Machine AND User Authentication Issue

fatalXerror
Level 5

Hi Guys,

 

I am encountering an issue in my environment with ISE. We have deployed machine AND user authentication using MAR only. Every morning, my users have no issues connecting to the network, either wired or wireless, but after lunch time, I observed that some of the endpoints that came from sleep/hibernate mode cannot authenticate anymore. Based on the logs, I noticed that ISE is not seeing that the endpoint has not successfully authenticated, hence giving the deny profile. The behavior is not the one that we expected because the endpoint had undergone machine authentication in the morning.

 

So far, what I did is change the MAR aging time from the default 5 hours to 9 hours, but the issue is still the same.

 

Thanks for the help.

5 Replies

howon
Cisco Employee

Can you post the details of the deny that ISE is sending? I suggest looking into whether MAR is the cause of the deny or something else is in play. In general, the Windows native supplicant doesn't do well after hibernation and may fail to do 802.1X authentication, thus the failure.

Hi @howon ,

Thanks for the feedback. Unfortunately, I cannot provide a screenshot as per our policy.

But the phrase below is the one I noticed.

"ISE has not confirmed locally previous successful machine authentication for user in Active Directory"

The setup of my authorization policy is: when the machine passes, it goes to a QVLAN; then, when the user passes AND WasMachineAuthenticated = True, the user VLAN is assigned.

Based on my understanding of the log, ISE can't confirm if machine auth is successful, hence it goes to my default deny profile.

How can I resolve this issue?

Thanks

When experiencing the issue, if the user disconnects the interface and reconnects, does it successfully connect with MAR? Also, can you post the interface configuration and the result of 'show authentication session interface Gig x/y/z detail' when experiencing the issue?

Hi @howon 

Thanks for the feedback. We observed it on the wireless connection only because most of the time the endpoint is connected via wireless. They need to reboot the machine for the authentication to work again.

Thanks

You might need this -- Enable MAR Cache Distribution