topic Re: ISE 2.3 and Active Directory Probe in Network Access Control

ISE 2.3 and Active Directory Probe

creserva1 — Tue, 09 Oct 2018 21:24:47 GMT

I think this bug is hitting our ISE and we are not able to use AD-Join-Host-Point as one of authentication for host.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf55996

Re: ISE 2.3 and Active Directory Probe

hslai — Sat, 20 Oct 2018 19:44:16 GMT

This is a mis-interpretation.

AD-Join-Point (without "-Host-") is the one collected by ISE profiler's AD probe. And, AD-Host-Join-Point (with "-Host-") is collected by ISE profiler's RADIUS probe. As a result, it's not currently available in the dictionary ACTIVEDIRECTORY_PROBE.

Re: ISE 2.3 and Active Directory Probe

creserva1 — Wed, 24 Oct 2018 13:26:31 GMT

With that being said I can't use it as a profiler condition?

Re: ISE 2.3 and Active Directory Probe

hslai — Wed, 24 Oct 2018 15:14:19 GMT

With that being said I can't use it as a profiler condition?

Your picture shows AD-Join-Point used as a condition for a profiler check. It would be a bug if that is not working to make a match. As said previously, the other attribute, despite with the same value most of the time, is not available for such.

Re: ISE 2.3 and Active Directory Probe

creserva1 — Wed, 24 Oct 2018 16:28:45 GMT

Checking EndPointSource Active Directory Probe, other attributes is AD-Host-Join-Point but on profiler condition is AD-Join-Point. The AD-Join-Point is not showing on Endpoint other attributes.

If AD-Host-Join-Point used by ISE Radius probe, how can I make ISE to perform EndPointSource Radius Probe instead of Active Directory Probe? Turning off AD probe will that make it Radius probe to take place?

Re: ISE 2.3 and Active Directory Probe

hslai — Wed, 24 Oct 2018 16:57:27 GMT

No, it won't work like that. It's likely you are hitting some other bug, such as CSCve03360

Re: ISE 2.3 and Active Directory Probe

creserva1 — Wed, 24 Oct 2018 17:05:30 GMT

Our ISE 2.3 installed patch 2,3 I was planning on installing patch 4 and patch 5. Will that address the bug problem?

Re: ISE 2.3 and Active Directory Probe

Damien Miller — Wed, 24 Oct 2018 18:01:49 GMT

When you patch ISE, you don't need to install every patch released. The most recent patch incorporates all the previous patch fixes.
ex. You can apply just patch 5 on your ISE deployment and it will include all patch 1-4 items too.

Just commentary on patching. I don't know if your issue is fixed in patch X. When I am unsure if an issue is fixed in patch X, I work with TAC, I would suggest you do the same here. It can be very difficult to troubleshoot/identify fridge issues via forum posts.

Re: ISE 2.3 and Active Directory Probe

hslai — Wed, 24 Oct 2018 23:41:45 GMT

I concurred with Damien's comment.

CSCve03360 is due to ISE 2.2+ using AD probe to fetch both computer info and user info and two types of fetches using the same AD-Last-Fetch-Time such that computer info fetch not occurring if user info fetched within the last 24 hour or the configured interval. The bug is addressed in ISE 2.4 FCS. CSCvm72309 observed in ISE 2.4 Patch 1+.

Your deployment might need both bug fixes and TAC may help analyzing that.

Re: ISE 2.3 and Active Directory Probe

creserva1 — Thu, 25 Oct 2018 15:42:16 GMT

I turned on debug on ISE for profiler and I found out that the initial authentication method is MAB, then Radius Probe and then last Active Directory Probe.

I shutdown the interface first, deleted the endpoint on the ISE, rebooted the pc and do no shutdown on interface. For the first time when ISE sees the MAC address it will be unknown but the first sequence is MAB, then Radius Probe and then Active Directory probe.

ISE of course after I deleted the endpoint it has no longer the mac address in its database. How can I configure the ISE to perform Radius Probe or AD Probe only?

