◆ Cisco ISE - 802.1X EAP-TLS - Success!
・ Cisco ISE - Operations - Authentication - Details
・ Catalyst 2960-X - IOS 15.x - show authentication sessions interface gigabitEthernet 1/0/1
%AUTHMGR-5-START: Starting 'dot1x' for client (0000.0011.1111) on Interface Gi1/0/1 AuditSessionID C0A000
%DOT1X-5-SUCCESS: Authentication successful for client (0000.0011.1111) on Interface Gi1/0/1 AuditSessionID C0A000
%AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0000.0011.1111) on Interface Gi1/0/1 AuditSessionID C0A000
%AUTHMGR-5-SUCCESS: Authorization succeeded for client (0000.0011.1111) on Interface Gi1/0/1 AuditSessionID C0A000
%LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up
◆ Cisco ISE - 802.1X EAP-TLS - Failed (result of presenting an invalid client certificate)
Cisco ISE checks the validity of the client certificate presented by the client PC against the root certificate of the CA that ISE holds in its trust store. The ISE authentication failure log below is what appears when there is a problem with the client certificate the PC presented. The log shown here was produced when a certificate issued by a different CA was used.
If the server certificate and root certificate installed on ISE are issued by one certificate authority (CA1), while the client certificate and root certificate installed on the client PC are issued by another certificate authority (CA2), then authenticating with these certificates fails as shown below.
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12502 Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12809 Prepared TLS CertificateRequest message
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12815 Extracted TLS Alert message
12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate
12507 EAP-TLS authentication failed
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
5434 Endpoint conducted several failed authentications of the same scenario
The ISE authentication failure log above is the Steps information of the event "5434 Endpoint conducted several failed authentications of the same scenario".
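As an added example (not part of the original page), the Python script below parses an ISE Steps list like the one above and reports how far the EAP-TLS handshake got and which step ended the session. The sample input is constructed from the failed session above; the meaning attached to each step code is taken from the step text on this page, so 12520 is reported as what its own text says: the supplicant sent a TLS Alert rejecting the ISE server certificate.

```python
import re
# Constructed sample input: the ISE "Steps" of the failed EAP-TLS session shown
# above, reduced to the lines that matter, with entry 12520 re-joined on one line.
FAILED_STEPS = """\
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
12805 Extracted TLS ClientHello message
12807 Prepared TLS Certificate message
12809 Prepared TLS CertificateRequest message
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12815 Extracted TLS Alert message
12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate
12507 EAP-TLS authentication failed
11003 Returned RADIUS Access-Reject
5434 Endpoint conducted several failed authentications of the same scenario
"""
STEP_RE = re.compile(r"^\s*(\d{4,5})\s+(\S.*?)\s*$")

# Step codes seen on this page, mapped to what they tell the operator.
CAUSES = {
    "12520": "supplicant sent a TLS Alert rejecting the ISE server certificate: "
             "it does not trust the CA that issued that certificate",
    "12507": "EAP-TLS authentication failed (no more specific step recorded)",
}

def parse_steps(text):
    """Return (code, message) pairs; lines that are not ISE steps are ignored."""
    return [m.groups() for m in map(STEP_RE.match, text.splitlines()) if m]

def diagnose(text):
    """Summarize one session: how far the TLS handshake got and why it ended."""
    codes = [code for code, _ in parse_steps(text)]
    phase = "no TLS handshake"
    if "12809" in codes:
        phase = "CertificateRequest sent, waiting for the client certificate"
    elif "12805" in codes:
        phase = "ClientHello received"
    # First cause code in the order ISE logged it wins (12520 precedes 12507 here).
    cause = next((CAUSES[c] for c in codes if c in CAUSES), None)
    return {
        "access_requests": codes.count("11001"),
        "phase": phase,
        "client_alert": "12815" in codes,
        "rejected": "11003" in codes,
        "repeated_failures": "5434" in codes,
        "cause": cause,
    }
```

Run `diagnose(FAILED_STEPS)` on the sample to see that the handshake reached CertificateRequest and was ended by the client's TLS Alert, which points at the supplicant's trusted-root configuration rather than at ISE's policy.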
The switch status is as follows. When authentication fails, authorization fails along with it. At this point the port LED stays amber and the port cannot pass traffic.
Note: if authentication open is configured, the LED shows green instead.
%AUTHMGR-5-START: Starting 'dot1x' for client (0000.0011.1111) on Interface Gi1/0/1 AuditSessionID C0A000
%DOT1X-5-FAIL: Authentication failed for client (0000.0011.1111) on Interface Gi1/0/1 AuditSessionID C0A000
%AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0000.0011.1111) on Interface Gi1/0/1 AuditSessionID C0A000
%AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0000.0011.1111) on Interface Gi1/0/1 AuditSessionID C0A000
%LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up
# show authentication sessions interface gigabitEthernet 1/0/1
Interface: GigabitEthernet1/0/1
MAC Address: 0000.0011.1111
IP Address: Unknown
User-Name: host/cool2.infraexpert.com
Status: Authz Failed
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: C0A000
Acct Session ID: 0x000000A1
Handle: 0xCE000099
Runnable methods list:
Method State
dot1x Authc Failed
mab Not run