
After ISE 3.2 patch-3 External Authentication stopped working

dan.l.smith
Level 1

Currently running ISE 3.2 patch 2, after installing patch 3 external authentication stops working for all devices as well as logging into the ISE itself. Internal local login still works. While logged in with the local account the external identities diag tool shows all green and test users function is successful. However the web UI and devices still do

After rolling back to Patch 2 everything works again. 

3 Accepted Solutions

@TravisIS  We conducted internal validations on this and we are able to reproduce the issue internally and we are further validating the issue with CRL check. Will get back to you with more details on this shortly.

@Naresh Ginjupalli  - Thank you for looking into this - I will notify my TAC engineer of this as well; I still need to perform a couple of PCAPs for her but if you can reproduce the issue in the lab that's great!

@dan.l.smith Please provide the SR number of your TAC case.

16 Replies

balaji.bandi
Hall of Fame

May be worth opening TAC case to investigate for you.

BB

thomas
Cisco Employee

You have provided no specific error messages or logs or anything for us to help you.  "external authentication stops working" is not an actual error and could be anything.

Please see How to Ask The Community for Help and try again or submit your case to TAC and they may spend the time collecting the necessary information to troubleshoot it with you.

@thomas:  You sound like Cisco TAC, LOL....

@dan.l.smith: patch 3 is really buggy and IMHO, broken. I don't know how much QA Cisco did with patch 3 but it does appear they did a very poor job on it. FWIW, I also have a TAC case with Cisco on ISE 3.2 patch-3 and the case is currently in the hands of the BU.

@adamscottmaster2013, no I'm not TAC but I do see many people posting questions here that do not understand how to help us help them. We cannot see their screens and their configs or know what their scenario is so they need to quickly and efficiently communicate it to us. I don't know why they think we can solve it faster than TAC with no visibility into the real problem. And we are all just trying to help here and we would rather not waste our time asking you 20 questions about your scenario to understand your situation.

Everyone here is trying to help but TAC gets paid to ask for troubleshooting details - we don't.

TravisIS
Level 1

@adamscottmaster2013 same experience here - as of Patch 3, CRL retrieval is failing for EAP-TLS auth. Had to check the option to continue with auth even if the CRL check fails.

Hi Adam,

Can I please get the SR details, if it is already opened? We noticed the issue with CRL and want to see if the scenario we discovered is the same as yours.

@Naresh Ginjupalli:  Yes, I have the ticket opened three weeks ago and it is not CRL.  The issue is upgrading the 3.2 cluster (1 PAN, 1 Secondary PAN, 2 PSN nodes) from patch-2 to patch-3.  Followed the instruction and the PAN started upgrade process but the Secondary and PSN nodes did not get upgraded.  It is currently being investigated by BU and developers.

Btw, how much "leverage" do you have in getting it resolved quickly :-)?

Hi Adam,

I am analysing the SR for more details and will get back to you shortly on this.

Apologies. I need the SR number to expedite it.

Naresh - were you asking me to respond to the CRL issue or Adam?

Please let me know - I have a TAC case open for this defect (SR 696031940) however as it takes all dot1x auth down to replicate, I haven't yet had an opportunity to perform the necessary pcap etc but there are notes attached to the case you could look at for similarities if you like.

Thank you Travis, I looked at the SR and I am analysing the data provided in SR. Will get more details in a day.

Hi Naresh,

The CRL issue is now fixed in 3.2 Patch 4. There is a laundry list of fixed bugs in this patch, those of you on Patch 3 would do well to review the release notes at your earliest opportunity.

 
