与TEAP的EAP链接
目录
简介
本文档介绍如何使用基于隧道的可扩展身份验证协议(TEAP)为可扩展身份验证协议(EAP)链配置ISE和Windows请求方。
先决条件
要求
Cisco 建议您了解以下主题:
-
ISE
-
Windows请求方的配置
使用的组件
本文档中的信息基于以下软件和硬件版本:
- 思科ISE版本3.0
- Windows 10版本2004
- TEAP协议知识
本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您的网络处于活动状态,请确保您了解所有命令的潜在影响。
背景信息
TEAP是基于隧道的可扩展身份验证协议方法,用于建立安全隧道并在该安全隧道的保护下执行其他EAP方法。
TEAP身份验证在初始EAP身份请求/响应交换后分两个阶段进行。
在第一阶段,TEAP使用TLS握手来提供经过身份验证的密钥交换并建立受保护的隧道。隧道建立后,第二阶段从对等体开始,服务器进行进一步的会话以建立所需的身份验证和授权策略。
Cisco ISE 2.7及更高版本支持TEAP协议。 类型长度值(TLV)对象在隧道内用于在EAP对等体和EAP服务器之间传输身份验证相关数据。
Microsoft在2020年5月发布的Windows 10 2004版本中引入了对TEAP的支持。
EAP链接允许在一个EAP/Radius会话内进行用户和计算机身份验证,而不是两个单独的会话。
以前,要实现此目的,您需要使用Cisco AnyConnect NAM模块,并在Windows请求方上使用EAP-FAST,因为本地Windows请求方不支持此功能。现在,您可以使用Windows原生Supplicant客户端通过TEAP执行与ISE 2.7的EAP链接。
配置
思科ISE配置
步骤1:您需要编辑Allowed Protocols以启用TEAP和EAP链接。
导航至 ISE > Policy > Policy Elements > Results > Authentication > Allowed Protocols > Add New .选中TEAP和EAP链接复选框。
第二步:创建证书配置文件并将其添加到身份源序列。
导航至 ISE > Administration > Identities > identity Source Sequence 并选择证书配置文件。
第三步:您需要在身份验证策略中调用此序列。
导航至 ISE > Policy > Policy Sets. Choose the Policy Set for Dot1x > Authentication Policy 并选择在第2步中创建的身份源序列。
第四步:现在,您需要修改Dot1x Policy Set下的授权策略。
导航至 ISE > Policy > Policy Sets . Choose the Policy Set for Dot1x > Authentication Policy .
您需要创建两个规则。第一条 规则检查计算机是否已进行身份验证,但用户未进行身份验证。第二条 规则用于验证用户和计算机是否都已通过身份验证。
从ISE服务器端完成配置。
Windows原生Supplicant客户端配置
配置本文档中的有线身份验证设置。
导航至 Control Panel > Network and Sharing Center > Change Adapter Settings 并右键单击 LAN Connection > Properties.单击 Authentication 选项卡。
步骤1:点击 Authentication 下拉菜单并选择 Microsoft EAP-TEAP.
第二步: 单击 Settings 按钮。
- 保留
Enable Identity Privacy启用anonymous作为身份。 - 在用于签署ISE PSN上EAP身份验证证书的受信任根证书颁发机构(Trusted Root Certification Authorities)下的根CA服务器旁边打勾。
第三步:在Client Authentication下,选择Microsoft身份验证的EAP方法: Smart Card or other certificate
第四步:对于每个EAP方法下拉列表,点击 Configure 按钮并根据需要修改c单击 OK.
第五步:单击 Additional Settings 按钮。
- 启用指定身份验证模式。
- 将下拉菜单设置为适当的设置。
- 选择
User or computer authentication以便两者都经过验证,且单击OK.
验证
您可以重新启动Windows 10计算机,也可以先注销,然后再登录。只要显示Windows登录屏幕,就会触发计算机身份验证。
在实时日志中,您会在身份字段中看到匿名主机/管理员(这是计算机名称)。您看到anonymous,因为您已在上方配置了身份隐私的请求方。
当您使用凭证登录到PC时,您可以在实时日志Administrator@example.local中看到主机/管理员。这是EAP链,其中用户和机器身份验证都在一个EAP会话中发生。
详细的身份验证报告
在Live Log Details中,计算机身份验证只显示一个 NACRadiusUsername 条目,但链接用户和计算机身份验证显示两个条目(一个用于用户,另一个用于计算机)。此外,您还会看到 Authentication Details 部分, TEAP (EAP-TLS) 用于 Authentication Protocol.如果使用 MSCHAPv2 对于机器和用户身份验证,身份验证协议显示 TEAP (Microsoft: Secured password (EAP-MSCHAP v2)).
