Cisco ISE

EAP-TLS with a Broken Private Key

When going through a standard EAP-TLS deployment recently, a seemingly new problem reared its head. We had tested it out and validated EAP-TLS on a couple of laptops using the Microsoft Native Supplicant. All of the ISE policies were good to go, and everything was working as expected. Then came along a new laptop. This one had other plans. We plug it in and get to authenticatin’.

Troubleshooting

Well, it didn’t seem to want to send many 802.

#Cisco ISE #Troubleshooting

Allowing Mobile App Stores through a WLC Redirect ACL

Cisco ISE provides the ability to redirect users through an MDM workflow to assist in the onboarding of mobile devices. Using integration with MDMs like MobileIron or AirWatch, you can allow registered and compliant devices onto your network, while automatically facilitating MDM enrollment for other devices. While the authorization policy for these workflows is relatively straightforward, specifying the traffic flows that must be redirected (or allowed through) to reach the MDM portal can be somewhat challenging.

#Cisco ISE #Troubleshooting

Cisco ISE and Client Certificate Chain with Any Purpose EKU

I recently came across quite an interesting issue during a Cisco ISE implementation using EAP-TLS. This was using EAP-FAST to perform EAP Chaining with the Cisco AnyConnect NAM module; however, the inner method was EAP-TLS, and that’s where the problem resided. My authentication was failing due to “unsupported certificate in client certificate chain.” Ultimately, the problem was that the client was sending its full certificate chain, not just its own certificate, along with its authentication request.

#Cisco ISE #Troubleshooting

Failed Machine Authentication with AnyConnect NAM on Windows 8+

Starting with Windows 8, Microsoft changed a default security setting so that third-party software can only access the machine’s domain password in an encrypted format. This results in a third-party supplicant sending an encrypted password string to the domain, which then compares it against an unencrypted password string. The authentication then fails with the error “Machine authentication against Active Directory failed due to wrong password.” If you look in the authentication steps, you will see the 24344 RPC Logon request failed - STATUS_WRONG_PASSWORD, ERROR_INVALID_PASSWORD,pclthp10156.

#Cisco ISE #Troubleshooting