與技經評估組建立EAP連結
目錄
簡介
本文檔介紹如何使用基於隧道的可擴展身份驗證協定(TEAP)配置可擴展身份驗證協定(EAP)連結的ISE和Windows請求方。
必要條件
需求
思科建議您瞭解以下主題:
-
ISE
-
Windows請求方的配置
採用元件
本文中的資訊係根據以下軟體和硬體版本:
- Cisco ISE版本3.0
- Windows 10版本2004
- 技經評估組協定知識
本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除(預設)的組態來啟動。如果您的網路運作中,請確保您瞭解任何指令可能造成的影響。
背景資訊
TEAP是一種基於隧道的可擴展身份驗證協定方法,它建立安全隧道並在該安全隧道的保護下執行其他EAP方法。
TEAP身份驗證在初始EAP身份請求/響應交換後分兩個階段進行。
在第一階段,技經評估組使用TLS握手來提供經驗證的金鑰交換,並建立受保護的隧道。隧道建立後,第二階段從對等體開始,伺服器進行進一步的對話以建立所需的身份驗證和授權策略。
Cisco ISE 2.7及更高版本支援TEAP協定。 型別長度值(TLV)對象在隧道內用於在EAP對等體和EAP伺服器之間傳輸身份驗證相關資料。
Microsoft在2020年5月發佈的Windows 10 2004版本中引入了對TEAP的支援。
EAP連結允許在一個EAP/Radius會話內進行使用者和電腦身份驗證,而不是兩個單獨的會話。
以前,要實現此目的,您需要使用Cisco AnyConnect NAM模組並在Windows請求方上使用EAP-FAST,因為本機Windows請求方不支援此功能。現在,您可以使用Windows原生Supplicant客戶端使用TEAP通過ISE 2.7執行EAP連結。
設定
Cisco ISE配置
步驟1.您需要編輯「允許的協定」以啟用TEAP和EAP連結。
導航至 ISE > Policy > Policy Elements > Results > Authentication > Allowed Protocols > Add New .選中TEAP和EAP連結覈取方塊。
步驟2.建立證書配置檔案並將其新增到身份源序列。
導航至 ISE > Administration > Identities > identity Source Sequence 並選擇證書配置檔案。
步驟3.您需要在身份驗證策略中呼叫此序列。
導航至 ISE > Policy > Policy Sets. Choose the Policy Set for Dot1x > Authentication Policy 並選擇在步驟2中建立的Identity源序列。
步驟4.現在,您需要修改Dot1x Policy Set下的授權策略。
導航至 ISE > Policy > Policy Sets . Choose the Policy Set for Dot1x > Authentication Policy .
您需要建立兩個規則。第一條 規則檢查電腦是否已驗證,但使用者未驗證。第二規則驗證使用者和機器都經過身份驗證。
從ISE伺服器端完成配置。
Windows原生Supplicant客戶端配置
配置本文檔中的有線身份驗證設定。
導航至 Control Panel > Network and Sharing Center > Change Adapter Settings 並按一下右鍵 LAN Connection > Properties.按一下 Authentication 頁籤。
步驟1.按一下 Authentication 下拉選單並選擇 Microsoft EAP-TEAP.
步驟2. 按一下 Settings 按鈕。
- 保留
Enable Identity Privacy啟用了anonymous作為身份。 - 在用於在ISE PSN上簽署EAP身份驗證證書的受信任的根證書頒發機構下的根CA伺服器旁邊放置一個複選標籤。
步驟3.在Client Authentication下,選擇用於Microsoft身份驗證的EAP方法: Smart Card or other certificate
步驟4.對於每個EAP方法下拉選單,按一下 Configure 按鈕並根據需要修改;c舔一下 OK.
步驟5.按一下 Additional Settings 按鈕。
- 啟用指定身份驗證模式。
- 將下拉選單設定為適當的設定。
- 選擇
User or computer authentication使得兩者都是經過驗證且C舔一下OK.
驗證
您可以重新啟動Windows 10電腦,也可以註銷然後登入。只要顯示Windows登入螢幕,就會觸發電腦身份驗證。
在即時日誌中,您將在身份欄位中看到匿名、主機/管理員(此處為電腦名稱)。您會看到anonymous,因為您在上方為身份隱私配置了請求方。
當您使用憑證登入到PC時,可以在即時日誌Administrator@example.local(主機/管理員)中看到。這是EAP連結,使用者和電腦身份驗證都發生在一個EAP會話中。
詳細的身份驗證報告
在「即時日誌詳細資訊」中,電腦身份驗證僅顯示一個 NACRadiusUsername 條目,但鏈結使用者和電腦身份驗證顯示兩個條目(一個用於使用者,另一個用於電腦)。此外,您還會看到 Authentication Details 部分, TEAP (EAP-TLS) 用於 Authentication Protocol.如果您使用 MSCHAPv2 對於電腦和使用者身份驗證,身份驗證協定顯示 TEAP (Microsoft: Secured password (EAP-MSCHAP v2)).