计算机身份验证
用户和机器身份验证
故障排除
您需要在ISE上启用以下调试:
runtime-AAAnsfnsf-sessionActive Directory(排除ISE和AD之间的故障)
在Windows上,您可以检查事件查看器日志。
实时日志分析
计算机身份验证
11001 Received RADIUS Access-Request 11017 RADIUS created a new session ... ... 11507 Extracted EAP-Response/Identity 12756 Prepared EAP-Request proposing TEAP with challenge ... ... 12758 Extracted EAP-Response containing TEAP challenge-response and accepting TEAP as negotiated 12800 Extracted first TLS record; TLS handshake started 12805 Extracted TLS ClientHello message 12806 Prepared TLS ServerHello message 12807 Prepared TLS Certificate message 12808 Prepared TLS ServerKeyExchange message 12809 Prepared TLS CertificateRequest message ... ... 12811 Extracted TLS Certificate message containing client certificate 12812 Extracted TLS ClientKeyExchange message 12813 Extracted TLS CertificateVerify message 12804 Extracted TLS Finished message 12801 Prepared TLS ChangeCipherSpec message 12802 Prepared TLS Finished message 12816 TLS handshake succeeded ... ... 11559 Client certificate was requested but not received inside the tunnel. Will continue with inner method. 11620 TEAP full handshake finished successfully ... ... 11627 Starting EAP chaining 11573 Selected identity type 'User' 11564 TEAP inner method started 11521 Prepared EAP-Request/Identity for inner EAP method ... ... 11567 Identity type provided by client is equal to requested 11522 Extracted EAP-Response/Identity for inner EAP method 11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge 11596 Prepared EAP-Request with another TEAP challenge 11006 Returned RADIUS Access-Challenge 11001 Received RADIUS Access-Request ... ... 11515 Supplicant declined inner EAP method selected by Authentication Policy but did not proposed another one; inner EAP negotiation failed 11520 Prepared EAP-Failure for inner EAP method 11566 TEAP inner method finished with failure 22028 Authentication failed and the advanced options are ignored 33517 Sent TEAP Intermediate Result TLV indicating failure 11596 Prepared EAP-Request with another TEAP challenge ... ... 11574 Selected identity type 'Machine' 11564 TEAP inner method started 11521 Prepared EAP-Request/Identity for inner EAP method ... ... 11567 Identity type provided by client is equal to requested 11522 Extracted EAP-Response/Identity for inner EAP method 11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge 11596 Prepared EAP-Request with another TEAP challenge ... ... 12523 Extracted EAP-Response/NAK for inner method requesting to use EAP-TLS instead 12522 Prepared EAP-Request for inner method proposing EAP-TLS with challenge 12625 Valid EAP-Key-Name attribute received 11596 Prepared EAP-Request with another TEAP challenge ... ... 12524 Extracted EAP-Response containing EAP-TLS challenge-response for inner method and accepting EAP-TLS as negotiated 12800 Extracted first TLS record; TLS handshake started 12545 Client requested EAP-TLS session ticket 12546 The EAP-TLS session ticket received from supplicant. Inner EAP-TLS does not support stateless session resume. Performing full authentication 12805 Extracted TLS ClientHello message 12806 Prepared TLS ServerHello message 12807 Prepared TLS Certificate message 12808 Prepared TLS ServerKeyExchange message 12809 Prepared TLS CertificateRequest message 12527 Prepared EAP-Request for inner method with another EAP-TLS challenge ... ... 12571 ISE will continue to CRL verification if it is configured for specific CA - certificate for Users 12811 Extracted TLS Certificate message containing client certificate 12812 Extracted TLS ClientKeyExchange message 12813 Extracted TLS CertificateVerify message 12804 Extracted TLS Finished message 12801 Prepared TLS ChangeCipherSpec message 12802 Prepared TLS Finished message 12816 TLS handshake succeeded 12509 EAP-TLS full handshake finished successfully ... ... 12527 Prepared EAP-Request for inner method with another EAP-TLS challenge 11596 Prepared EAP-Request with another TEAP challenge ... ... 61025 Open secure connection with TLS peer 15041 Evaluating Identity Policy 22072 Selected identity source sequence - forAD1 22070 Identity name is taken from certificate attribute 22037 Authentication Passed 12528 Inner EAP-TLS authentication succeeded 11519 Prepared EAP-Success for inner EAP method 11565 TEAP inner method finished successfully ... ... 