Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4658
Views
5
Helpful
7
Replies

ISE 2.4 tries to authenticate domain computer as a domain user

Go to solution
jacob.fredriksson
Level 1
Level 1

‎08-22-2019 10:50 PM - edited ‎08-25-2019 10:30 PM

Hey everyone,

 

I ran into a weird issue yesterday on a ISE 2.4 patch 8 deployment in which ISE is (for some reason) trying to authenticate a domain computer (which is using EAP-TLS) as a domain user. The computers are configured to only use machine authentication using EAP-TLS as there are no user certificates in this environment.

 

Looking at the detailed log (image below) it seems that ISE authenticates the computer just fine, but it then continues on to look up if the computer name is a domain user. Since there is no domain user with that computer name, ISE tells us the user could not be found and the login attempt is rejected.

broken ise machine auth.jpg

The only differens between the broken machine authentication and a working one is how the username of the machine presents itself in ISE. A machine that goes through a successful authentication shows it's computer's name as host/<computername>.<domain>

 

working ise machine authentication.PNG

 

The problem only seems to be happening on a few computers (less than 1% of the total computers that are only using machine authentication) but we've yet to find a solution to fix this.

2 people had this problem
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to jacob.fredriksson

‎08-30-2019 05:53 AM

please work with TAC and vendors as this forum is not meant for break fix. I see you have some help here as well

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Arne Bier
VIP
VIP

‎08-25-2019 03:58 PM

is the AD clean?  I mean, are the affected AD accounts looking exactly as they should be?  Does the host/identity exist in more than one account attribute?  Sometimes ISE has to deal with ambiguity resolution and it's described in a the document below - maybe some hints there

https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_2x.html

 

In the interim, you could test how ISE performs its external ID lookups by going to Administration/External ID Sources and then select the AD Joint point, select a server and Test User.  Type the combinations of username and host/username to see what the result is.

You may find that you need to perform an Identity Rewrite under Advanced Settings to always prefix the "host/" to the username - but you'd want to perform that re-write only for machine accounts - that might be challenging. 

Go to solution
jacob.fredriksson
Level 1
Level 1
In response to Arne Bier

‎08-25-2019 11:40 PM

Thank you Arne for taking a look at this.

I've been doing lookups from inside ISE on several machines that work and comparing them to the non-working one and unfortunately I haven't been able to find anything that looks out of order. The computers' usernames shows up in several attributes in AD, sometimes as host/<computername> and sometimes as <computername>.domain but it all looks the same for every computer.

As the images show, there is an identity rewrite happening in the broken authentication that does not happen in the working authentication. We have never had to resort to identity rewrites before to make things work. I am not sure why the "incoming identity" is different between the broken and working authentications. Unfortunately I cannot make too many changes in this environment as it may affect other production devices.

We have checked and there is no user account with the same name either. This deployment is connected to only a single Active Directory.

I've being trying to wrap my head around this but I simply cannot understand why ISE continues to try to authenticate this computer name as a domain user after it has already says that "a match was found" for the computer name.

 

 

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to jacob.fredriksson

‎08-26-2019 12:32 PM

I'd recommend a tac case if you can't resolve here
0 Helpful

Go to solution
ognyan.totev
Level 5
Level 5
In response to jacob.fredriksson

‎08-27-2019 07:39 AM

Hello , 

Can you share with us authentication rule and authorization rule.

 

0 Helpful

Go to solution
ognyan.totev
Level 5
Level 5
In response to jacob.fredriksson

‎08-29-2019 09:08 PM

Hello,

when you doing a certificate why you not point is to AD because on pictures i see active directory no applicable. Second in authentication rule you can add 1 more row with certificate ou containt your ou than use this cert profile

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to jacob.fredriksson

‎08-30-2019 05:53 AM

please work with TAC and vendors as this forum is not meant for break fix. I see you have some help here as well
0 Helpful

Go to solution
joel.moore
Level 1
Level 1

‎11-24-2020 04:15 PM

For some reason we cannot see the solution to this question.  It is very similar to an issue we are seeing.  Can some one re-post the solution?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents