Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
451
Views
1
Helpful
6
Replies

AD users failing to authenticate on Cisco ISE

cfak211
Level 1
Level 1

‎08-06-2024 02:50 AM

Hi all,
 
Recently I've been facing an issue in my environment whereby accounts from Active Directory fail to authenticate on Cisco switches. Logs in Cisco ISE (TACACS > Live logs) show that selected shell profile is "Deny Access". However, according to my policy set configuration, I feel it should be going to a different shell profile ("Cisco Read Write").
 
TACACS live logs also show that the user is found in our AD so I'm unsure why the authentication is failing. Any help in resolving this issue and enabling AD logins on network devices would be appreciated. I have attached pictures of my device admin policy set and TACACS live logs for clarity.
 
Cheers
Preview file
926 KB
Preview file
8737 KB
Preview file
73 KB
6 Replies 6

MHM Cisco World
VIP
VIP

‎08-06-2024 03:26 AM

Check depoly and license 

-Admin>system >deployment 

Enable device admin service 

-admin > system > licensing 

Device admin 

MHM

0 Helpful

ahollifield
VIP
VIP

‎08-06-2024 08:22 AM

Not enough information here to help unfortunately.  But something is not matching your configured authorization rules.  Your AD authentication is successful.  My guess is the AD Group is not matching.

0 Helpful

Greg Gibbs
Cisco Employee
Cisco Employee
In response to ahollifield

‎08-06-2024 03:22 PM

To follow on to @ahollifield's comment, you might need to check the permissions on the ISE machine account in AD to ensure you have the necessary permissions as per this table... especially the 'Read tokenGroups' permission as that is required for group membership lookups.

You can also use the Test Users tool in ISE to confirm it sees the expected group memberships for the User account.

0 Helpful

cfak211
Level 1
Level 1

‎08-06-2024 07:32 PM

@MHM Cisco World Just checked, both Device admin service and Device admin license are active.

@Greg Gibbs I've tried the "Test user" tool and it's returning "Success" on the Authentication result, the group this particular account is a member of on the AD is showing up as well in the "Groups" tab.

I'm not aware of any ISE machine account in our AD however, is this something that will need to be configured on both the ISE and AD?

Thanks all for the responses.

0 Helpful

Greg Gibbs
Cisco Employee
Cisco Employee
In response to cfak211

‎08-07-2024 04:07 PM

If you have integrated ISE with AD via a Join Point, there would have to be machine accounts created in AD for the ISE nodes.

Have you tried removing the condition related to 'InternalUser'. I don't understand why that is there if you are authorizing an external user against Active Directory. What are you trying to match with that condition?

0 Helpful

cfak211
Level 1
Level 1
In response to Greg Gibbs

‎08-07-2024 06:16 PM

That condition is actually there to enable logins to network devices from an internal account on ISE if connection to the AD fails.

Actually the problem is currently resolved, I just deleted the policy and added the conditions one by one. Now both AD accounts and the internal account are able to authenticate successfully.

0 Helpful
Customers Also Viewed These Support Documents