33516 Sent TEAP Intermediate Result TLV indicating success 11596 Prepared EAP-Request with another TEAP challenge 11006 Returned RADIUS Access-Challenge 11001 Received RADIUS Access-Request 11018 RADIUS is re-using an existing session 11595 Extracted EAP-Response containing TEAP challenge-response 11637 Inner method supports EMSK but the client provided only MSK. Allow downgrade as per configuration 11576 TEAP cryptobinding verification passed ... ... 15036 Evaluating Authorization Policy 24209 Looking up Endpoint in Internal Endpoints IDStore - anonymous,host/Administrator 24211 Found Endpoint in Internal Endpoints IDStore 11055 User name change detected for the session. Attributes for the session will be removed from the cache 15048 Queried PIP - Network Access.EapChainingResult 15016 Selected Authorization Profile - PermitAccess 33514 Sent TEAP Result TLV indicating success ... ... 11597 TEAP authentication phase finished successfully 11503 Prepared EAP-Success 11002 Returned RADIUS Access-Accept
用户和机器身份验证
11001 Received RADIUS Access-Request 11017 RADIUS created a new session ... ... 12756 Prepared EAP-Request proposing TEAP with challenge ... ... 12758 Extracted EAP-Response containing TEAP challenge-response and accepting TEAP as negotiated 12800 Extracted first TLS record; TLS handshake started 12805 Extracted TLS ClientHello message 12806 Prepared TLS ServerHello message 12807 Prepared TLS Certificate message 12808 Prepared TLS ServerKeyExchange message 12809 Prepared TLS CertificateRequest message 11596 Prepared EAP-Request with another TEAP challenge ... ... 12811 Extracted TLS Certificate message containing client certificate 12812 Extracted TLS ClientKeyExchange message 12813 Extracted TLS CertificateVerify message 12804 Extracted TLS Finished message 12801 Prepared TLS ChangeCipherSpec message 12802 Prepared TLS Finished message 12816 TLS handshake succeeded 11559 Client certificate was requested but not received inside the tunnel. Will continue with inner method. 11620 TEAP full handshake finished successfully 11596 Prepared EAP-Request with another TEAP challenge ... ... 11595 Extracted EAP-Response containing TEAP challenge-response 11627 Starting EAP chaining 11573 Selected identity type 'User' 11564 TEAP inner method started 11521 Prepared EAP-Request/Identity for inner EAP method 11596 Prepared EAP-Request with another TEAP challenge ... ... 11567 Identity type provided by client is equal to requested 11522 Extracted EAP-Response/Identity for inner EAP method 11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge 11596 Prepared EAP-Request with another TEAP challenge ... ... 12523 Extracted EAP-Response/NAK for inner method requesting to use EAP-TLS instead 12522 Prepared EAP-Request for inner method proposing EAP-TLS with challenge ... ... 11595 Extracted EAP-Response containing TEAP challenge-response 12524 Extracted EAP-Response containing EAP-TLS challenge-response for inner method and accepting EAP-TLS as negotiated 12800 Extracted first TLS record; TLS handshake started 12545 Client requested EAP-TLS session ticket 12546 The EAP-TLS session ticket received from supplicant. Inner EAP-TLS does not support stateless session resume. Performing full authentication 12805 Extracted TLS ClientHello message 12806 Prepared TLS ServerHello message 12807 Prepared TLS Certificate message 12808 Prepared TLS ServerKeyExchange message 12809 Prepared TLS CertificateRequest message 12527 Prepared EAP-Request for inner method with another EAP-TLS challenge ... ... 12526 Extracted EAP-Response for inner method containing TLS challenge-response 12571 ISE will continue to CRL verification if it is configured for specific CA - certificate for Users 12811 Extracted TLS Certificate message containing client certificate 12812 Extracted TLS ClientKeyExchange message 12813 Extracted TLS CertificateVerify message 12804 Extracted TLS Finished message 12801 Prepared TLS ChangeCipherSpec message 12802 Prepared TLS Finished message 12816 TLS handshake succeeded 12509 EAP-TLS full handshake finished successfully 12527 Prepared EAP-Request for inner method with another EAP-TLS challenge ... ... 