Introduction

    This document describes how to configure ISE and the Windows supplicant for Extensible Authentication Protocol (EAP) chaining with Tunnel-based Extensible Authentication Protocol (TEAP).

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • ISE

    • Windows supplicant configuration

    Components Used

    The information in this document is based on these software and hardware versions:

    • Cisco ISE version 3.0
    • Windows 10 build 2004
    • Knowledge of the TEAP protocol

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    TEAP is a tunnel-based EAP method that establishes a secure tunnel and executes other EAP methods under the protection of that secure tunnel.

    TEAP authentication occurs in two phases after the initial EAP identity request/response exchange.

    In the first phase, TEAP uses the TLS handshake to provide an authenticated key exchange and to establish a protected tunnel. Once the tunnel is established, the second phase begins, with the peer and the server engaging in further conversation to establish the required authentication and authorization policies.

    Cisco ISE 2.7 and later support the TEAP protocol. Type-length-value (TLV) objects are used inside the tunnel to transport authentication-related data between the EAP peer and the EAP server.

    Microsoft introduced support for TEAP in Windows 10 version 2004, released in May 2020.

    EAP chaining allows user and machine authentication within one EAP/RADIUS session instead of two separate sessions.

    Previously, to achieve this you needed the Cisco AnyConnect NAM module and EAP-FAST on the Windows supplicant, because the native Windows supplicant did not support it. Now you can use the native Windows supplicant to perform EAP chaining with ISE 2.7 by using TEAP.

    Configure

    Configuración de Cisco ISE

    Step 1. Edit the allowed protocols to enable EAP chaining and TEAP.

    Navigate to ISE > Policy > Policy Elements > Results > Authentication > Allowed Protocols > Add New. Check the TEAP and EAP chaining check boxes.

    Cisco ISE Configuration

    Step 2. Create a certificate profile and add it to the identity source sequence.

    Navigate to ISE > Administration > Identities > Identity Source Sequence and choose the certificate profile.

    Cisco ISE Configuration

    Step 3. Call this sequence in the authentication policy.

    Navigate to ISE > Policy > Policy Sets. Choose the policy set for Dot1x > Authentication Policy and choose the identity source sequence created in step 2.

    Cisco ISE Configuration

    Step 4. Modify the authorization policy in the Dot1x policy set.

    Navigate to ISE > Policy > Policy Sets. Choose the policy set for Dot1x > Authentication Policy.

    You need to create two rules. The first rule checks that the machine is authenticated but the user is not. The second rule checks that both the user and the machine are authenticated.

    Cisco ISE Configuration

    This completes the configuration on the ISE server side.

    Windows Native Supplicant Configuration

    Wired authentication is configured in this document.

    Navigate to Control Panel > Network and Sharing Center > Change Adapter Settings, right-click LAN Connection > Properties, and click the Authentication tab.

    Step 1. Click the Authentication drop-down and choose Microsoft EAP-TEAP.

    Windows Native Supplicant Configuration


    Step 2. Click the Settings button next to TEAP.

      1. Keep Enable Identity Privacy enabled with anonymous as the identity.
      2. Check the root CA servers under Trusted Root Certification Authorities that are used to sign the certificate for EAP authentication on the ISE PSN.

    Windows Native Supplicant Configuration

    Step 3. Under Client Authentication, choose the EAP method for authentication: Microsoft: Smart Card or other certificate.

    Step 4. For each EAP method drop-down, click the Configure button, modify it as per the requirements, and click OK.

    Windows Native Supplicant Configuration


    Step 5. Click the Additional Settings button located at the bottom.

      1. Enable Specify authentication mode.
      2. Set the drop-down to the appropriate setting.
      3. Choose User or computer authentication so that both are authenticated, and click OK.

    Windows Native Supplicant Configuration

    Verify

    You can restart the Windows 10 machine or log off and then log on. Whenever the Windows login screen is displayed, machine authentication is triggered.

    In the live logs, you see anonymous,host/Administrator (here Administrator is the machine name) in the Identity field. You see anonymous because you configured the supplicant for identity privacy above.

    When you log in to the machine with credentials, you see Administrator@example.local,host/Administrator in the live logs. This is EAP chaining, where user and machine authentication occurred in one EAP session.

    Live Log Details

    Detailed Authentication Report

    In the live log details, machine-only authentications show a single NACRadiusUsername, but chained user and machine authentication shows two entries (one for the user and one for the machine). Also, under the Authentication Details section, you see that TEAP (EAP-TLS) was used as the Authentication Protocol. If you use MSCHAPv2 for machine and user authentication, the authentication protocol shows TEAP (Microsoft: Secured password (EAP-MSCHAP v2)).

    Machine Authentication

    Machine Authentication

    User and Machine Authentication

    User and Machine Authentication

    Troubleshoot

    Enable these debugs on ISE:

    • runtime-AAA
    • nsf
    • nsf-session
    • Active Directory (to troubleshoot issues between ISE and AD)

    On Windows, you can check the Event Viewer logs.

    Live Log Analysis

    Machine Authentication

    11001 Received RADIUS Access-Request
    11017 RADIUS created a new session
    ...
    ...
    11507 Extracted EAP-Response/Identity
    12756 Prepared EAP-Request proposing TEAP with challenge
    ...
    ...
    12758 Extracted EAP-Response containing TEAP challenge-response and accepting TEAP as negotiated
    12800 Extracted first TLS record; TLS handshake started
    12805 Extracted TLS ClientHello message
    12806 Prepared TLS ServerHello message
    12807 Prepared TLS Certificate message
    12808 Prepared TLS ServerKeyExchange message
    12809 Prepared TLS CertificateRequest message
    ...
    ...
    12811 Extracted TLS Certificate message containing client certificate
    12812 Extracted TLS ClientKeyExchange message
    12813 Extracted TLS CertificateVerify message
    12804 Extracted TLS Finished message
    12801 Prepared TLS ChangeCipherSpec message
    12802 Prepared TLS Finished message
    12816 TLS handshake succeeded
    ...
    ...
    11559 Client certificate was requested but not received inside the tunnel. Will continue with inner method.
    11620 TEAP full handshake finished successfully
    ...
    ...
    11627 Starting EAP chaining
    11573 Selected identity type 'User'
    11564 TEAP inner method started
    11521 Prepared EAP-Request/Identity for inner EAP method
    ...
    ...
    11567 Identity type provided by client is equal to requested
    11522 Extracted EAP-Response/Identity for inner EAP method
    11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
    11596 Prepared EAP-Request with another TEAP challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    ...
    ...
    11515 Supplicant declined inner EAP method selected by Authentication Policy but did not proposed another one; inner EAP negotiation failed
    11520 Prepared EAP-Failure for inner EAP method
    11566 TEAP inner method finished with failure
    22028 Authentication failed and the advanced options are ignored
    33517 Sent TEAP Intermediate Result TLV indicating failure
    11596 Prepared EAP-Request with another TEAP challenge
    ...
    ...
    11574 Selected identity type 'Machine'
    11564 TEAP inner method started
    11521 Prepared EAP-Request/Identity for inner EAP method
    ...
    ...
    11567 Identity type provided by client is equal to requested
    11522 Extracted EAP-Response/Identity for inner EAP method
    11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
    11596 Prepared EAP-Request with another TEAP challenge
    ...
    ...
    12523 Extracted EAP-Response/NAK for inner method requesting to use EAP-TLS instead
    12522 Prepared EAP-Request for inner method proposing EAP-TLS with challenge
    12625 Valid EAP-Key-Name attribute received
    11596 Prepared EAP-Request with another TEAP challenge
    ...
    ... 
    12524 Extracted EAP-Response containing EAP-TLS challenge-response for inner method and accepting EAP-TLS as negotiated
    12800 Extracted first TLS record; TLS handshake started
    12545 Client requested EAP-TLS session ticket
    12546 The EAP-TLS session ticket received from supplicant. Inner EAP-TLS does not support stateless session resume. Performing full authentication
    12805 Extracted TLS ClientHello message
    12806 Prepared TLS ServerHello message
    12807 Prepared TLS Certificate message
    12808 Prepared TLS ServerKeyExchange message
    12809 Prepared TLS CertificateRequest message
    12527 Prepared EAP-Request for inner method with another EAP-TLS challenge
    ...
    ...
    12571 ISE will continue to CRL verification if it is configured for specific CA - certificate for Users
    12811 Extracted TLS Certificate message containing client certificate
    12812 Extracted TLS ClientKeyExchange message
    12813 Extracted TLS CertificateVerify message
    12804 Extracted TLS Finished message
    12801 Prepared TLS ChangeCipherSpec message
    12802 Prepared TLS Finished message
    12816 TLS handshake succeeded
    12509 EAP-TLS full handshake finished successfully
    ...
    ...
    12527 Prepared EAP-Request for inner method with another EAP-TLS challenge
    11596 Prepared EAP-Request with another TEAP challenge
    ...
    ...
    61025 Open secure connection with TLS peer
    15041 Evaluating Identity Policy
    22072 Selected identity source sequence - forAD1
    22070 Identity name is taken from certificate attribute
    22037 Authentication Passed
    12528 Inner EAP-TLS authentication succeeded
    11519 Prepared EAP-Success for inner EAP method
    11565 TEAP inner method finished successfully
    ...
    ... 
    33516 Sent TEAP Intermediate Result TLV indicating success
    11596 Prepared EAP-Request with another TEAP challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    11595 Extracted EAP-Response containing TEAP challenge-response
    11637 Inner method supports EMSK but the client provided only MSK. Allow downgrade as per configuration
    11576 TEAP cryptobinding verification passed
    ...
    ...
    15036 Evaluating Authorization Policy
    24209 Looking up Endpoint in Internal Endpoints IDStore - anonymous,host/Administrator
    24211 Found Endpoint in Internal Endpoints IDStore
    11055 User name change detected for the session. Attributes for the session will be removed from the cache
    15048 Queried PIP - Network Access.EapChainingResult
    15016 Selected Authorization Profile - PermitAccess
    33514 Sent TEAP Result TLV indicating success
    ...
    ...
    11597 TEAP authentication phase finished successfully
    11503 Prepared EAP-Success
    11002 Returned RADIUS Access-Accept


    User and Machine Authentication

    11001 Received RADIUS Access-Request
    11017 RADIUS created a new session
    ...
    ...
    12756 Prepared EAP-Request proposing TEAP with challenge
    ...
    ...
    12758 Extracted EAP-Response containing TEAP challenge-response and accepting TEAP as negotiated
    12800 Extracted first TLS record; TLS handshake started
    12805 Extracted TLS ClientHello message
    12806 Prepared TLS ServerHello message
    12807 Prepared TLS Certificate message
    12808 Prepared TLS ServerKeyExchange message
    12809 Prepared TLS CertificateRequest message
    11596 Prepared EAP-Request with another TEAP challenge
    ...
    ...
    12811 Extracted TLS Certificate message containing client certificate
    12812 Extracted TLS ClientKeyExchange message
    12813 Extracted TLS CertificateVerify message
    12804 Extracted TLS Finished message
    12801 Prepared TLS ChangeCipherSpec message
    12802 Prepared TLS Finished message
    12816 TLS handshake succeeded
    11559 Client certificate was requested but not received inside the tunnel. Will continue with inner method.
    11620 TEAP full handshake finished successfully
    11596 Prepared EAP-Request with another TEAP challenge
    ...
    ...
    11595 Extracted EAP-Response containing TEAP challenge-response
    11627 Starting EAP chaining
    11573 Selected identity type 'User'
    11564 TEAP inner method started
    11521 Prepared EAP-Request/Identity for inner EAP method
    11596 Prepared EAP-Request with another TEAP challenge
    ...
    ...
    11567 Identity type provided by client is equal to requested
    11522 Extracted EAP-Response/Identity for inner EAP method
    11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
    11596 Prepared EAP-Request with another TEAP challenge
    ...
    ...
    12523 Extracted EAP-Response/NAK for inner method requesting to use EAP-TLS instead
    12522 Prepared EAP-Request for inner method proposing EAP-TLS with challenge
    ...
    ...
    11595 Extracted EAP-Response containing TEAP challenge-response
    12524 Extracted EAP-Response containing EAP-TLS challenge-response for inner method and accepting EAP-TLS as negotiated
    12800 Extracted first TLS record; TLS handshake started
    12545 Client requested EAP-TLS session ticket
    12546 The EAP-TLS session ticket received from supplicant. Inner EAP-TLS does not support stateless session resume. Performing full authentication
    12805 Extracted TLS ClientHello message
    12806 Prepared TLS ServerHello message
    12807 Prepared TLS Certificate message
    12808 Prepared TLS ServerKeyExchange message
    12809 Prepared TLS CertificateRequest message
    12527 Prepared EAP-Request for inner method with another EAP-TLS challenge
    ...
    ...
    12526 Extracted EAP-Response for inner method containing TLS challenge-response
    12571 ISE will continue to CRL verification if it is configured for specific CA - certificate for Users
    12811 Extracted TLS Certificate message containing client certificate
    12812 Extracted TLS ClientKeyExchange message
    12813 Extracted TLS CertificateVerify message
    12804 Extracted TLS Finished message
    12801 Prepared TLS ChangeCipherSpec message
    12802 Prepared TLS Finished message
    12816 TLS handshake succeeded
    12509 EAP-TLS full handshake finished successfully
    12527 Prepared EAP-Request for inner method with another EAP-TLS challenge
    ...
    ...
    12526 Extracted EAP-Response for inner method containing TLS challenge-response
    61025 Open secure connection with TLS peer
    15041 Evaluating Identity Policy
    22072 Selected identity source sequence - forAD1
    22070 Identity name is taken from certificate attribute
    22037 Authentication Passed
    12528 Inner EAP-TLS authentication succeeded
    11519 Prepared EAP-Success for inner EAP method
    11565 TEAP inner method finished successfully
    33516 Sent TEAP Intermediate Result TLV indicating success
    11596 Prepared EAP-Request with another TEAP challenge
    ...
    ...
    11595 Extracted EAP-Response containing TEAP challenge-response
    11637 Inner method supports EMSK but the client provided only MSK. Allow downgrade as per configuration
    11576 TEAP cryptobinding verification passed
    11574 Selected identity type 'Machine'
    11564 TEAP inner method started
    ...
    ...
    11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
    11596 Prepared EAP-Request with another TEAP challenge
    ...
    ...
    12523 Extracted EAP-Response/NAK for inner method requesting to use EAP-TLS instead
    12522 Prepared EAP-Request for inner method proposing EAP-TLS with challenge
    ...
    ...
    12524 Extracted EAP-Response containing EAP-TLS challenge-response for inner method and accepting EAP-TLS as negotiated
    12800 Extracted first TLS record; TLS handshake started
    12545 Client requested EAP-TLS session ticket
    12546 The EAP-TLS session ticket received from supplicant. Inner EAP-TLS does not support stateless session resume. Performing full authentication
    12805 Extracted TLS ClientHello message
    12806 Prepared TLS ServerHello message
    12807 Prepared TLS Certificate message
    12808 Prepared TLS ServerKeyExchange message
    12809 Prepared TLS CertificateRequest message
    12527 Prepared EAP-Request for inner method with another EAP-TLS challenge
    ...
    ...
    12526 Extracted EAP-Response for inner method containing TLS challenge-response
    12571 ISE will continue to CRL verification if it is configured for specific CA - certificate for Users
    12811 Extracted TLS Certificate message containing client certificate
    12812 Extracted TLS ClientKeyExchange message
    12813 Extracted TLS CertificateVerify message
    12804 Extracted TLS Finished message
    12801 Prepared TLS ChangeCipherSpec message
    12802 Prepared TLS Finished message
    12816 TLS handshake succeeded
    12509 EAP-TLS full handshake finished successfully
    12527 Prepared EAP-Request for inner method with another EAP-TLS challenge
    11596 Prepared EAP-Request with another TEAP challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    11595 Extracted EAP-Response containing TEAP challenge-response
    12526 Extracted EAP-Response for inner method containing TLS challenge-response
    61025 Open secure connection with TLS peer
    15041 Evaluating Identity Policy
    22072 Selected identity source sequence - forAD1
    22070 Identity name is taken from certificate attribute
    22037 Authentication Passed
    12528 Inner EAP-TLS authentication succeeded
    11519 Prepared EAP-Success for inner EAP method
    11565 TEAP inner method finished successfully
    33516 Sent TEAP Intermediate Result TLV indicating success
    11596 Prepared EAP-Request with another TEAP challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    11595 Extracted EAP-Response containing TEAP challenge-response
    11637 Inner method supports EMSK but the client provided only MSK. Allow downgrade as per configuration
    11576 TEAP cryptobinding verification passed
    15036 Evaluating Authorization Policy
    24209 Looking up Endpoint in Internal Endpoints IDStore - Administrator@example.local,host/Administrator
    24211 Found Endpoint in Internal Endpoints IDStore
    11055 User name change detected for the session. Attributes for the session will be removed from the cache
    15048 Queried PIP - Network Access.EapChainingResult
    15016 Selected Authorization Profile - PermitAccess
    33514 Sent TEAP Result TLV indicating success
    11596 Prepared EAP-Request with another TEAP challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    11595 Extracted EAP-Response containing TEAP challenge-response
    11597 TEAP authentication phase finished successfully
    11503 Prepared EAP-Success
    11002 Returned RADIUS Access-Accept
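    The following Python script is added here as an example and is not part of the Cisco document. It walks ISE live log step lines like the two excerpts above and derives the EAP chaining outcome from the step codes the logs show (11627, 11573/11574, 11565/11566, 11576, 33514, 11002), flagging the 11637 MSK-only cryptobinding downgrade as a warning. The outcome wording is the example's own, chosen to mirror the two authorization rules of step 4, and the sample excerpt is constructed from the machine authentication log above.

```python
import re

# Step codes as they appear in the ISE live log excerpts above.
CHAIN_START, CRYPTOBINDING_OK = "11627", "11576"
RESULT_TLV_OK, ACCESS_ACCEPT = "33514", "11002"
IDENTITY_TYPE = {"11573": "User", "11574": "Machine"}
INNER_DONE = {"11565": "success", "11566": "failure"}
EMSK_DOWNGRADE = "11637"  # client provided only MSK and ISE allowed the downgrade
STEP_RE = re.compile(r"^\s*(\d{5})\s+(.*\S)")


def parse_live_log(text: str) -> dict:
    """Walk the step lines in order ('...' gap markers are skipped) and summarize the session."""
    s = {"chaining": False, "inner": {}, "cryptobinding_ok": False,
         "result_tlv_ok": False, "access_accept": False, "warnings": []}
    current = None
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if not m:
            continue
        code, msg = m.groups()
        if code == CHAIN_START:
            s["chaining"] = True
        elif code in IDENTITY_TYPE:
            current = IDENTITY_TYPE[code]  # 11573/11574 announce the next inner method
        elif code in INNER_DONE and current:
            s["inner"][current] = INNER_DONE[code]
        elif code == CRYPTOBINDING_OK:
            s["cryptobinding_ok"] = True
        elif code == EMSK_DOWNGRADE:
            s["warnings"].append(f"{code} {msg}")
        elif code == RESULT_TLV_OK:
            s["result_tlv_ok"] = True
        elif code == ACCESS_ACCEPT:
            s["access_accept"] = True
    return s


def chaining_result(s: dict) -> str:
    """Outcome wording is this example's own; it mirrors the two authorization rules of step 4."""
    if not s["chaining"]:
        return "No chaining"
    user = s["inner"].get("User") == "success"
    machine = s["inner"].get("Machine") == "success"
    if user and machine:
        return "User and machine both succeeded"
    if machine:
        return "User failed and machine succeeded"
    return "User succeeded and machine failed" if user else "User and machine both failed"


# Constructed excerpt, trimmed from the machine authentication live log above.
MACHINE_ONLY_LOG = """\
11627 Starting EAP chaining
11573 Selected identity type 'User'
11566 TEAP inner method finished with failure
11574 Selected identity type 'Machine'
11565 TEAP inner method finished successfully
11637 Inner method supports EMSK but the client provided only MSK. Allow downgrade as per configuration
11576 TEAP cryptobinding verification passed
33514 Sent TEAP Result TLV indicating success
11002 Returned RADIUS Access-Accept
"""
```

    An Access-Accept that is not preceded by both 11576 and 33514 in the summary is worth a closer look, since the cryptobinding check is what ties the inner methods to the outer tunnel.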


    Related Information