Author Topic: New user login and expired passwords  (Read 5381 times)

Offline Crypto

  • Cisco Newbie
  • *
  • Posts: 6
  • Reputation: 0
    • View Profile
  • Certification: CCIE
New user login and expired passwords
« on: July 10, 2015, 04:52:08 AM »
Hi,

I have AnyConnect NAM configured for wireless authentication using EAP Chaining. The problem is that if you try to log in with a new user (a user that has never logged into the machine before), it gives an error stating that no authentication server can be reached.

Also, if the user's password has expired, he can't set a new one (because the ADs are not reachable), while any logged-in user can change his password with no issues.

I think this happens because all communication to the network is blocked until the user logs into Windows and AnyConnect NAM authenticates him.

Is that the normal behavior of EAP Chaining, or am I missing something here?

Thanks,

Offline MC
Re: New user login and expired passwords
« Reply #1 on: July 11, 2015, 05:29:04 PM »
For the new user login, you need to make sure that after a successful machine auth you allow the machine to communicate with AD in the dACL, so the new user can authenticate to AD, since it cannot use the locally cached credential.
For the expired password, this is nothing unique to AnyConnect NAM or EAP-Chaining.
The problem is that when the user tries to authenticate and AD returns "password expired" to ISE, ISE takes it as a failed auth and rejects the RADIUS request, causing 802.1X to fail on the switchport and preventing the user from proceeding further to change the password, even though the user may see the change password screen. After that, the behavior is random. If you are lucky and the machine auth is retried, or somehow you fall back to MAB and once again allow the machine to hit AD, the user might eventually be able to change the password on a subsequent try.
Definitely open a case with Cisco and let them know the behavior.

Offline Crypto
Re: New user login and expired passwords
« Reply #2 on: July 13, 2015, 01:04:29 AM »
Hi MC,

Yes, I figured that out yesterday, but the change password is working too. I tried with 2 different users on 2 different PCs and it's working fine. See the RADIUS authentication steps below:

Thanks,

  11001  Received RADIUS Access-Request 
  11017  RADIUS created a new session 
  15049  Evaluating Policy Group 
  15008  Evaluating Service Selection Policy 
  15048  Queried PIP 
  15048  Queried PIP 
  15048  Queried PIP 
  15004  Matched rule 
  15048  Queried PIP 
  15048  Queried PIP 
  15048  Queried PIP 
  15004  Matched rule 
  11507  Extracted EAP-Response/Identity 
  12500  Prepared EAP-Request proposing EAP-TLS with challenge 
  12625  Valid EAP-Key-Name attribute received 
  11006  Returned RADIUS Access-Challenge 
  11001  Received RADIUS Access-Request 
  11018  RADIUS is re-using an existing session 
  12101  Extracted EAP-Response/NAK requesting to use EAP-FAST instead 
  12100  Prepared EAP-Request proposing EAP-FAST with challenge 
  12625  Valid EAP-Key-Name attribute received 
  11006  Returned RADIUS Access-Challenge 
  11001  Received RADIUS Access-Request 
  11018  RADIUS is re-using an existing session 
  12102  Extracted EAP-Response containing EAP-FAST challenge-response and accepting EAP-FAST as negotiated 
  12800  Extracted first TLS record; TLS handshake started 
  12805  Extracted TLS ClientHello message 
  12806  Prepared TLS ServerHello message 
  12807  Prepared TLS Certificate message 
  12810  Prepared TLS ServerDone message 
  12105  Prepared EAP-Request with another EAP-FAST challenge 
  11006  Returned RADIUS Access-Challenge 
  11001  Received RADIUS Access-Request 
  11018  RADIUS is re-using an existing session 
  12104  Extracted EAP-Response containing EAP-FAST challenge-response 
  12105  Prepared EAP-Request with another EAP-FAST challenge 
  11006  Returned RADIUS Access-Challenge 
  11001  Received RADIUS Access-Request 
  11018  RADIUS is re-using an existing session 
  12104  Extracted EAP-Response containing EAP-FAST challenge-response 
  12105  Prepared EAP-Request with another EAP-FAST challenge 
  11006  Returned RADIUS Access-Challenge 
  11001  Received RADIUS Access-Request 
  11018  RADIUS is re-using an existing session 
  12104  Extracted EAP-Response containing EAP-FAST challenge-response 
  12812  Extracted TLS ClientKeyExchange message 
  12804  Extracted TLS Finished message 
  12801  Prepared TLS ChangeCipherSpec message 
  12802  Prepared TLS Finished message 
  12816  TLS handshake succeeded 
  12149  EAP-FAST built authenticated tunnel for purpose of PAC provisioning 
  12105  Prepared EAP-Request with another EAP-FAST challenge 
  11006  Returned RADIUS Access-Challenge 
  11001  Received RADIUS Access-Request 
  11018  RADIUS is re-using an existing session 
  12104  Extracted EAP-Response containing EAP-FAST challenge-response 
  12209  Starting EAP chaining 
  12218  Selected identity type 'User' 
  12125  EAP-FAST inner method started 
  11521  Prepared EAP-Request/Identity for inner EAP method 
  12105  Prepared EAP-Request with another EAP-FAST challenge 
  11006  Returned RADIUS Access-Challenge 
  11001  Received RADIUS Access-Request 
  11018  RADIUS is re-using an existing session 
  12104  Extracted EAP-Response containing EAP-FAST challenge-response 
  12212  Identity type provided by client is equal to requested 
  11522  Extracted EAP-Response/Identity for inner EAP method 
  11806  Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge 
  12105  Prepared EAP-Request with another EAP-FAST challenge 
  11006  Returned RADIUS Access-Challenge 
  11001  Received RADIUS Access-Request 
  11018  RADIUS is re-using an existing session 
  12104  Extracted EAP-Response containing EAP-FAST challenge-response 
  11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated 
  15041  Evaluating Identity Policy 
  15006  Matched Default Rule 
  15013  Selected Identity Source - AD1 
  24430  Authenticating user against Active Directory 
  24402  User authentication against Active Directory succeeded 
  22037  Authentication Passed 
  11824  EAP-MSCHAP authentication attempt passed 
  12105  Prepared EAP-Request with another EAP-FAST challenge 
  11006  Returned RADIUS Access-Challenge 
  11001  Received RADIUS Access-Request 
  11018  RADIUS is re-using an existing session 
  12104  Extracted EAP-Response containing EAP-FAST challenge-response 
  11810  Extracted EAP-Response for inner method containing MSCHAP challenge-response 
  11814  Inner EAP-MSCHAP authentication succeeded 
  11519  Prepared EAP-Success for inner EAP method 
  12128  EAP-FAST inner method finished successfully 
  12105  Prepared EAP-Request with another EAP-FAST challenge 
  11006  Returned RADIUS Access-Challenge 
  11001  Received RADIUS Access-Request 
  11018  RADIUS is re-using an existing session 
  12104  Extracted EAP-Response containing EAP-FAST challenge-response 
  12126  EAP-FAST cryptobinding verification passed 
  12200  Approved EAP-FAST client Tunnel PAC request 
  12202  Approved EAP-FAST client Authorization PAC request 
  12219  Selected identity type 'Machine' 
  12125  EAP-FAST inner method started 
  11521  Prepared EAP-Request/Identity for inner EAP method 
  12105  Prepared EAP-Request with another EAP-FAST challenge 
  11006  Returned RADIUS Access-Challenge 
  11001  Received RADIUS Access-Request 
  11018  RADIUS is re-using an existing session 
  12104  Extracted EAP-Response containing EAP-FAST challenge-response 
  12212  Identity type provided by client is equal to requested 
  11522  Extracted EAP-Response/Identity for inner EAP method 
  11806  Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge 
  12105  Prepared EAP-Request with another EAP-FAST challenge 
  11006  Returned RADIUS Access-Challenge 
  11001  Received RADIUS Access-Request 
  11018  RADIUS is re-using an existing session 
  12104  Extracted EAP-Response containing EAP-FAST challenge-response 
  11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated 
  15041  Evaluating Identity Policy 
  15006  Matched Default Rule 
  15013  Selected Identity Source - AD1 
  24431  Authenticating machine against Active Directory 
  24470  Machine authentication against Active Directory is successful 
  22037  Authentication Passed 
  11824  EAP-MSCHAP authentication attempt passed 
  12105  Prepared EAP-Request with another EAP-FAST challenge 
  11006  Returned RADIUS Access-Challenge 
  11001  Received RADIUS Access-Request 
  11018  RADIUS is re-using an existing session 
  12104  Extracted EAP-Response containing EAP-FAST challenge-response 
  11810  Extracted EAP-Response for inner method containing MSCHAP challenge-response 
  11814  Inner EAP-MSCHAP authentication succeeded 
  11519  Prepared EAP-Success for inner EAP method 
  12128  EAP-FAST inner method finished successfully 
  12105  Prepared EAP-Request with another EAP-FAST challenge 
  11006  Returned RADIUS Access-Challenge 
  11001  Received RADIUS Access-Request 
  11018  RADIUS is re-using an existing session 
  12104  Extracted EAP-Response containing EAP-FAST challenge-response 
  12126  EAP-FAST cryptobinding verification passed 
  12201  Approved EAP-FAST client Machine PAC request 
  15036  Evaluating Authorization Policy 
  11055  User name change detected for the session. Attributes for the session will be removed from the cache 
  24432  Looking up user in Active Directory - test.user1,host/MT13L032 
  24416  User's Groups retrieval from Active Directory succeeded 
  24433  Looking up machine in Active Directory - test.user1,host/MT13L032 
  24435  Machine Groups retrieval from Active Directory succeeded 
  15004  Matched rule 
  15048  Queried PIP 
  15048  Queried PIP 
  15048  Queried PIP 
  15048  Queried PIP 
  15048  Queried PIP 
  15048  Queried PIP 
  15016  Selected Authorization Profile - Wireless IT-Admins 
  12169  Successfully finished EAP-FAST tunnel PAC provisioning/update 
  12171  Successfully finished EAP-FAST user authorization PAC provisioning/update 
  12170  Successfully finished EAP-FAST machine PAC provisioning/update 
  12105  Prepared EAP-Request with another EAP-FAST challenge 
  11006  Returned RADIUS Access-Challenge 
  11001  Received RADIUS Access-Request 
  11018  RADIUS is re-using an existing session 
  12104  Extracted EAP-Response containing EAP-FAST challenge-response 
  12651  Accept client on authenticated provisioning 
  12107  EAP-FAST provisioning phase finished successfully 
  11503  Prepared EAP-Success 
  11002  Returned RADIUS Access-Accept

Offline MC
Re: New user login and expired passwords
« Reply #3 on: July 13, 2015, 05:32:21 AM »
Glad to hear. Is this for wireless? If so, may I ask which controller model and code version?

Offline Crypto
Re: New user login and expired passwords
« Reply #4 on: July 15, 2015, 01:30:48 AM »
Hi MC,

Sorry for the late reply; yesterday and the day before were one of those lovely working days for me :)

So, yes, it's for wireless, and I'm using a 3850 as the WLC with IOS-XE version 03.03.05SE.

For wired I didn't face this issue because I'm doing Low Impact mode and the pre-auth ACL allows AD traffic.
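Added example, not configuration from the thread: the wired Low Impact mode pre-auth ACL mentioned here and the ISE dACL for the machine-authenticated-only authorization result that Reply #1 describes can be built from the same entries (for the dACL, push only the permit/deny lines without the `ip access-list` header). Assumed placeholders: domain controller addresses 10.0.0.10 and 10.0.0.11 and the ACL names; repeat the DC-specific lines for every domain controller the clients can locate.

```cisco
! Added example (not from the thread). Placeholders: DC-1 10.0.0.10, DC-2 10.0.0.11.
!
! Before: a machine-only ACL that stops at DHCP and DNS. A user with no cached
! credentials cannot reach a DC, so Windows reports that no authentication server
! can be reached, and an expired password cannot be changed from the logon screen.
ip access-list extended MACHINE-ONLY-TOO-STRICT
 permit udp any any eq bootps
 permit udp any host 10.0.0.10 eq domain
 deny   ip any any

! After: permit exactly the DC traffic needed for domain logon and password change,
! and nothing else until the user side of the EAP chain succeeds.
ip access-list extended MACHINE-ONLY-ALLOW-AD
 remark DHCP, DNS and time (Kerberos fails on clock skew)
 permit udp any any eq bootps
 permit udp any host 10.0.0.10 eq domain
 permit udp any host 10.0.0.11 eq domain
 permit udp any host 10.0.0.10 eq ntp
 remark Kerberos ticket requests and kpasswd (password change at logon)
 permit tcp any host 10.0.0.10 eq 88
 permit udp any host 10.0.0.10 eq 88
 permit tcp any host 10.0.0.10 eq 464
 permit udp any host 10.0.0.10 eq 464
 remark LDAP and CLDAP for DC locator and group policy, SMB for SYSVOL/Netlogon
 permit tcp any host 10.0.0.10 eq 389
 permit udp any host 10.0.0.10 eq 389
 permit tcp any host 10.0.0.10 eq 445
 remark RPC endpoint mapper plus dynamic range (Netlogon/SAMR, NTLM password change)
 permit tcp any host 10.0.0.10 eq 135
 permit tcp any host 10.0.0.10 range 49152 65535
 deny   ip any any log
```

The closing `deny ... log` entry gives you switch-side evidence of what a machine-only session tried to reach, which is the quickest way to spot a port that is still missing from the list.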

Offline MC
Re: New user login and expired passwords
« Reply #5 on: July 15, 2015, 05:47:28 AM »
Got it. Thank you. You may want to keep your eyes out on the wired once you switch over to enforcement mode.

Offline Crypto
Re: New user login and expired passwords
« Reply #6 on: July 15, 2015, 08:02:59 AM »
Will do... Thanks a lot :)