12526 Extracted EAP-Response for inner method containing TLS challenge-response 61025 Open secure connection with TLS peer 15041 Evaluating Identity Policy 22072 Selected identity source sequence - forAD1 22070 Identity name is taken from certificate attribute 22037 Authentication Passed 12528 Inner EAP-TLS authentication succeeded 11519 Prepared EAP-Success for inner EAP method 11565 TEAP inner method finished successfully 33516 Sent TEAP Intermediate Result TLV indicating success 11596 Prepared EAP-Request with another TEAP challenge ... ... 11595 Extracted EAP-Response containing TEAP challenge-response 11637 Inner method supports EMSK but the client provided only MSK. Allow downgrade as per configuration 11576 TEAP cryptobinding verification passed 11574 Selected identity type 'Machine' 11564 TEAP inner method started ... ... 11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge 11596 Prepared EAP-Request with another TEAP challenge ... ... 12523 Extracted EAP-Response/NAK for inner method requesting to use EAP-TLS instead 12522 Prepared EAP-Request for inner method proposing EAP-TLS with challenge ... ... 12524 Extracted EAP-Response containing EAP-TLS challenge-response for inner method and accepting EAP-TLS as negotiated 12800 Extracted first TLS record; TLS handshake started 12545 Client requested EAP-TLS session ticket 12546 The EAP-TLS session ticket received from supplicant. Inner EAP-TLS does not support stateless session resume. Performing full authentication 12805 Extracted TLS ClientHello message 12806 Prepared TLS ServerHello message 12807 Prepared TLS Certificate message 12808 Prepared TLS ServerKeyExchange message 12809 Prepared TLS CertificateRequest message 12527 Prepared EAP-Request for inner method with another EAP-TLS challenge ... ... 12526 Extracted EAP-Response for inner method containing TLS challenge-response 12571 ISE will continue to CRL verification if it is configured for specific CA - certificate for Users 12811 Extracted TLS Certificate message containing client certificate 12812 Extracted TLS ClientKeyExchange message 12813 Extracted TLS CertificateVerify message 12804 Extracted TLS Finished message 12801 Prepared TLS ChangeCipherSpec message 12802 Prepared TLS Finished message 12816 TLS handshake succeeded 12509 EAP-TLS full handshake finished successfully 12527 Prepared EAP-Request for inner method with another EAP-TLS challenge 11596 Prepared EAP-Request with another TEAP challenge 11006 Returned RADIUS Access-Challenge 11001 Received RADIUS Access-Request 11018 RADIUS is re-using an existing session 11595 Extracted EAP-Response containing TEAP challenge-response 12526 Extracted EAP-Response for inner method containing TLS challenge-response 61025 Open secure connection with TLS peer 15041 Evaluating Identity Policy 22072 Selected identity source sequence - forAD1 22070 Identity name is taken from certificate attribute 22037 Authentication Passed 12528 Inner EAP-TLS authentication succeeded 11519 Prepared EAP-Success for inner EAP method 11565 TEAP inner method finished successfully 33516 Sent TEAP Intermediate Result TLV indicating success 11596 Prepared EAP-Request with another TEAP challenge 11006 Returned RADIUS Access-Challenge 11001 Received RADIUS Access-Request 11018 RADIUS is re-using an existing session 11595 Extracted EAP-Response containing TEAP challenge-response 11637 Inner method supports EMSK but the client provided only MSK. Allow downgrade as per configuration 11576 TEAP cryptobinding verification passed 15036 Evaluating Authorization Policy 24209 Looking up Endpoint in Internal Endpoints IDStore - Administrator@example.local,host/Administrator 24211 Found Endpoint in Internal Endpoints IDStore 11055 User name change detected for the session. Attributes for the session will be removed from the cache 15048 Queried PIP - Network Access.EapChainingResult 15016 Selected Authorization Profile - PermitAccess 33514 Sent TEAP Result TLV indicating success 11596 Prepared EAP-Request with another TEAP challenge 11006 Returned RADIUS Access-Challenge 11001 Received RADIUS Access-Request 11018 RADIUS is re-using an existing session 11595 Extracted EAP-Response containing TEAP challenge-response 11597 TEAP authentication phase finished successfully 11503 Prepared EAP-Success 11002 Returned RADIUS Access-Accept
相关信息
修订历史记录
| 版本 | 发布日期 | 备注 |
|---|---|---|
1.0 |
10-Dec-2020 |
初始版本 |
反馈