AD users failing to authenticate on Cisco ISE

cfak211
Level 1
Hi all,
 
Recently I've been facing an issue in my environment whereby accounts from Active Directory fail to authenticate on Cisco switches. Logs in Cisco ISE (TACACS > Live logs) show that selected shell profile is "Deny Access". However, according to my policy set configuration, I feel it should be going to a different shell profile ("Cisco Read Write").
 
TACACS live logs also show that the user is found in our AD so I'm unsure why the authentication is failing. Any help in resolving this issue and enabling AD logins on network devices would be appreciated. I have attached pictures of my device admin policy set and TACACS live logs for clarity.
 
Cheers
6 Replies

Check deploy and license:

- Admin > System > Deployment: enable Device Admin service

- Admin > System > Licensing: Device Admin

MHM

Not enough information here to help unfortunately. But something is not matching your configured authorization rules. Your AD authentication is successful. My guess is the AD Group is not matching.

To follow on to @ahollifield's comment, you might need to check the permissions on the ISE machine account in AD to ensure you have the necessary permissions as per this table... especially the 'Read tokenGroups' permission as that is required for group membership lookups.

You can also use the Test Users tool in ISE to confirm it sees the expected group memberships for the User account.
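One way to verify the 'Read tokenGroups' point above from the AD side, as an added example that is not from this thread: it lists the ACEs on one user object (including inherited ones) that grant the ISE node's machine account read access to the tokenGroups attribute, which is the attribute ISE reads for group membership. The machine account name, the test user name and a domain-joined host with the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module;
# the ISE machine account and the test user below are placeholders.
Import-Module ActiveDirectory

$IseMachineAccount = 'ISE-NODE-01$'   # placeholder: sAMAccountName of the ISE node's computer object
$TestUser          = 'jdoe'           # placeholder: a user that fails device-admin authorization

$rootDse = Get-ADRootDSE
# Look up the schemaIDGUID of tokenGroups from the schema rather than hard-coding it
$tokenGroupsGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=tokenGroups)' -Properties schemaIDGUID).schemaIDGUID

# SIDs an ACE can name that cover the ISE account: the account itself, its direct
# groups, plus Everyone (S-1-1-0) and Authenticated Users (S-1-5-11)
$iseSids = @((Get-ADComputer -Identity $IseMachineAccount).SID.Value)
$iseSids += (Get-ADPrincipalGroupMembership -Identity $IseMachineAccount).SID.Value
$iseSids += 'S-1-1-0', 'S-1-5-11'

$userDn = (Get-ADUser -Identity $TestUser).DistinguishedName
$acl = Get-Acl -Path "AD:\$userDn"    # ACL on the user object, inherited ACEs included

$readProperty = [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$genericRead  = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$genericAll   = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# Keep Allow ACEs that grant a read right, whose ObjectType is the tokenGroups GUID
# (or the empty GUID, meaning all properties), to one of the SIDs collected above
$hits = $acl.Access | Where-Object {
    $rights = [int]$_.ActiveDirectoryRights
    $_.AccessControlType -eq 'Allow' -and
    (($rights -band $readProperty) -or ($rights -band $genericRead) -or ($rights -band $genericAll)) -and
    ($_.ObjectType -eq $tokenGroupsGuid -or $_.ObjectType -eq [guid]::Empty) -and
    ($iseSids -contains $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value)
}

if ($hits) {
    $hits | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited | Format-Table -AutoSize
} else {
    Write-Warning "No ACE on $userDn grants $IseMachineAccount read access to tokenGroups"
}
```

Run it as an account that can read the schema and the user's ACL; an empty result means the machine account (or a group it belongs to) has not been delegated the permission on that user's OU or the domain root.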

cfak211
Level 1

@MHM Cisco World Just checked; both the Device Admin service and the Device Admin license are active.

@Greg Gibbs I've tried the "Test user" tool and it's returning "Success" on the Authentication result, the group this particular account is a member of on the AD is showing up as well in the "Groups" tab.

I'm not aware of any ISE machine account in our AD, however. Is this something that will need to be configured on both ISE and AD?

Thanks all for the responses.

If you have integrated ISE with AD via a Join Point, there would have to be machine accounts created in AD for the ISE nodes.

Have you tried removing the condition related to 'InternalUser'? I don't understand why that is there if you are authorizing an external user against Active Directory. What are you trying to match with that condition?

That condition is actually there to enable logins to network devices from an internal account on ISE if connection to the AD fails.

Actually the problem is currently resolved, I just deleted the policy and added the conditions one by one. Now both AD accounts and the internal account are able to authenticate successfully.