12-19-2019 10:26 AM
I am seeing what is described here:
The poster describes forcing ISE to use Kerberos instead of MS-RPC. I don't see any setting like that in ISE. I know when I do a Test User against AD I can simulate this exact issue. When I use MS-RPC I get the duplicate 4776 logs on the domain controller (a failure followed by a success). If I change to Kerberos, life is good. I'm just not sure how to force ISE to use Kerberos for 802.1X auth.
12-19-2019 03:01 PM
There is an option in ISE under External Identity Sources->Active Directory-><Your Domain>->"Advanced Authentication Settings" called "Use Kerberos for Plain Text Authentication". I think that may force ISE to use Kerberos instead of MS-RPC. If that doesn't work, then you can block TCP/UDP/135 at a firewall and ensure that TCP/88 is open.
12-19-2019 06:19 PM
01-16-2020 04:13 AM - edited 01-16-2020 04:54 AM
01-16-2020 04:57 AM
I saw the same issue while migrating from ACS to ISE 2.3 LWA authentication.
Since PAP authentication was involved, I got rid of the duplicated events by switching from RPC to Kerberos for plain text protocols.
This was against Cisco's recommendation, but our AD forest is quite simple so I took the risk.
Now we are migrating wired and wireless dot1x to ISE as well, and the issue is present again because of PEAP MS-CHAPv2. This is not a plain text protocol, so I am afraid that the user can be authenticated only with NTLM over RPC, because ISE might not be able to know the user password and do a "Kerberos proxy".
The good news is that at the end Cisco admitted that
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf45991/?rfs=iqvred
is not a Microsoft-only issue.
It seems that patch 10 for ISE 2.4 fixed it.
We are going to install patch 11, fingers crossed.
Regards
MM
01-17-2020 06:36 AM
Hi, patch 11 did not solve the issue.
MM
01-18-2020 10:23 AM - edited 01-18-2020 10:26 AM
To use the fix, we need to configure a registry key in the AD Advanced Tuning page in ISE:
Registry Key:
REGISTRY.Services\lsass\Parameters\Providers\ActiveDirectory\WorkaroundForFalseFailedLoginEvent
By default the registry key is set to NO.
Set it to YES to use the fix.
01-19-2020 11:32 PM
01-20-2020 07:52 AM - edited 01-20-2020 07:52 AM
Sure, if you like.
Please keep in mind that the two failure audit log entries are due to the DC trying its local DB first before reaching out to the real AD. This happens because ISE uses UPN.
The fix with the registry key is to use sAMAccountName with a non-empty domain name. This may potentially cause ambiguity, as it's not as unique as UPN.
Thus, my recommendation is not to use it unless sAMAccountName is really unique in your deployment(s).
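Added example, not part of any post in this thread and not Cisco or Microsoft code: a small Python script that reads 4776 records from a domain controller and separates the pattern described above (a failure immediately followed by a success for the same account from the same source) from standalone failures that deserve a real look. The records are constructed sample data in a pipe-separated form, not real DC output; the field names follow the Event ID 4776 layout ("Logon Account", "Source Workstation", "Error Code"), and the 5-second pairing window and the assumption that the source workstation is the ISE node are mine.

```python
"""Pair Event ID 4776 failures with an immediately following success from the
same account and source workstation, so the ISE MS-RPC "false failed login"
pattern can be told apart from genuine credential failures."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample records (NOT real DC output). Columns:
# timestamp | Logon Account | Source Workstation | Error Code
# 0x0 is success; 0xC0000064 (user not found) and 0xC000006A (bad password)
# are the standard NTSTATUS values seen in the 4776 Error Code field.
SAMPLE_LOG = """\
2020-01-20T08:00:00 | jdoe   | ISE-PSN-01 | 0xC0000064
2020-01-20T08:00:01 | jdoe   | ISE-PSN-01 | 0x0
2020-01-20T08:05:00 | asmith | ISE-PSN-01 | 0xC000006A
2020-01-20T08:05:02 | asmith | ISE-PSN-01 | 0xC000006A
2020-01-20T08:05:04 | asmith | ISE-PSN-01 | 0xC000006A
2020-01-20T08:10:00 | bjones | WKS-117    | 0xC000006A
2020-01-20T08:10:30 | bjones | WKS-117    | 0x0
"""


@dataclass
class Event4776:
    time: datetime
    account: str        # "Logon Account" field
    workstation: str    # "Source Workstation" field (the ISE node for RADIUS auth)
    error_code: str     # "Error Code" field, lower-cased; "0x0" means success


def parse_line(line: str) -> Event4776:
    """Parse one constructed, pipe-separated 4776 record."""
    ts, account, workstation, code = [p.strip() for p in line.split("|")]
    return Event4776(datetime.fromisoformat(ts), account, workstation, code.lower())


def classify(events, window=timedelta(seconds=5)):
    """Return (artifacts, genuine).

    artifacts: list of (failure, success) pairs where the success for the same
               account/source follows the failure within `window` (assumed to
               be the local-DB-first behaviour described in the thread).
    genuine:   failures with no such immediate success (real bad passwords,
               lockouts, guessing attempts, or a user retyping much later).
    """
    by_source = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.time):
        by_source[(ev.account.lower(), ev.workstation.lower())].append(ev)

    artifacts, genuine = [], []
    for evs in by_source.values():
        i = 0
        while i < len(evs):
            ev = evs[i]
            if ev.error_code != "0x0":
                nxt = evs[i + 1] if i + 1 < len(evs) else None
                if nxt and nxt.error_code == "0x0" and nxt.time - ev.time <= window:
                    artifacts.append((ev, nxt))
                    i += 2          # consume the paired success as well
                    continue
                genuine.append(ev)
            i += 1
    return artifacts, genuine


def summarize(log_text: str) -> dict:
    """Convenience wrapper: parse a whole log text and return counts."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    artifacts, genuine = classify(events)
    return {
        "artifact_pairs": len(artifacts),
        "genuine_failures": len(genuine),
        "accounts_with_genuine_failures": sorted({e.account for e in genuine}),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

In the sample, jdoe's failure is paired with a success one second later and is reported as an artifact, asmith's three consecutive failures stay genuine, and bjones's failure is also kept as genuine because the success arrives 30 seconds later, outside the pairing window. Tune the window to what you observe between the two events on your DCs, and keep the source-workstation match: a failure from a user's own PC followed by a success from the ISE node is not the same pattern.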
01-20-2020 10:50 PM
Thank you very much.
Actually, on our Active Directory sAMAccountNames are unique even between trusted domains; anyway, we have just one Kerberos realm per domain. So if with this configuration ISE sends the sAMAccountName along with the NTB domain name, it should work.
Do you think the patch might raise some issues in trusted domain searches, given that there are no duplicated sAMAccountNames between trusted domains?
I asked our TAM to reach out to the ISE BU and ask them to write down some official documentation about this patch.
I saw that the configuration makes the AD connector restart with less than a minute of traffic disruption, but TAC is not able to confirm because of the lack of documentation.
Regards
MM