機器驗證
使用者和電腦身份驗證
疑難排解
您需要在ISE上啟用這些調試:
runtime-AAAnsfnsf-sessionActive Directory(在ISE和AD之間進行故障排除)
在Windows上,可以檢查事件檢視器日誌。
即時日誌分析
機器驗證
11001 Received RADIUS Access-Request 11017 RADIUS created a new session ... ... 11507 Extracted EAP-Response/Identity 12756 Prepared EAP-Request proposing TEAP with challenge ... ... 12758 Extracted EAP-Response containing TEAP challenge-response and accepting TEAP as negotiated 12800 Extracted first TLS record; TLS handshake started 12805 Extracted TLS ClientHello message 12806 Prepared TLS ServerHello message 12807 Prepared TLS Certificate message 12808 Prepared TLS ServerKeyExchange message 12809 Prepared TLS CertificateRequest message ... ... 12811 Extracted TLS Certificate message containing client certificate 12812 Extracted TLS ClientKeyExchange message 12813 Extracted TLS CertificateVerify message 12804 Extracted TLS Finished message 12801 Prepared TLS ChangeCipherSpec message 12802 Prepared TLS Finished message 12816 TLS handshake succeeded ... ... 11559 Client certificate was requested but not received inside the tunnel. Will continue with inner method. 11620 TEAP full handshake finished successfully ... ... 11627 Starting EAP chaining 11573 Selected identity type 'User' 11564 TEAP inner method started 11521 Prepared EAP-Request/Identity for inner EAP method ... ... 11567 Identity type provided by client is equal to requested 11522 Extracted EAP-Response/Identity for inner EAP method 11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge 11596 Prepared EAP-Request with another TEAP challenge 11006 Returned RADIUS Access-Challenge 11001 Received RADIUS Access-Request ... ... 11515 Supplicant declined inner EAP method selected by Authentication Policy but did not proposed another one; inner EAP negotiation failed 11520 Prepared EAP-Failure for inner EAP method 11566 TEAP inner method finished with failure 22028 Authentication failed and the advanced options are ignored 33517 Sent TEAP Intermediate Result TLV indicating failure 11596 Prepared EAP-Request with another TEAP challenge ... ... 11574 Selected identity type 'Machine' 11564 TEAP inner method started 11521 Prepared EAP-Request/Identity for inner EAP method ... ... 11567 Identity type provided by client is equal to requested 11522 Extracted EAP-Response/Identity for inner EAP method 11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge 11596 Prepared EAP-Request with another TEAP challenge ... ... 12523 Extracted EAP-Response/NAK for inner method requesting to use EAP-TLS instead 12522 Prepared EAP-Request for inner method proposing EAP-TLS with challenge 12625 Valid EAP-Key-Name attribute received 11596 Prepared EAP-Request with another TEAP challenge ... ... 12524 Extracted EAP-Response containing EAP-TLS challenge-response for inner method and accepting EAP-TLS as negotiated 12800 Extracted first TLS record; TLS handshake started 12545 Client requested EAP-TLS session ticket 12546 The EAP-TLS session ticket received from supplicant. Inner EAP-TLS does not support stateless session resume. Performing full authentication 12805 Extracted TLS ClientHello message 12806 Prepared TLS ServerHello message 12807 Prepared TLS Certificate message 12808 Prepared TLS ServerKeyExchange message 12809 Prepared TLS CertificateRequest message 12527 Prepared EAP-Request for inner method with another EAP-TLS challenge ... ... 12571 ISE will continue to CRL verification if it is configured for specific CA - certificate for Users 12811 Extracted TLS Certificate message containing client certificate 12812 Extracted TLS ClientKeyExchange message 12813 Extracted TLS CertificateVerify message 12804 Extracted TLS Finished message 12801 Prepared TLS ChangeCipherSpec message 12802 Prepared TLS Finished message 12816 TLS handshake succeeded 12509 EAP-TLS full handshake finished successfully ... ... 12527 Prepared EAP-Request for inner method with another EAP-TLS challenge 11596 Prepared EAP-Request with another TEAP challenge ... ... 61025 Open secure connection with TLS peer 15041 Evaluating Identity Policy 22072 Selected identity source sequence - forAD1 22070 Identity name is taken from certificate attribute 22037 Authentication Passed 12528 Inner EAP-TLS authentication succeeded 11519 Prepared EAP-Success for inner EAP method 11565 TEAP inner method finished successfully ... ... 