1626 Views | 10 Helpful | 9 Replies

AD-Host-Exists

Alex Pfeil
Level 7

I have a condition which assigns 100 points if AD-Host-Exists.  I have a domain computer that is able to authenticate to the domain, but it is not getting the AD-Host-Exists in the response.  It is getting multiple other AD criteria, just not that one.  We are running 2.3 with the second patch, not the third.

Thanks,

Alex

Accepted Solution

hslai
Cisco Employee

You are probably hitting CSCve03360, which is addressed in ISE 2.4, planned for ISE 2.2 Patch 9, and a future ISE 2.3 Patch release via patch parity.

If you need it sooner for ISE 2.3, please engage TAC and ask for a hot patch.


9 Replies

Hsing,

I don't see that bug being visible.  What is the description/symptoms of it?

Thanks.

paul
Level 10

Do you have DNS profiler enabled to get the reverse lookup?  The AD profiler works after collecting the hostname/FQDN of a device using either DHCP profiling or DNS reverse lookups.  The DNS profiler is not enabled by default.

Yes,

We have DNS profiler enabled. Almost all of the AD information gets populated, but not the AD-Host-Exists.

paul

Is the system doing 802.1x authentication or only MAB?  If it is doing 802.1x authentication much of that AD information gets populated from the 802.1x authentication and subsequent AD lookup.  Do you see the AD OS version field populated?

I have seen this issue as well though, but haven't spent time investigating.  I see the FQDN field populated and know the FQDN is in AD, but it doesn't profile as host exists in AD.  I am hoping Hsing posts the bug.

We are doing 802.1x only. AD OS version field is not populated. Many devices are working; the issue is just with some devices. One difference could be that I have the helper-address on some VLANs and not on others, but the wireless is all the same.

Thanks,

Alex

If the OS version is not populated then I don’t think you are doing any AD lookup at all for that device. I think the AD information you are seeing is from the 802.1x authentication.

Do you see the FQDN value populated or the DHCP hostname?

Are you doing AD host name exists profiling to try to lock down AD User 802.1x to domain machines?
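A small triage script that applies the reasoning in this thread to an endpoint attribute export (an added example, not Cisco's code or anything posted by the participants). It sorts endpoints into those that never learned a hostname (check the DNS probe / DHCP helper-address), those with an FQDN but no AD OS version (the AD probe never ran, the symptom discussed here), and those where the AD probe ran but AD-Host-Exists is still missing. The records are constructed, and the attribute keys other than AD-Host-Exists (FQDN, host-name, AD-OS-Version, MACAddress) are assumed names for the export columns.

```python
# Added example: triage ISE endpoint records for the AD-Host-Exists symptom
# discussed in this thread. Records are constructed; attribute key names
# other than AD-Host-Exists are assumed export column names.
import csv
import io

# Constructed Context Visibility style export (CSV).
ENDPOINT_EXPORT = """\
MACAddress,host-name,FQDN,AD-OS-Version,AD-Host-Exists
00:11:22:33:44:01,pc01,pc01.corp.example,Windows 10,true
00:11:22:33:44:02,,pc02.corp.example,,
00:11:22:33:44:03,,,,
00:11:22:33:44:04,pc04,pc04.corp.example,Windows 10,
"""


def triage(record):
    """Classify one endpoint record following the thread's reasoning."""
    if record.get("AD-Host-Exists", "").strip().lower() == "true":
        return "ok"
    if not record.get("FQDN") and not record.get("host-name"):
        # No hostname was learned, so the AD probe has nothing to look up:
        # verify the DNS probe (reverse lookup) or DHCP helper-address.
        return "no-hostname"
    if not record.get("AD-OS-Version"):
        # Hostname known but no AD attributes at all: the AD probe never ran
        # for this endpoint, which matches the CSCve03360 symptom above.
        return "ad-probe-not-triggered"
    # AD probe ran (OS version present) yet AD-Host-Exists is still absent.
    return "ad-probe-ran-no-host-exists"


def triage_export(text):
    """Return {MAC address: category} for every row of a CSV export."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["MACAddress"]: triage(row) for row in reader}


if __name__ == "__main__":
    for mac, verdict in triage_export(ENDPOINT_EXPORT).items():
        print(f"{mac}  {verdict}")
```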

How about this one

AD Probe not triggered/retrieving OS info when domain PC auth to network

CSCve03360

After upgrading to ISE 2.4, the first test that I completed worked for AD-Host-Exists.