This hotfix is supposed to be for "connecting thru another 802.1x device",
but since I am connecting through a WAP and WLC, maybe this might help... let me
give it a shot.
Also, someone suggested in the wireless adapter settings "do not allow the
computer to turn off the adapter for power management"... if this hotfix does
work, I'll try this.
I'll keep y'all posted.
Cheers
On Fri, Mar 15, 2013 at 2:05 PM, Charlie_CA <spycharlies_at_gmail.com> wrote:
> I believe Windows is the culprit... I am running Windows 7 SP1; I recently
> saw a hotfix on Microsoft's website that may address this problem. I'll see
> if that works.
> http://support.microsoft.com/kb/976373
>
> When I force it to sleep and it resumes, it seems to send the username and
> authenticates correctly... My plan now is to replicate the same issue by
> leaving it to sleep overnight; with this hotfix, let's see what happens.
>
> I'll keep you guys posted.
>
> Thanks for your help.
>
> C.
>
>
> On Fri, Mar 15, 2013 at 12:32 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
>
>> So I suspect the issue is with the PC.
>>
>> When it resumes from sleep, it is not triggering authentication. What
>> version of Windows are you testing with? Does it send out an authentication
>> request after resuming? This is your culprit I highly suspect. Let us know
>> how you get on.
>>
>> HTH,
>> Sadiq
>>
>>
>> On Thu, Mar 14, 2013 at 5:02 PM, Charlie_CA <spycharlies_at_gmail.com> wrote:
>>
>>> Sorry for not making myself clear enough...My deployment currently is
>>> through a WLC (7.3.112.0) to ISE, no switch is involved. A brief summary of
>>> my current setup...
>>>
>>> The controllers are properly configured with the AAA allowed checked,
>>> NAC State=Radius NAC etc..as required.
>>>
>>> The Authentication Policy for Wireless_802.1x is to allow default
>>> protocol referencing the External Identity Source = Active Directory
>>>
>>> For Authorization I have created 3 policies..
>>>
>>> 1. Rule Name=Machine, Condition=Machine, Permission=PermitAccess
>>>
>>> the compound expression for Machines is defined as
>>> Radius:Service-Type = Framed 'AND'
>>> Radius:Nas-Port-Type=Wireless IEEE 802.11 'AND'
>>> AD1:ExternalGroup=charlie.local/Users/Domain Computers
>>>
>>> 2. Rule Name=Users, Condition=Users, Permission=PermitAccess
>>>
>>> the compound expression for machines is defined as
>>> Radius:Service-Type = Framed 'AND'
>>> Radius:Nas-Port-Type=Wireless IEEE 802.11 'AND'
>>> AD1:ExternalGroup=charlie.local/Users/Domain Users
>>> Network Access:WasMachineAuthenticated=True
>>> Network Access:AuthenticationMethod=MSCHAPv2
>>>
>>> 3. Rule Name=AllOtherWireless, Condition=Wireless802.1x, Permission=Guest
>>> The Authorization Profile result for Guest
>>> Access Type=ACCESS_ACCEPT
>>> VLAN=2 ( fyi: VLAN 2 is for internet Only)
>>> Airespace ACL Name = Guest (this ACL was defined on the WLC access list
>>> to permit Internet only)
>>>
>>> Like I mentioned earlier, everything works fine except when the computer
>>> goes to sleep; when it does, Authenticated Users and Computer permanently
>>> remain on guest vlan; I believe this is happening because when I log back
>>> in from sleep-mode, Windows does not send the username and password or
>>> machine credentials. To re-authenticate, I have to completely log off.
>>>
>>> Thanks
>>>
>>>
>>>
>>>
>>> On Thu, Mar 14, 2013 at 9:53 AM, Brandon J Carroll <
>>> brandon.j.carroll_at_gmail.com> wrote:
>>>
>>>> You might try changing the reauth period to something lower.
>>>>
>>>> dot1x timeout reauth-period XXXX
>>>>
>>>> This could also have something to do with WoL, or WoL may provide a
>>>> workaround for you. A Port can be configured to allow only outbound
>>>> frames to be transmitted in the pre-authenticated state. A WoL packet sent
>>>> to a host in sleep/standby should cause it to wake to an operational state.
>>>> If the client is configured to automatically authenticate when
>>>> prompted, it can then authenticate to the switch port
>>>>
>>>>
>>>> http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_8021x/configuration/15-2mt/sec-ieee-wake-lan-supp.html
>>>>
>>>> This could also be an issue with the IOS version you are running.
>>>> I've seen a number of issues resolved by upgrading to a later IOS.
>>>>
>>>> I'm assuming that the client gets the proper VLAN *prior* to going into
>>>> sleep mode and it's only after a wake that it gets stuck in the guest VLAN.
>>>>
>>>> Just a few ideas.
>>>>
>>>> Brandon
>>>>
>>>>
>>>> On Mar 14, 2013, at 7:33 AM, Charlie_CA <spycharlies_at_gmail.com> wrote:
>>>>
>>>> Hi Experts,
>>>>
>>>> I have been playing with ISE over the last few days, and noticed a
>>>> problem when Windows goes to sleep...
>>>>
>>>> I have a few policies including
>>>>
>>>> 1. If a machine authenticates via Active Directory, it is granted full
>>>>    access
>>>> 2. If a user authenticates via AD (with Machine already authenticated) =
>>>>    grants full access
>>>> 3. All other 802.1x is granted partial access = Guest vlan
>>>>
>>>> The issue is when Windows goes to sleep, authenticated AD users and
>>>> machine are put on Guest vlan; when I log back in, it still remains on
>>>> Guest VLan. My temporary solution was to completely log off the computer
>>>> and log back in so Windows can re-authenticate.
>>>>
>>>> If this was in production, it will be a mess getting everyone to log off
>>>> and log back in. Have you witnessed this? How did you solve it?
>>>>
>>>> Thanks
>>>>
>>>> ~
>>>>
>>>> Charlie
>>>>
>>>>
>>>> Blogs and organic groups at http://www.ccie.net
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
>>
>> --
>> CCIEx2 (R&S|Sec) #19963
Received on Fri Mar 15 2013 - 14:20:08 ART
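
The three authorization rules quoted in the thread, modelled as an added example (not code from any poster and not ISE's own logic) to show which single condition sends an AD user to Guest. Top-down first-match evaluation, the implicit AND between conditions, the `Wireless802.1x` condition being the two RADIUS attributes, the `DenyAccess` fallback, and a user session arriving with the machine-authenticated flag false are all assumptions made for illustration.

```python
# Added example: simplified model of the three authorization rules quoted in
# the thread. First-match order and the implicit AND are assumptions.
WIRELESS = {"Radius:Service-Type": "Framed",
            "Radius:Nas-Port-Type": "Wireless IEEE 802.11"}
RULES = [
    ("Machine", {**WIRELESS,
        "AD1:ExternalGroup": "charlie.local/Users/Domain Computers"},
     "PermitAccess"),
    ("Users", {**WIRELESS,
        "AD1:ExternalGroup": "charlie.local/Users/Domain Users",
        "Network Access:WasMachineAuthenticated": "True",
        "Network Access:AuthenticationMethod": "MSCHAPv2"},
     "PermitAccess"),
    ("AllOtherWireless", dict(WIRELESS), "Guest"),
]

def authorize(session):
    """Return (rule, permission) of the first rule whose conditions all hold."""
    for name, conditions, permission in RULES:
        if all(session.get(k) == v for k, v in conditions.items()):
            return name, permission
    return None, "DenyAccess"  # assumed fallback when no rule matches

def unmet(session, rule_name):
    """Conditions of rule_name that this session fails, for troubleshooting."""
    conditions = next(c for n, c, _ in RULES if n == rule_name)
    return sorted(k for k, v in conditions.items() if session.get(k) != v)

def user_session(machine_flag):
    # Constructed sample attributes, not captured from ISE.
    return {**WIRELESS,
            "AD1:ExternalGroup": "charlie.local/Users/Domain Users",
            "Network Access:WasMachineAuthenticated": machine_flag,
            "Network Access:AuthenticationMethod": "MSCHAPv2"}

MACHINE_SESSION = {**WIRELESS,
    "AD1:ExternalGroup": "charlie.local/Users/Domain Computers"}

if __name__ == "__main__":
    for label, s in [("machine", MACHINE_SESSION),
                     ("user, flag True", user_session("True")),
                     ("user, flag False", user_session("False"))]:
        rule, perm = authorize(s)
        print(f"{label:18} -> {rule}/{perm}  unmet Users: {unmet(s, 'Users')}")
```

Comparing the unmet conditions against the attributes shown for a Guest-assigned session narrows down whether the client failed to authenticate at all or authenticated but missed one rule condition.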