topic Re: AD users failing to authenticate on Cisco ISE in Network Access Control

AD users failing to authenticate on Cisco ISE

cfak211 — Tue, 06 Aug 2024 09:50:40 GMT

Hi all,

Recently I've been facing an issue in my environment whereby accounts from Active Directory fail to authenticate on Cisco switches. Logs in Cisco ISE (TACACS > Live logs) show that selected shell profile is "Deny Access". However, according to my policy set configuration, I feel it should be going to a different shell profile ("Cisco Read Write").

TACACS live logs also show that the user is found in our AD so I'm unsure why the authentication is failing. Any help in resolving this issue and enabling AD logins on network devices would be appreciated. I have attached pictures of my device admin policy set and TACACS live logs for clarity.

Cheers

Re: AD users failing to authenticate on Cisco ISE

MHM Cisco World — Tue, 06 Aug 2024 10:26:50 GMT

Check depoly and license

-Admin>system >deployment

Enable device admin service

-admin > system > licensing

Device admin

MHM

Re: AD users failing to authenticate on Cisco ISE

ahollifield — Tue, 06 Aug 2024 15:22:50 GMT

Not enough information here to help unfortunately. But something is not matching your configured authorization rules. Your AD authentication is successful. My guess is the AD Group is not matching.

Re: AD users failing to authenticate on Cisco ISE

Greg Gibbs — Tue, 06 Aug 2024 22:22:59 GMT

To follow on to @ahollifield's comment, you might need to check the permissions on the ISE machine account in AD to ensure you have the necessary permissions as per this table... especially the 'Read tokenGroups' permission as that is required for group membership lookups.

You can also use the Test Users tool in ISE to confirm it sees the expected group memberships for the User account.

Re: AD users failing to authenticate on Cisco ISE

cfak211 — Wed, 07 Aug 2024 02:32:58 GMT

@MHM Cisco World Just checked, both Device admin service and Device admin license are active.

@Greg Gibbs I've tried the "Test user" tool and it's returning "Success" on the Authentication result, the group this particular account is a member of on the AD is showing up as well in the "Groups" tab.

I'm not aware of any ISE machine account in our AD however, is this something that will need to be configured on both the ISE and AD?

Thanks all for the responses.

Re: AD users failing to authenticate on Cisco ISE

Greg Gibbs — Wed, 07 Aug 2024 23:07:46 GMT

If you have integrated ISE with AD via a Join Point, there would have to be machine accounts created in AD for the ISE nodes.

Have you tried removing the condition related to 'InternalUser'. I don't understand why that is there if you are authorizing an external user against Active Directory. What are you trying to match with that condition?

Re: AD users failing to authenticate on Cisco ISE

cfak211 — Thu, 08 Aug 2024 01:16:49 GMT

That condition is actually there to enable logins to network devices from an internal account on ISE if connection to the AD fails.

Actually the problem is currently resolved, I just deleted the policy and added the conditions one by one. Now both AD accounts and the internal account are able to authenticate successfully.