you can use abstractions like Normalised Radius SSID, which is vendor agnostic. You no longer need to care how it works under the hood. Other abstractions are things like the Compound Conditions such as Wireless_8021X and Wired_802.1X - have a look at those in detail and you can see that each vendor does it slightly differently.
===========Wireless 802.1x=============
Test environment:
AD: fg.local
ISE 3.0
Laptop: domain-joined PC with a wireless NIC
Note:
When the wired connection is up, machine authentication occurs, but the wireless association is quickly terminated with some kind of timeout. User login does not generate an Access-Request. The session on ISE most of the time shows Authenticated.
When the wired connection is down, machine authentication occurs and the ISE session shows Started with the PC name; user login generates a new Access-Request and the ISE session shows Started with the username. After shutting down the PC, the ISE session shows Started with the PC name, the wireless session stays on the WLC for a short period and then times out, and the ISE session changes to Terminated.