topic Re: seems to be working I in Network Access Control

Cisco ISE Machine failed machine authentication

Simon Laurendeau — Mon, 11 Mar 2019 04:43:54 GMT

Hi, Since we migrated to ISE 1.2 patch 7 we are having problems with our corporate SSID.

We have a rule that basically say :

User is Domain User.

Machine is in domain.

But for some reason some workstation are getting denied by this :

24423 ISE has not been able to confirm previous successful machine authentication for user in Active Directory

I was wondering if I could force a sync ?

Have you tried to rejoin the

kaaftab — Tue, 20 May 2014 17:43:22 GMT

Have you tried to rejoin the computer to the domain as some time the machine password gets expired and requires renewal and then do the ISE based authentication if you still gets this error then try to to roll back to the previous ISE patch if it was working successfully.

****Do rate helpful posts*****

Are you using EAP-Chaining

nspasov — Thu, 22 May 2014 22:54:52 GMT

Are you using EAP-Chaining (EAP-TEAP) or are you utilizing MAR (machine access restriction)? Can you provide some screen shots of the rules that you have in place?

We use MAR.Rule Screenshot

Simon Laurendeau — Fri, 23 May 2014 15:05:37 GMT

We use MAR.

Rule Screenshot :

AD Settings :

Allow Protocol :

I've been workign with ISE for a month now and still trying to understand alot of it so thank you all for your help!

OK, thank you for the

nspasov — Fri, 23 May 2014 19:07:33 GMT

OK, thank you for the screenshots. So the machine authentication related to MAR only happens when:

1. The machine first boots up

2. The user logs off and logs back in to the computer

ISE then stores the machine's MAC address information until the "Aging Time" expires. In your situation that is 8760 hours. Once that timer expires the user will have to either reboot the machine or log off/log back in. In addition, MAR comes with a couple of caveats:

1. The MAR information/state is not replicated between ISE nodes. Thus, if you are load balancing the sessions and/or you have a failover all of the previously MAR authenticated machines would have to either be rebooted or logged off/logged back on.

2. Since the method uses the MAC address of the machine the authentication process would have to be repeated if authenticating MAC address changes. For instance, a user comes comes to the office, boots the computer and authenticates on the wireless and everything works as expected. However, the user then goes to his/hers desk and connects to a wired port. At that point the machine will need to perform wired authentication, thus, it will be using the MAC address from its wired LAN adapter. That MAC address won't be in ISE's database and the machine will be marked as "not previously authenticated." At this point another restart/logg off/on will be required. The same will apply if the user for some reason uses a docking station. The docking station will have it's own MAC address that will be different than the one from the machine which won't be in the database of ISE.

Overall, MAR is not be most elegant solution. There are some good alternatives out there. You can take a look at the following document:

http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116516-problemsolution-technology-00.html

Hope this helps.

Thank you for rating!

Hi,While using MAR to make

radu.ioncu — Sun, 25 May 2014 08:01:44 GMT

Hi,

While using MAR to make sure that corporate users are actually using a domain computer to connect to the network was a discussion topic in several implementations, it was quickly scrapped due to the numerous issues:

- Sleeping computers may not perform machine authentication first

- Users with laptops going from wired to wireless wouldn't perform machine authentication first -> failed user auth

I suggest you try EAP-Chaining with the Anyconnect supplicant.

Simon, were we able to solve

nspasov — Wed, 28 May 2014 17:37:29 GMT

Simon, were we able to solve your issue? If not let us know if you need more clarifications. Otherwise, please mark the thread as closed/answered 🙂

I am still working on this I

Simon Laurendeau — Wed, 28 May 2014 17:40:25 GMT

I am still working on this I can't figure out how some PC just won't authenticate (No trace in ISE) I'm waiting on an internal signing request for ISE to see if that would help

Hmm, that is interesting. You

nspasov — Wed, 28 May 2014 17:58:03 GMT

Hmm, that is interesting. You should be seeing hits in ISE weather they were for successful or unsuccessful authentications. Did you make sure that all of your NADs (Switches, WLCs) are added to ISE. Also, under Administration > Settings > Protocols > Radius, check and see if you have Suppression enabled. This will prevent ISE from showing up logs for "miss-behaving" clients. You can temporary disable it and troubleshoot the issue.

Is this normal ?show radius

Simon Laurendeau — Wed, 28 May 2014 19:02:21 GMT

Is this normal ?

show radius summary

Authentication Servers

Idx Type Server Address    Port    State     Tout MgmtTout RFC3576 IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
--- ---- ---------------- ------ -------- ---- -------- ------- ------------------------------------------------
1    NM    10.1.1.34         1812    Enabled   2     2         Enabled   Disabled - none/unknown/group-0/0 none/none
2    NM    10.4.2.36         1812    Enabled   2     2         Enabled   Disabled - none/unknown/group-0/0 none/none
3    NM    10.8.2.84         1812    Enabled   2     2         Enabled   Disabled - none/unknown/group-0/0 none/none

Accounting Servers

--More or (q)uit current module or <ctrl-z> to abort

Idx Type Server Address    Port    State     Tout MgmtTout RFC3576 IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
--- ---- ---------------- ------ -------- ---- -------- ------- ------------------------------------------------
1      N     10.1.1.34         1813    Enabled   2     2         N/A       Disabled - none/unknown/group-0/0 none/none
2      N     10.4.2.36         1813    Enabled   2     2         N/A       Disabled - none/unknown/group-0/0 none/none
3      N     10.8.2.84         1813    Enabled   2     2         N/A       Disabled - none/unknown/group-0/0 none/none

Where are you pulling this

nspasov — Thu, 29 May 2014 01:34:49 GMT

Where are you pulling this information from? I mean what type of device?

