liyanazure
Beginner

ISE always finds the old AD LDAP which is offline

The customer has an ISE (version 2.0) and there are 6 AD servers (Windows 2008 x2 / Windows 2012 x2 / Windows 2016 x2).

He took the Windows 2008 servers offline, and then his wireless authentication failed. The error on ISE is below.

11051 RADIUS packet contains invalid state attribute

24444 Active Directory operation has failed because of an unspecified error in the ISE

We checked ad_agent.log and found that ISE always wants to find the old LDAP on the Windows 2008 AD servers.

The information is in the attachment.

Hope someone can help.

Thanks!!!

4 replies
liyanazure
Beginner

Jun 17 18:56:10 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> network.state ProbePorts complete for cnsrv004.cn.thyssenkrupp.as. Elapsed time 0.001615 secs
Jun 17 18:56:10 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> base.bind.udp UDPBinding::search :(&(NtVer=\06\00\00\00))
Jun 17 18:56:10 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> base.bind.udp UDPBinding::connectToServer - 10.100.47.84
Jun 17 18:56:10 TKECC-ISE-01 adclient[2999]: DIAG <bg:netstate> base.bind.ldap 10.100.47.84:389 search base="" filter="(&(NtVer=\06\00\00\00))"
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> base.osutil Module=LDAP : time out : Timed out (reference base/ldapsearch.cpp:117 rc: -5)
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> network.state DC cnsrv004-old.cn.thyssenkrupp.as(10.100.47.84) did not reply
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> base.bind.udp UDPBinding::search :(&(NtVer=\06\00\00\00))
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> base.bind.udp UDPBinding::connectToServer - 10.100.47.103
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DIAG <bg:netstate> base.bind.ldap 10.100.47.103:389 search base="" filter="(&(NtVer=\06\00\00\00))"
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> lrpc.adobject new object:
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> dns.siteinfo forest = thyssenkrupp.as
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> dns.siteinfo domain = cn.thyssenkrupp.as
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> dns.siteinfo hostName = CNSRV003.cn.thyssenkrupp.as
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> dns.siteinfo siteName1 = TKECC
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> dns.siteinfo siteName2 = TKECC
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> dns.siteinfo isWritable = true
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> dns.siteinfo isClosestSite = true
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> dns.siteinfo isTimeServer = true
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> dns.siteinfo isKDC = true
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> dns.siteinfo isDSRV = true
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> dns.siteinfo isLDAP = true
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> dns.siteinfo isGC = true
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> dns.siteinfo isPDC = false
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> network.state DC cnsrv003.cn.thyssenkrupp.as(10.100.47.103) answered in 0.000527 secs: Success
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> util.io.connectutil Connected to 10.100.47.103 in 0.000486 seconds
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> util.io.connectutil Connected to 10.100.47.103 in 0.000153 seconds
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> util.io.connectutil Connected to 10.100.47.103 in 0.000175 seconds
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> util.io.connectutil Connected to 10.100.47.103 in 0.000175 seconds
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> util.io.connectutil Connected to 10.100.47.103 in 0.000140 seconds
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> network.state ProbePorts complete for cnsrv003.cn.thyssenkrupp.as. Elapsed time 0.001807 secs
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> base.bind.udp UDPBinding::search :(&(NtVer=\06\00\00\00))
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> base.bind.udp UDPBinding::connectToServer - 10.100.47.114
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DIAG <bg:netstate> base.bind.ldap 10.100.47.114:389 search base="" filter="(&(NtVer=\06\00\00\00))"
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> lrpc.adobject new object:
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> dns.siteinfo forest = thyssenkrupp.as
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> dns.siteinfo domain = cn.thyssenkrupp.as
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> dns.siteinfo hostName = CNSRV014.cn.thyssenkrupp.as
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> dns.siteinfo siteName1 = TKECC
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> dns.siteinfo siteName2 = TKECC
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> dns.siteinfo isWritable = true
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> dns.siteinfo isClosestSite = true
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> dns.siteinfo isTimeServer = true
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> dns.siteinfo isKDC = true
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> dns.siteinfo isDSRV = true
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> dns.siteinfo isLDAP = true
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> dns.siteinfo isGC = true
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> dns.siteinfo isPDC = false
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> network.state DC cnsrv014.cn.thyssenkrupp.as(10.100.47.114) answered in 0.000511 secs: Success
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> util.io.connectutil Connected to 10.100.47.114 in 0.000189 seconds
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> util.io.connectutil Connected to 10.100.47.114 in 0.000156 seconds
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> util.io.connectutil Connected to 10.100.47.114 in 0.000159 seconds
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> util.io.connectutil Connected to 10.100.47.114 in 0.000183 seconds
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> util.io.connectutil Connected to 10.100.47.114 in 0.000150 seconds
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> network.state ProbePorts complete for cnsrv014.cn.thyssenkrupp.as. Elapsed time 0.001642 secs
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> base.bind.udp UDPBinding::search :(&(NtVer=\06\00\00\00))
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> base.bind.udp UDPBinding::connectToServer - 10.100.47.85
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DIAG <bg:netstate> base.bind.ldap 10.100.47.85:389 search base="" filter="(&(NtVer=\06\00\00\00))"
Jun 17 18:56:12 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> base.osutil Module=LDAP : time out : Timed out (reference base/ldapsearch.cpp:117 rc: -5)
Jun 17 18:56:12 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> network.state DC CNSRV046-old.cn.thyssenkrupp.as(10.100.47.85) did not reply
Jun 17 18:56:12 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> network.state CacheAccess purge
Jun 17 18:56:12 TKECC-ISE-01 adclient[2999]: DEBUG <bg:ageBindings> util.settings Setting domaincontroller to cnsrv014.cn.thyssenkrupp.as
Jun 17 18:56:42 TKECC-ISE-01 adclient[2999]: DEBUG <background> daemon.main now = Fri Jun 17 18:56:42 2022, nextPasswordChange: Mon Jul 11 16:51:10 2022, lastKrb5Renew: Fri Jun 17 11:27:43 2022, lastCacheCleanup: Fri Jun 17 18:50:55 2022, lastPrevalidate: Fri Jun 17 11:27:43 2022, lastChkDatadir: Fri Jun 17 18:53:55 2022, lastAzmanRefresh: Fri Jun 17 18:40:25 2022
Jun 17 18:56:42 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> network.state CacheAccess purge
Jun 17 18:56:42 TKECC-ISE-01 adclient[2999]: DEBUG <bg:ageBindings> util.settings Setting domaincontroller to cnsrv014.cn.thyssenkrupp.as
Jun 17 18:57:12 TKECC-ISE-01 adclient[2999]: DEBUG <background> daemon.main now = Fri Jun 17 18:57:12 2022, nextPasswordChange: Mon Jul 11 16:51:10 2022, lastKrb5Renew: Fri Jun 17 11:27:43 2022, lastCacheCleanup: Fri Jun 17 18:50:55 2022, lastPrevalidate: Fri Jun 17 11:27:43 2022, lastChkDatadir: Fri Jun 17 18:53:55 2022, lastAzmanRefresh: Fri Jun 17 18:40:25 2022
Jun 17 18:57:12 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> network.state CacheAccess purge
Jun 17 18:57:12 TKECC-ISE-01 adclient[2999]: DEBUG <bg:ageBindings> util.settings Setting domaincontroller to cnsrv014.cn.thyssenkrupp.as
Jun 17 18:57:17 TKECC-ISE-01 adclient[2999]: DEBUG <bg:bindingRefresh> base.adagent ADAgent::refreshBindings -- starting
Jun 17 18:57:17 TKECC-ISE-01 adclient[2999]: DEBUG <bg:bindingRefresh> base.adagent ADAgent::refreshBindings -- ending (fastReschedule = false)



Authentication Summary
Logged At: June 16,2022 12:14:22.475 PM
RADIUS Status: RADIUS Request dropped : 24444 Active Directory operation has failed because of an unspecified error in the ISE
NAS Failure:
Username: CNTKAS\10368071

MAC/IP Address: 28:16:AD:69:68:F6

Network Device: WLC-01 : 10.100.47.126 :
Allowed Protocol: Default Network Access

Identity Store: AD1
Authorization Profiles:
SGA Security Group:
Authentication Protocol : PEAP(EAP-MSCHAPv2)


Authentication Result
RadiusPacketType=Drop
AuthenticationResult=Error

Related Events


Authentication Details
Logged At: June 16,2022 12:14:22.475 PM
Occurred At: June 16,2022 12:14:22.474 PM
Server: TKECC-ISE-01

Authentication Method: dot1x
EAP Authentication Method : EAP-MSCHAPv2
EAP Tunnel Method : PEAP
Username: CNTKAS\10368071

RADIUS Username : CNTKAS\10368071
Calling Station ID: 28:16:AD:69:68:F6

Framed IP Address:
Use Case:
Network Device: WLC-01

Network Device Groups: Device Type#All Device Types,Location#All Locations
NAS IP Address: 10.100.47.126

NAS Identifier: TKECC-AC-WLC5508-1
NAS Port: 1
NAS Port ID:
NAS Port Type: Wireless - IEEE 802.11
Allowed Protocol: Default Network Access

Service Type: Framed
Identity Store: AD1
Authorization Profiles:
Active Directory Domain: cn.thyssenkrupp.as
Identity Group:
Allowed Protocol Selection Matched Rule: Wireless
Identity Policy Matched Rule: Default
Selected Identity Stores: AD1
Authorization Policy Matched Rule:
SGA Security Group:
AAA Session ID: TKECC-ISE-01/438773311/125377
Audit Session ID: 0a642f7e00041ef35760a16b
Tunnel Details: Tunnel-Type=(tag=0) VLAN,Tunnel-Medium-Type=(tag=0) 802,Tunnel-Private-Group-ID=(tag=0) 3
Cisco-AVPairs: audit-session-id=0a642f7e00041ef35760a16b
Other Attributes: ConfigVersionId=10,Device Port=32774,DestinationPort=1812,RadiusPacketType=AccessRequest,Protocol=Radius,ExternalErrorCode=65538,Framed-MTU=1300,State=37CPMSessionID=0a642f7e00041ef35760a16b;39SessionID=TKECC-ISE-01/438773311/125377;,Acct-Session-Id=5760a15b/28:16:ad:69:68:f6/378716,attribute-89=00:,attribute-131=00:00:00:01,Airespace-Wlan-Id=5,CPMSessionID=0a642f7e00041ef35760a16b,EndPointMACAddress=28-16-AD-69-68-F6,Device Type=Device Type#All Device Types,Location=Location#All Locations,Device IP Address=10.100.47.126,Called-Station-ID=24-b6-57-b4-6f-10:CT-FT
Posture Status:
EPS Status:


Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12810 Prepared TLS ServerDone message
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12318 Successfully negotiated PEAP version 0
12812 Extracted TLS ClientKeyExchange message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12509 EAP-TLS full handshake finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12313 PEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - AD1
24430 Authenticating user against Active Directory
24444 Active Directory operation has failed because of an unspecified error in the ISE
22059 The advanced option that is configured for process failure is used
22062 The 'Drop' advanced option is configured in case of a failed authentication request
12315 PEAP inner method finished with failure
22028 Authentication failed and the advanced options are ignored
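
An added example, not part of the original posts: a short Python summary of the adclient domain controller probe results in the ad_agent.log excerpt above, listing which DCs never answered and which DC the agent finally bound to. The sample lines are copied from that log; the function names are this example's own, and the regular expressions assume the message layout seen in this log.

```python
import re
from collections import defaultdict

# Five lines copied from the ad_agent.log excerpt posted above.
SAMPLE_LOG = """\
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> network.state DC cnsrv004-old.cn.thyssenkrupp.as(10.100.47.84) did not reply
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> network.state DC cnsrv003.cn.thyssenkrupp.as(10.100.47.103) answered in 0.000527 secs: Success
Jun 17 18:56:11 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> network.state DC cnsrv014.cn.thyssenkrupp.as(10.100.47.114) answered in 0.000511 secs: Success
Jun 17 18:56:12 TKECC-ISE-01 adclient[2999]: DEBUG <bg:netstate> network.state DC CNSRV046-old.cn.thyssenkrupp.as(10.100.47.85) did not reply
Jun 17 18:56:12 TKECC-ISE-01 adclient[2999]: DEBUG <bg:ageBindings> util.settings Setting domaincontroller to cnsrv014.cn.thyssenkrupp.as
"""

# Assumed layout: "network.state DC <fqdn>(<ip>) did not reply | answered in <secs> secs"
PROBE_RE = re.compile(
    r"network\.state DC (?P<host>[\w.-]+)\((?P<ip>[\d.]+)\) "
    r"(?P<result>did not reply|answered in [\d.]+ secs)"
)
SELECT_RE = re.compile(r"util\.settings Setting domaincontroller to (?P<host>[\w.-]+)")

def summarize_dc_probes(log_text):
    """Return (probes, selected): per-DC probe counts and the last DC adclient bound to."""
    probes = defaultdict(lambda: {"ip": None, "answered": 0, "no_reply": 0})
    selected = None
    for line in log_text.splitlines():
        m = PROBE_RE.search(line)
        if m:
            entry = probes[m["host"].lower()]  # the log mixes upper and lower case names
            entry["ip"] = m["ip"]
            if m["result"] == "did not reply":
                entry["no_reply"] += 1
            else:
                entry["answered"] += 1
            continue
        m = SELECT_RE.search(line)
        if m:
            selected = m["host"].lower()
    return dict(probes), selected

def unreachable_dcs(probes):
    """DCs that were probed but never answered: entries to compare against DNS and AD Sites."""
    return sorted(h for h, p in probes.items() if p["no_reply"] and not p["answered"])

if __name__ == "__main__":
    probes, selected = summarize_dc_probes(SAMPLE_LOG)
    for host in unreachable_dcs(probes):
        print(f"never answered: {host} ({probes[host]['ip']})")
    print(f"currently bound to: {selected}")
```

Run over the full ad_agent.log, the list of DCs that never answered is the set of names to look for in the DNS records ISE uses to locate domain controllers.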

ilay
Collaborator

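I don't think PEAP can use LDAP for authentication, can it?

First check the AD join status in ISE, and also confirm that the DNS configured on ISE can correctly resolve all the domain controllers.

It would be best to post the relevant screenshots, along with the ISE version and patch level.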

liyanazure
Beginner

Can anyone provide ISE1.1 and Microsoft server AD compatibility?
