Cisco ISE - 802.1X EAP-TLS



◆ Cisco ISE - 802.1X EAP-TLS - Success!

 ・ Cisco ISE - Operations - Authentication - Details





 ・ Catalyst 2960-X - IOS 15.x - show authentication sessions interface gigabitEthernet 1/0/1

%AUTHMGR-5-START: Starting 'dot1x' for client (0000.0011.1111) on Interface Gi1/0/1 AuditSessionID C0A000
%DOT1X-5-SUCCESS: Authentication successful for client (0000.0011.1111) on Interface Gi1/0/1 AuditSessionID C0A000
%AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0000.0011.1111) on Interface Gi1/0/1 AuditSessionID C0A000
%AUTHMGR-5-SUCCESS: Authorization succeeded for client (0000.0011.1111) on Interface Gi1/0/1 AuditSessionID C0A000
%LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up

 


◆ Cisco ISE - 802.1X EAP-TLS - Failed (result of presenting an invalid client certificate)

In Cisco ISE, the client certificate presented by the client PC is checked for validity against the root certificate of the CA that ISE holds. The ISE authentication failure log below is what appears when there is a problem with the client certificate presented by the PC. The log below was produced when a certificate issued by a different CA was used.

If the server certificate and root certificate for ISE are issued by one certificate authority (CA1), and the client certificate and root certificate for the client PC are issued by another certificate authority (CA2), then authentication with these certificates fails as shown below.

 11001 Received RADIUS Access-Request
 11017 RADIUS created a new session
 15049 Evaluating Policy Group
 15008 Evaluating Service Selection Policy
 15048 Queried PIP
 15048 Queried PIP
 15004 Matched rule
 15048 Queried PIP
 15048 Queried PIP
 15004 Matched rule
 11507 Extracted EAP-Response/Identity
 12500 Prepared EAP-Request proposing EAP-TLS with challenge
 12625 Valid EAP-Key-Name attribute received
 11006 Returned RADIUS Access-Challenge
 11001 Received RADIUS Access-Request
 11018 RADIUS is re-using an existing session
 12502 Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
 12800 Extracted first TLS record; TLS handshake started
 12805 Extracted TLS ClientHello message
 12806 Prepared TLS ServerHello message
 12807 Prepared TLS Certificate message
 12809 Prepared TLS CertificateRequest message
 12505 Prepared EAP-Request with another EAP-TLS challenge
 11006 Returned RADIUS Access-Challenge
 11001 Received RADIUS Access-Request
 11018 RADIUS is re-using an existing session
 12504 Extracted EAP-Response containing EAP-TLS challenge-response
 12505 Prepared EAP-Request with another EAP-TLS challenge
 11006 Returned RADIUS Access-Challenge
 11001 Received RADIUS Access-Request
 11018 RADIUS is re-using an existing session
 12504 Extracted EAP-Response containing EAP-TLS challenge-response
 12505 Prepared EAP-Request with another EAP-TLS challenge
 11006 Returned RADIUS Access-Challenge
 11001 Received RADIUS Access-Request
 11018 RADIUS is re-using an existing session
 12504 Extracted EAP-Response containing EAP-TLS challenge-response
 12815 Extracted TLS Alert message
 12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate
 12507 EAP-TLS authentication failed
 11504 Prepared EAP-Failure
 11003 Returned RADIUS Access-Reject
 5434 Endpoint conducted several failed authentications of the same scenario

The ISE authentication failure log above is the Steps information of the event "5434 Endpoint conducted several failed authentications of the same scenario".
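As an added example that is not part of the original page, the following Python routine reads an ISE step list like the one above and summarises how far the EAP-TLS handshake got and why it ended; the sample log is constructed by abbreviating this page's failure steps, and the 11002 Access-Accept code is assumed rather than taken from the page.

```python
import re
from dataclasses import dataclass

# Step codes taken from the ISE log on this page; 11002 (Access-Accept) is assumed.
ACCESS_CHALLENGE, ACCESS_REJECT, ACCESS_ACCEPT = 11006, 11003, 11002
TLS_STARTED, TLS_ALERT, TLS_CLIENT_REJECTED_ISE_CERT = 12800, 12815, 12520
STEP_RE = re.compile(r"^\s*(\d{4,5})\s+(\S.*?)\s*$")  # "<code> <message>"

@dataclass
class Triage:
    outcome: str = "incomplete"   # "accept", "reject" or "incomplete"
    handshake_started: bool = False
    tls_alert: bool = False
    challenge_rounds: int = 0     # RADIUS Access-Challenge round trips
    reason: str = ""
    hint: str = ""

def triage_ise_steps(text: str) -> Triage:
    """Walk the ISE step list and summarise how far EAP-TLS got and why it ended."""
    t = Triage()
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if not m:
            continue  # blank or non-step line
        code, msg = int(m.group(1)), m.group(2)
        if code == ACCESS_CHALLENGE:
            t.challenge_rounds += 1
        elif code == TLS_STARTED:
            t.handshake_started = True
        elif code == TLS_ALERT:
            t.tls_alert = True
        elif code == TLS_CLIENT_REJECTED_ISE_CERT:
            # Alert right after ISE's Certificate message: the supplicant does not
            # trust the CA that issued the ISE server certificate (CA1 vs CA2 above).
            t.reason = msg
            t.hint = ("check the supplicant's trusted root / EAP profile "
                      "and the ISE system certificate chain")
        elif code == ACCESS_REJECT:
            t.outcome = "reject"
        elif code == ACCESS_ACCEPT:
            t.outcome = "accept"
    return t

# Constructed sample: this page's failure log, abbreviated to the steps that matter.
FAILED_LOG = """\
11001 Received RADIUS Access-Request
11006 Returned RADIUS Access-Challenge
12800 Extracted first TLS record; TLS handshake started
12807 Prepared TLS Certificate message
11006 Returned RADIUS Access-Challenge
12815 Extracted TLS Alert message
12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate
11003 Returned RADIUS Access-Reject
"""
```

Running `triage_ise_steps(FAILED_LOG)` reports a reject after two challenge rounds with the TLS alert and the 12520 reason, which is the signature to look for before touching the client certificate itself.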


The switch status is as follows. When authentication fails, authorization fails along with it. At this point the port LED stays orange and the port cannot pass traffic.
Note: if authentication open is configured, the LED turns green.

%AUTHMGR-5-START: Starting 'dot1x' for client (0000.0011.1111) on Interface Gi1/0/1 AuditSessionID C0A000
%DOT1X-5-FAIL: Authentication failed for client (0000.0011.1111) on Interface Gi1/0/1 AuditSessionID C0A000
%AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0000.0011.1111) on Interface Gi1/0/1 AuditSessionID C0A000
%AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0000.0011.1111) on Interface Gi1/0/1 AuditSessionID C0A000
%LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up


 # show authentication sessions interface gigabitEthernet 1/0/1

 Interface: GigabitEthernet1/0/1
 MAC Address: 0000.0011.1111
 IP Address: Unknown
 User-Name: host/cool2.infraeye.com
 Status: Authz Failed
 Domain: DATA
 Oper host mode: single-host
 Oper control dir: both
 Session timeout: N/A
 Idle timeout: N/A
 Common Session ID: C0A000
 Acct Session ID: 0x000000A1
 Handle: 0xCE000099

 Runnable methods list:
 Method State
 dot1x Authc Failed
 mab Not run



Copyright (C) 2002-2019 ネットワークエンジニアとして All Rights Reserved.