https://community.cisco.com/t5/network-access-control/constant-ad-authentication-failures-jcifs-from-ise-server/m-p/3499913#M510147 <HTML><HEAD></HEAD><BODY><P>Go to [Operations &gt; Reports &gt; Reports &gt; Diagnostics &gt; RADIUS Errors] and filter on failure Reason with "Active Directory" and on Identity with the username.</P></BODY></HTML> Mon, 07 May 2018 17:09:21 GMT hslai 2018-05-07T17:09:21Z https://community.cisco.com/t5/network-access-control/constant-ad-authentication-failures-jcifs-from-ise-server/m-p/3499912#M510146 <HTML><HEAD></HEAD><BODY><P>We are seeing thousands of authentication failures with the "source IP" of the ISE server. The username every time is "administrator" and the workstation is "JCIFS141.20_C9". I suspected, and confirmed from a post on Microsoft communities that the last part of the name are the last part of the machines IP address.&nbsp; (<A href="https://social.technet.microsoft.com/Forums/windowsserver/en-US/ceb178b9-d25c-4298-87c1-d339cfde631e/tracking-account-lockout-from-jcifs?forum=winserverDS" title="https://social.technet.microsoft.com/Forums/windowsserver/en-US/ceb178b9-d25c-4298-87c1-d339cfde631e/tracking-account-lockout-from-jcifs?forum=winserverDS">Tracking Account Lockout from JCIFS?</A>)</P><P></P><P>would ISE be generating these connections (I doubt it) or more likely, I would think, these auth failures are coming from some device endpoint device on the network. I am having a really hard time filtering through the ISE dashboards in an attempt to narrow down where these might be coming from. The only rejected endpoints in ISE are due to error 15039. After some cursory reading over ISE documentation that seems more like an ISE profile rejection rather than&nbsp; AD auth failure. </P><P></P><P>Can I generate any report in ISE to show which endpoint is experiencing a high amount of AD auth failures with a particular username?</P></BODY></HTML> Sat, 05 May 2018 17:48:23 GMT https://community.cisco.com/t5/network-access-control/constant-ad-authentication-failures-jcifs-from-ise-server/m-p/3499912#M510146 hiker88 2018-05-05T17:48:23Z https://community.cisco.com/t5/network-access-control/constant-ad-authentication-failures-jcifs-from-ise-server/m-p/3499913#M510147 <HTML><HEAD></HEAD><BODY><P>Go to [Operations &gt; Reports &gt; Reports &gt; Diagnostics &gt; RADIUS Errors] and filter on failure Reason with "Active Directory" and on Identity with the username.</P></BODY></HTML> Mon, 07 May 2018 17:09:21 GMT https://community.cisco.com/t5/network-access-control/constant-ad-authentication-failures-jcifs-from-ise-server/m-p/3499913#M510147 hslai 2018-05-07T17:09:21Z https://community.cisco.com/t5/network-access-control/constant-ad-authentication-failures-jcifs-from-ise-server/m-p/3801285#M510149 <P>While I can't be certain in your case, my issue turned out to be the credentials that were stored in the PassiveID Domain Controllers settings.</P> <P>&nbsp;</P> <P>Administration &gt; Identity Management &gt; External Identity Sources &gt; Active Directory &gt; join point of your domain &gt; Passive ID &gt; then select a DC and Edit, updating your credentials.</P> <P>&nbsp;</P> <P>In my case, we don't need to use Passive ID at the moment, and I've disabled the feature entirely on our policy nodes.&nbsp; After doing this, the logs (in Splunk for "JCIFSxxx Failure") report no more incidents of my domain credentials being rejected, thus no longer triggering an account lockout.</P> <P>&nbsp;</P> <P>Cheers,</P> <P>Daniel&nbsp;</P> Wed, 13 Feb 2019 20:00:56 GMT https://community.cisco.com/t5/network-access-control/constant-ad-authentication-failures-jcifs-from-ise-server/m-p/3801285#M510149 cumminsdm 2019-02-13T20:00:56Z https://community.cisco.com/t5/network-access-control/constant-ad-authentication-failures-jcifs-from-ise-server/m-p/3803348#M510158 <P><A href="https://community.cisco.com/t5/user/viewprofilepage/user-id/112330" target="_blank">cumminsdm</A>&nbsp;is likely right or it could also be due to integrating SCCM with ISE. See also&nbsp;</P> <P><A href="https://social.technet.microsoft.com/Forums/en-US/bf5d80a1-9785-4ba0-a611-5ca96be117d7/ad-account-is-getting-locked-from-domain-controller?forum=winserverDS" target="_blank">AD account is getting locked from Domain controller</A></P> Sat, 16 Feb 2019 20:37:59 GMT https://community.cisco.com/t5/network-access-control/constant-ad-authentication-failures-jcifs-from-ise-server/m-p/3803348#M510158 hslai 2019-02-16T20:37:59Z