Re: ISE 2.3 and Active Directory Probe

creserva1 — Thu, 25 Oct 2018 16:03:36 GMT

Radius Probe

Attribute:AAA-Server value:<omitted>
Attribute:AD-Error-Details value:Domain trust is one-way
Attribute:AD-Groups-Names value:<omitted>/Builtin/Domain Computers
Attribute:AD-Host-Candidate-Identities value:<omitted>
Attribute:AD-Host-DNS-Domain value:<omitted>
Attribute:AD-Host-Join-Point value:EXAMPLE.ORG
Attribute:AD-Host-NetBios-Name value:EXAMPLE
Attribute:AD-Host-Resolved-DNs value:<omitted>
Attribute:AD-Host-Resolved-Identities <omitted>
Attribute:AD-Last-Fetch-Time value:1540480415942
Attribute:AKI value:<omitted>
Attribute:AuthenticationIdentityStore value:EXAMPLE
Attribute:AuthenticationMethod value:x509_PKI
Attribute:AuthenticationStatus value:AuthenticationPassed
Attribute:AuthorizationPolicyMatchedRule value:AD OU Computers Root CA
Attribute:BYODRegistration value:Unknown
Attribute:CacheUpdateTime value:1540480415962
Attribute:Called-Station-ID value:<omitted>
Attribute:Calling-Station-ID value:<omitted>
Attribute:CreateTime value:1540480406501
Attribute:DTLSSupport value:Unknown
Attribute:Days to Expiry value:3393
Attribute:DestinationIPAddress value:<omitted>
Attribute:DestinationPort value:1812
Attribute:Device IP Address value:<omitted>
Attribute:Device Identifier value:
Attribute:Device Port value:1645
Attribute:Device Type value:<omitted>
Attribute:DeviceRegistrationStatus value:NotRegistered
Attribute:EndPointMACAddress value:<omitted>
Attribute:EndPointPolicy value:Dell-Inc-Device
Attribute:EndPointPolicyID value:<omitted>
Attribute:EndPointProfilerServer value:<omitted>
Attribute:EndPointSource value:RADIUS Probe

On the Profiling Condition , selecting Radius as Type, searching for AD-Host-Join-Point name is not available. I can't build these attributes and use it for matching endpoint that are part of Active Directory.

Here is the AD Probe

MAC: <omitted>
Attribute:AD-Last-Fetch-Time value:1540480480951
Attribute:BYODRegistration value:Unknown
Attribute:DeviceRegistrationStatus value:NotRegistered
Attribute:EndPointProfilerServer value:<omitted>
Attribute:EndPointSource value:Active Directory Probe
Attribute:MACAddress value:<omitted>
Attribute:NmapSubnetScanID value:0
Attribute:OUI value:Dell Inc.
Attribute:PolicyVersion value:0
Attribute:PortalUser value:
Attribute:PostureApplicable value:Yes
Attribute:User-Fetch-CountryName value:
Attribute:User-Fetch-Department value:
Attribute:User-Fetch-Email value:
Attribute:User-Fetch-First-Name value:
Attribute:User-Fetch-Job-Title value:
Attribute:User-Fetch-Last-Name value:
Attribute:User-Fetch-LocalityName value:
Attribute:User-Fetch-Organizational-Unit value:
Attribute:User-Fetch-StateOrProvinceName value:
Attribute:User-Fetch-StreetAddress value:
Attribute:User-Fetch-Telephone value:
Attribute:User-Fetch-User-Name value:<omitted>
Attribute:SkipProfiling value:false

The attribute for AD-Join-Point is not even showing.

Re: ISE 2.3 and Active Directory Probe

ramkchel — Thu, 25 Oct 2018 16:40:44 GMT

Please check if this post could help you

https://community.cisco.com/t5/policy-and-access/ise-2-3-and-active-directory-probe/td-p/3351475

Re: ISE 2.3 and Active Directory Probe

hslai — Thu, 25 Oct 2018 18:12:54 GMT

Attribute:AD-Last-Fetch-Time value:1540480480951

...
Attribute:User-Fetch-CountryName value:
Attribute:User-Fetch-Department value:
Attribute:User-Fetch-Email value:
Attribute:User-Fetch-First-Name value:
Attribute:User-Fetch-Job-Title value:
Attribute:User-Fetch-Last-Name value:
Attribute:User-Fetch-LocalityName value:
Attribute:User-Fetch-Organizational-Unit value:
Attribute:User-Fetch-StateOrProvinceName value:
Attribute:User-Fetch-StreetAddress value:
Attribute:User-Fetch-Telephone value:
Attribute:User-Fetch-User-Name value:<omitted>

This is pretty much CSCve03360. The User-Fetch-* attributes are fetched by the AD probe for the user visibility data and updated AD-Last-Fetch-Time so the AD probe won't fetch for the computer data for another 24 hours. I do not know any reliable workaround until getting the fix for the bug.