topic My problem was fixed. I in Network Security

Cisco ISE Detected Host Lookup problem

alik_prochazka — Fri, 21 Feb 2020 13:11:05 GMT

Hi,

I have a problem. Sometimes it happen, when PC was authenticated by dot1x, it is invoked after some time event "Detected Host Lookup UseCase (Service-Type = Call Check (10))" and then falls to MAB. After calling this event the AD station logs using mac addresses. Correctly must be by AD user name.

I use a supplicant Cisco Anyconnect.

My id stores is Active Directory.

Thanks

11001 Received RADIUS Access-Request

11017 RADIUS created a new session

11027 Detected Host Lookup UseCase (Service-Type = Call Check (10))

15049 Evaluating Policy Group

15008 Evaluating Service Selection Policy

15048 Queried PIP

15004 Matched rule

15048 Queried PIP

15004 Matched rule

15041 Evaluating Identity Policy

15006 Matched Default Rule

15013 Selected Identity Source -

24432 Looking up user in Active Directory - 28:D2:44:64:DA:87

24412 User not found in Active Directory

24210 Looking up User in Internal Users IDStore - 28:D2:44:64:DA:87

24216 The user is not found in the internal users identity store

24631 Looking up User in Internal Guests IDStore

24633 The user is not found in the internal guests identity store

22016 Identity sequence completed iterating the IDStores

22056 Subject not found in the applicable identity store(s)

22058 The advanced option that is configured for an unknown user is used

22060 The 'Continue' advanced option is configured in case of a failed authentication request

I have a similar problem but

franklinb — Mon, 15 Sep 2014 07:55:06 GMT

I have a similar problem but we use the native Windows supplicant, and ISE 1.2 with AD objects.

The machine authenticates fine when it wants to. I checked the logs and found it had failed 80-90% of attempts over the weekend.

Is this a timeout issue? The machine is apparently quite a mess so could potentially be responding too slowly to auth attempts.

Switch in question is a 3750G/3750E mixed stack

	11001	Received RADIUS Access-Request
	11017	RADIUS created a new session
	11027	Detected Host Lookup UseCase (Service-Type = Call Check (10))
	15049	Evaluating Policy Group
	15008	Evaluating Service Selection Policy
	15048	Queried PIP
	15048	Queried PIP
	15048	Queried PIP
	15004	Matched rule
	15041	Evaluating Identity Policy
	15006	Matched Default Rule
	15013	Selected Identity Source - Internal Endpoints
	24209	Looking up Endpoint in Internal Endpoints IDStore - D0:67:E5:xx:xx:xx
	24211	Found Endpoint in Internal Endpoints IDStore
	22037	Authentication Passed
	15036	Evaluating Authorization Policy
	15048	Queried PIP
	15048	Queried PIP
	15048	Queried PIP
	15048	Queried PIP
	15048	Queried PIP
	15004	Matched rule - Default
	15016	Selected Authorization Profile - DenyAccess
	15039	Rejected per authorization profile
	11003	Returned RADIUS Access-Reject

Hi franklinb, I have this

alik_prochazka — Mon, 15 Sep 2014 07:55:07 GMT

Hi franklinb,

I have this problem only on switches Catalyst 2960-C and you?

My problem was fixed. I

alik_prochazka — Thu, 06 Nov 2014 12:08:37 GMT

My problem was fixed. I downgraded IOS from 15.2 on 15.0 and added commands radius-server vsa send accounting, radius-server vsa send authentication. When I added this commands into 2960-C (IOS 15.2) and I looked on "sh run" this command weren`t there.

No - for me it's on a stack

franklinb — Tue, 11 Nov 2014 01:58:11 GMT

No - for me it's on a stack of 3750G's