33516 Sent TEAP Intermediate Result TLV indicating success 11596 Prepared EAP-Request with another TEAP challenge 11006 Returned RADIUS Access-Challenge 11001 Received RADIUS Access-Request 11018 RADIUS is re-using an existing session 11595 Extracted EAP-Response containing TEAP challenge-response 11637 Inner method supports EMSK but the client provided only MSK. Allow downgrade as per configuration 11576 TEAP cryptobinding verification passed ... ... 15036 Evaluating Authorization Policy 24209 Looking up Endpoint in Internal Endpoints IDStore - anonymous,host/Administrator 24211 Found Endpoint in Internal Endpoints IDStore 11055 User name change detected for the session. Attributes for the session will be removed from the cache 15048 Queried PIP - Network Access.EapChainingResult 15016 Selected Authorization Profile - PermitAccess 33514 Sent TEAP Result TLV indicating success ... ... 11597 TEAP authentication phase finished successfully 11503 Prepared EAP-Success 11002 Returned RADIUS Access-Accept
使用者和電腦身份驗證
11001 Received RADIUS Access-Request 11017 RADIUS created a new session ... ... 12756 Prepared EAP-Request proposing TEAP with challenge ... ... 12758 Extracted EAP-Response containing TEAP challenge-response and accepting TEAP as negotiated 12800 Extracted first TLS record; TLS handshake started 12805 Extracted TLS ClientHello message 12806 Prepared TLS ServerHello message 12807 Prepared TLS Certificate message 12808 Prepared TLS ServerKeyExchange message 12809 Prepared TLS CertificateRequest message 11596 Prepared EAP-Request with another TEAP challenge ... ... 12811 Extracted TLS Certificate message containing client certificate 12812 Extracted TLS ClientKeyExchange message 12813 Extracted TLS CertificateVerify message 12804 Extracted TLS Finished message 12801 Prepared TLS ChangeCipherSpec message 12802 Prepared TLS Finished message 12816 TLS handshake succeeded 11559 Client certificate was requested but not received inside the tunnel. Will continue with inner method. 11620 TEAP full handshake finished successfully 11596 Prepared EAP-Request with another TEAP challenge ... ... 11595 Extracted EAP-Response containing TEAP challenge-response 11627 Starting EAP chaining 11573 Selected identity type 'User' 11564 TEAP inner method started 11521 Prepared EAP-Request/Identity for inner EAP method 11596 Prepared EAP-Request with another TEAP challenge ... ... 11567 Identity type provided by client is equal to requested 11522 Extracted EAP-Response/Identity for inner EAP method 11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge 11596 Prepared EAP-Request with another TEAP challenge ... ... 12523 Extracted EAP-Response/NAK for inner method requesting to use EAP-TLS instead 12522 Prepared EAP-Request for inner method proposing EAP-TLS with challenge ... ... 11595 Extracted EAP-Response containing TEAP challenge-response 12524 Extracted EAP-Response containing EAP-TLS challenge-response for inner method and accepting EAP-TLS as negotiated 12800 Extracted first TLS record; TLS handshake started 12545 Client requested EAP-TLS session ticket 12546 The EAP-TLS session ticket received from supplicant. Inner EAP-TLS does not support stateless session resume. Performing full authentication 12805 Extracted TLS ClientHello message 12806 Prepared TLS ServerHello message 12807 Prepared TLS Certificate message 12808 Prepared TLS ServerKeyExchange message 12809 Prepared TLS CertificateRequest message 12527 Prepared EAP-Request for inner method with another EAP-TLS challenge ... ... 12526 Extracted EAP-Response for inner method containing TLS challenge-response 12571 ISE will continue to CRL verification if it is configured for specific CA - certificate for Users 12811 Extracted TLS Certificate message containing client certificate 12812 Extracted TLS ClientKeyExchange message 12813 Extracted TLS CertificateVerify message 12804 Extracted TLS Finished message 12801 Prepared TLS ChangeCipherSpec message 12802 Prepared TLS Finished message 12816 TLS handshake succeeded 12509 EAP-TLS full handshake finished successfully 12527 Prepared EAP-Request for inner method with another EAP-TLS challenge ... ... 