Also, is this for wired or wireless?

This is for wireless and it

Simon Laurendeau — Thu, 29 May 2014 13:53:05 GMT

This is for wireless and it is from our WLC

From the WLC issue:debug

nspasov — Fri, 30 May 2014 05:44:34 GMT

From the WLC issue:

debug client client_mac_address

Then try to authenticate with the affected machine and post the output back here.

Sorry... i've been so busy

Simon Laurendeau — Thu, 12 Jun 2014 14:08:23 GMT

Sorry... i've been so busy with other stuff and since we just desactivated the machine auth it wasn`t a priority.

you can find debug on pastebin :http://pastebin.com/UCL6p5CU

Your debug logs are showing

nspasov — Sun, 15 Jun 2014 21:40:25 GMT

Your debug logs are showing that the client is getting an "access-reject" which is sent by the radius server. As a result, the WLC removes/deletes the client. Thus, there must be logs in ISE about this client. Can you please double check? If there are no logs paste screen shots of the following:

Administration > System > Settings > Protocols > Radius

I can see the user in ISE "Au

Simon Laurendeau — Mon, 16 Jun 2014 15:12:02 GMT

I can see the user in ISE "Authentication" tab but not the computer.

seems like 6 to 5% of our laptop are having this issue I think it's time I start working with our helpdesk here to check GPO and other hardware related issue. What I find weird is this happend right after migrating from ISE 1.1 to 1.2

Steps :

Steps

	11001	Received RADIUS Access-Request
	11017	RADIUS created a new session
	15049	Evaluating Policy Group
	15008	Evaluating Service Selection Policy
	15048	Queried PIP
	15048	Queried PIP
	15048	Queried PIP
	15004	Matched rule
	11507	Extracted EAP-Response/Identity
	12300	Prepared EAP-Request proposing PEAP with challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12302	Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
	12318	Successfully negotiated PEAP version 0
	12800	Extracted first TLS record; TLS handshake started
	12805	Extracted TLS ClientHello message
	12806	Prepared TLS ServerHello message
	12807	Prepared TLS Certificate message
	12810	Prepared TLS ServerDone message
	12305	Prepared EAP-Request with another PEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12304	Extracted EAP-Response containing PEAP challenge-response
	12305	Prepared EAP-Request with another PEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12304	Extracted EAP-Response containing PEAP challenge-response
	12318	Successfully negotiated PEAP version 0
	12812	Extracted TLS ClientKeyExchange message
	12804	Extracted TLS Finished message
	12801	Prepared TLS ChangeCipherSpec message
	12802	Prepared TLS Finished message
	12816	TLS handshake succeeded
	12310	PEAP full handshake finished successfully
	12305	Prepared EAP-Request with another PEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12304	Extracted EAP-Response containing PEAP challenge-response
	12313	PEAP inner method started
	11521	Prepared EAP-Request/Identity for inner EAP method
	12305	Prepared EAP-Request with another PEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12304	Extracted EAP-Response containing PEAP challenge-response
	11522	Extracted EAP-Response/Identity for inner EAP method
	11806	Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
	12305	Prepared EAP-Request with another PEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12304	Extracted EAP-Response containing PEAP challenge-response
	11808	Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
	15041	Evaluating Identity Policy
	15006	Matched Default Rule
	15013	Selected Identity Source - IdentityStore_AD
	24430	Authenticating user against Active Directory
	24402	User authentication against Active Directory succeeded
	22037	Authentication Passed
	11824	EAP-MSCHAP authentication attempt passed
	12305	Prepared EAP-Request with another PEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12304	Extracted EAP-Response containing PEAP challenge-response
	11810	Extracted EAP-Response for inner method containing MSCHAP challenge-response
	11814	Inner EAP-MSCHAP authentication succeeded
	11519	Prepared EAP-Success for inner EAP method
	12314	PEAP inner method finished successfully
	12305	Prepared EAP-Request with another PEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12304	Extracted EAP-Response containing PEAP challenge-response
	24423	ISE has not been able to confirm previous successful machine authentication for user in Active Directory
	15036	Evaluating Authorization Policy
	24432	Looking up user in Active Directory - DOMAIN\USER
	24416	User's Groups retrieval from Active Directory succeeded
	15048	Queried PIP
	15048	Queried PIP
	15048	Queried PIP
	15048	Queried PIP
	15048	Queried PIP
	15004	Matched rule - AuthZBlock_DOT1X
	15016	Selected Authorization Profile - DenyAccess
	15039	Rejected per authorization profile
	12306	PEAP authentication succeeded
	11503	Prepared EAP-Success
	11003	Returned RADIUS Access-Reject

Radius :

Hmm, you when you restart the

nspasov — Mon, 16 Jun 2014 17:59:40 GMT

Hmm, you when you restart the machine you should see an authentication entry that starts with " host/ " Let's try this:

1. Uncheck both the "Suppress Anomalous Clients" and "Suppress Repeated Successful Authentications"

2. Wait 10 minutes

3. Restart the machine and try again and let us know what happens

seems to be working I

Simon Laurendeau — Wed, 18 Jun 2014 13:36:28 GMT

seems to be working I restarded 3-4 laptop and they all authenticated after rebooting I am still monitoring but it's looking positive!

Good to hear! Hopefully this

nspasov — Wed, 18 Jun 2014 16:52:36 GMT

Good to hear! Hopefully this was resolved! Keep us posted 🙂

I can confirm it's now

Simon Laurendeau — Thu, 26 Jun 2014 14:09:54 GMT

I can confirm it's now working ! thanks for the help !