Authentication by Machine certificate changed after ISE 2.4 patch 12

pnavratil — Thu, 28 May 2020 15:03:36 GMT

My customer with quite a large ISE deployment applyed ISE 2.4 Patch 12 today. After applying the patch, he encouter serios authentication problems on machines using machine certificate for authentication.

I investigate the change and found very strange behavioru - at yhe end of authentication process after Patch 12 the ISE search only user database to find the resolved identity and as there was no suh user - authentication failed - this is the end of Authentication Detail:

-----

24433	Looking up machine in Active Directory - AD-XXXXX
24325	Resolving identity - 402-A148-PROC2.XXXXXX
24313	Search for matching accounts at join point - XXXXXX
24319	Single matching account found in forest - XXXXX
24323	Identity resolution detected single matching account
24700	Identity resolution by certificate succeeded - AD-XXXXX
22037	Authentication Passed
12506	EAP-TLS authentication succeeded
15036	Evaluating Authorization Policy
15048	Queried PIP - Network Access.UserName
15048	Queried PIP - InternalUser.Name
24432	Looking up user in Active Directory - 402-A148-PROC2.XXXXX
24325	Resolving identity
24313	Search for matching accounts at join point
24318	No matching account found in forest
24322	Identity resolution detected no matching account
24352	Identity resolution failed
24412	User not found in Active Directory
15048	Queried PIP - XXXXXX.ExternalGroups (2 times)
15048	Queried PIP - DEVICE.Location
15048	Queried PIP - XXXXXX.ExternalGroups (64 times)
15016	Selected Authorization Profile - DenyAccess
15039	Rejected per authorization profile
11503	Prepared EAP-Success
11003	Returned RADIUS Access-Reject

-----------

Then I traied to ssmall change in certificate authentication profile and selected

Use Identity From: Any Subject or Alternative Name Attributes in the Certificate (for Active Directory Only)

previously ttere was Certificate Attribute - Subject - Common Name

After this change the authentication started to work again - this time the detail change to this:

-------------

24433	Looking up machine in Active Directory - AD-XXXXX
24325	Resolving identity - CN=402-A148-PROC2.XXXXX, 402-A148-PROC2.XXXXX, 402-A148-PROC2.XXXXXX
24313	Search for matching accounts at join point - XXXXX
24319	Single matching account found in forest - XXXXXX
24323	Identity resolution detected single matching account
24700	Identity resolution by certificate succeeded - AD-XXXXX
22037	Authentication Passed
12506	EAP-TLS authentication succeeded
15036	Evaluating Authorization Policy
15048	Queried PIP - Network Access.UserName
15048	Queried PIP - InternalUser.Name
24433	Looking up machine in Active Directory - 402-A148-PROC2$@XXXXXX
24325	Resolving identity
24313	Search for matching accounts at join point
24318	No matching account found in forest
24315	Single matching account found in domain
24323	Identity resolution detected single matching account
24325	Resolving identity
24313	Search for matching accounts at join point
24318	No matching account found in forest
24315	Single matching account found in domain
24323	Identity resolution detected single matching account
24355	LDAP fetch succeeded
24435	Machine Groups retrieval from Active Directory succeeded
15048	Queried PIP - AD-XXXXX.ExternalGroups
15048	Queried PIP - XXXX.Location
15016	Selected Authorization Profile - VlanXXX
22081	Max sessions policy passed
22080	New accounting session created in Session cache
11503	Prepared EAP-Success
11002	Returned RADIUS Access-Accept

------------------------

so now it looks for machine account 402-A148-PROC2$@XXXXXX which is working. It is still big mystery, how the identity resoluton work and more, what changed ofter patch 12 - I do not need to mention the whole authentication process was fully working before Patch 12.

Can somebody explain this? Is there anybody with simmilar experience?

Regards

Pavel

Re: Authentication by Machine certificate changed after ISE 2.4 patch 12

Aileron88 — Thu, 28 May 2020 22:34:03 GMT

Hi,

I believe this is related to the issue found here:

https://community.cisco.com/t5/network-access-control/ise-machine-authentication-failure/m-p/4084434

Thanks

topic Authentication by Machine certificate changed after ISE 2.4 patch 12 in Network Access Control

Authentication by Machine certificate changed after ISE 2.4 patch 12

Re: Authentication by Machine certificate changed after ISE 2.4 patch 12