12526 Extracted EAP-Response for inner method containing TLS challenge-response 61025 Open secure connection with TLS peer 15041 Evaluating Identity Policy 22072 Selected identity source sequence - forAD1 22070 Identity name is taken from certificate attribute 22037 Authentication Passed 12528 Inner EAP-TLS authentication succeeded 11519 Prepared EAP-Success for inner EAP method 11565 TEAP inner method finished successfully 33516 Sent TEAP Intermediate Result TLV indicating success 11596 Prepared EAP-Request with another TEAP challenge ... ... 11595 Extracted EAP-Response containing TEAP challenge-response 11637 Inner method supports EMSK but the client provided only MSK. Allow downgrade as per configuration 11576 TEAP cryptobinding verification passed 11574 Selected identity type 'Machine' 11564 TEAP inner method started ... ... 11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge 11596 Prepared EAP-Request with another TEAP challenge ... ... 12523 Extracted EAP-Response/NAK for inner method requesting to use EAP-TLS instead 12522 Prepared EAP-Request for inner method proposing EAP-TLS with challenge ... ... 12524 Extracted EAP-Response containing EAP-TLS challenge-response for inner method and accepting EAP-TLS as negotiated 12800 Extracted first TLS record; TLS handshake started 12545 Client requested EAP-TLS session ticket 12546 The EAP-TLS session ticket received from supplicant. Inner EAP-TLS does not support stateless session resume. Performing full authentication 12805 Extracted TLS ClientHello message 12806 Prepared TLS ServerHello message 12807 Prepared TLS Certificate message 12808 Prepared TLS ServerKeyExchange message 12809 Prepared TLS CertificateRequest message 12527 Prepared EAP-Request for inner method with another EAP-TLS challenge ... ... 12526 Extracted EAP-Response for inner method containing TLS challenge-response 12571 ISE will continue to CRL verification if it is configured for specific CA - certificate for Users 12811 Extracted TLS Certificate message containing client certificate 12812 Extracted TLS ClientKeyExchange message 12813 Extracted TLS CertificateVerify message 12804 Extracted TLS Finished message 12801 Prepared TLS ChangeCipherSpec message 12802 Prepared TLS Finished message 12816 TLS handshake succeeded 12509 EAP-TLS full handshake finished successfully 12527 Prepared EAP-Request for inner method with another EAP-TLS challenge 11596 Prepared EAP-Request with another TEAP challenge 11006 Returned RADIUS Access-Challenge 11001 Received RADIUS Access-Request 11018 RADIUS is re-using an existing session 11595 Extracted EAP-Response containing TEAP challenge-response 12526 Extracted EAP-Response for inner method containing TLS challenge-response 61025 Open secure connection with TLS peer 15041 Evaluating Identity Policy 22072 Selected identity source sequence - forAD1 22070 Identity name is taken from certificate attribute 22037 Authentication Passed 12528 Inner EAP-TLS authentication succeeded 11519 Prepared EAP-Success for inner EAP method 11565 TEAP inner method finished successfully 33516 Sent TEAP Intermediate Result TLV indicating success 11596 Prepared EAP-Request with another TEAP challenge 11006 Returned RADIUS Access-Challenge 11001 Received RADIUS Access-Request 11018 RADIUS is re-using an existing session 11595 Extracted EAP-Response containing TEAP challenge-response 11637 Inner method supports EMSK but the client provided only MSK. Allow downgrade as per configuration 11576 TEAP cryptobinding verification passed 15036 Evaluating Authorization Policy 24209 Looking up Endpoint in Internal Endpoints IDStore - Administrator@example.local,host/Administrator 24211 Found Endpoint in Internal Endpoints IDStore 11055 User name change detected for the session. Attributes for the session will be removed from the cache 15048 Queried PIP - Network Access.EapChainingResult 15016 Selected Authorization Profile - PermitAccess 33514 Sent TEAP Result TLV indicating success 11596 Prepared EAP-Request with another TEAP challenge 11006 Returned RADIUS Access-Challenge 11001 Received RADIUS Access-Request 11018 RADIUS is re-using an existing session 11595 Extracted EAP-Response containing TEAP challenge-response 11597 TEAP authentication phase finished successfully 11503 Prepared EAP-Success 11002 Returned RADIUS Access-Accept
相關資訊
修訂記錄
| 修訂 | 發佈日期 | 意見 |
|---|---|---|
1.0 |
10-Dec-2020 |
初始版本 |
意見