ISE 2.2 Patch 1 affecting AD authentications

Allen P Chen — Tue, 06 Jun 2017 14:51:36 GMT

Hi Folks,

I noticed after applying Patch 1 to ISE 2.2 that none of AD authentications were working. The message was "22056 Subject not found in the applicable identity store(s)". Here are the logs. Notice that even though ISE detected a matching account in the AD join point, it still went on to the next identity store.

11001 Received RADIUS Access-Request

11017 RADIUS created a new session

11117 Generated a new session ID

15049 Evaluating Policy Group

15008 Evaluating Service Selection Policy

15048 Queried PIP - Network Access.NetworkDeviceName

15048 Queried PIP - Radius.NAS-Port-Id

15048 Queried PIP - Radius.NAS-Port-Type

15004 Matched rule - PAP_ASCII_ASYNC

15041 Evaluating Identity Policy

15006 Matched Default Rule

22072 Selected identity source sequence - AD_LOCAL

15013 Selected Identity Source - AD1

24430 Authenticating user against Active Directory - AD1

24325 Resolving identity - ise_ad

24313 Search for matching accounts at join point - demo.local

24319 Single matching account found in forest - demo.local

24323 Identity resolution detected single matching account

24343 RPC Logon request succeeded - ise_ad@demo.local

15013 Selected Identity Source - Internal Users

24210 Looking up User in Internal Users IDStore - ise_ad

24216 The user is not found in the internal users identity store

22016 Identity sequence completed iterating the IDStores

22056 Subject not found in the applicable identity store(s)

22058 The advanced option that is configured for an unknown user is used

22061 The 'Reject' advanced option is configured in case of a failed authentication request

11003 Returned RADIUS Access-Reject

I removed Patch 1 and authentication was successful again. Here are the logs:

11001 Received RADIUS Access-Request

11017 RADIUS created a new session

11117 Generated a new session ID

15049 Evaluating Policy Group

15008 Evaluating Service Selection Policy

15048 Queried PIP - Network Access.NetworkDeviceName

15048 Queried PIP - Radius.NAS-Port-Id

15048 Queried PIP - Radius.NAS-Port-Type

15004 Matched rule - PAP_ASCII_ASYNC

15041 Evaluating Identity Policy

15006 Matched Default Rule

22072 Selected identity source sequence - AD_LOCAL

15013 Selected Identity Source - AD1

24430 Authenticating user against Active Directory - AD1

24325 Resolving identity - ise_ad

24313 Search for matching accounts at join point - demo.local

24319 Single matching account found in forest - demo.local

24323 Identity resolution detected single matching account

24343 RPC Logon request succeeded - ise_ad@demo.local

24402 User authentication against Active Directory succeeded - AD1

22037 Authentication Passed

15036 Evaluating Authorization Policy

24432 Looking up user in Active Directory - AD1

24355 LDAP fetch succeeded - demo.local

24416 User's Groups retrieval from Active Directory succeeded - AD1

15048 Queried PIP - AD1.ExternalGroups

15048 Queried PIP - Radius.NAS-Port-Type

15004 Matched rule - DEVICE_ADMIN_AD_SYNC

15016 Selected Authorization Profile - PERMIT_PRIV15

22081 Max sessions policy passed

22080 New accounting session created in Session cache

11002 Returned RADIUS Access-Accept

Is this a known issue? Not sure why Patch 1 does not perform user authentication against AD even though the account is recognized.

Thanks in advance.

Re: ISE 2.2 Patch 1 affecting AD authentications

Jason Kunst — Tue, 06 Jun 2017 15:55:21 GMT

Alan if this is for a customer open a tac case, researching otherwise

Re: ISE 2.2 Patch 1 affecting AD authentications

Allen P Chen — Tue, 06 Jun 2017 15:58:40 GMT

Hi Jason,

Thanks for chiming in. This is for my home lab. I was testing something for a customer and prior to testing, I decided to install Patch 1. Thought it was something with my AD instance. Long story short, I removed Patch 1 and everything is back to normal.

Re: ISE 2.2 Patch 1 affecting AD authentications

Jason Kunst — Tue, 06 Jun 2017 18:03:50 GMT

Thanks if you can reproduce and want to work with us then maybe that could be setup, otherwise will move on if we can’t work on reproduction

topic Re: ISE 2.2 Patch 1 affecting AD authentications in Network Access Control

ISE 2.2 Patch 1 affecting AD authentications

Re: ISE 2.2 Patch 1 affecting AD authentications

Re: ISE 2.2 Patch 1 affecting AD authentications

Re: ISE 2.2 Patch 1 affecting AD authentications