My customer with quite a large ISE deployment applyed ISE 2.4 Patch 12 today. After applying the patch, he encouter serios authentication problems on machines using machine certificate for authentication.
I investigate the change and found very strange behavioru - at yhe end of authentication process after Patch 12 the ISE search only user database to find the resolved identity and as there was no suh user - authentication failed - this is the end of Authentication Detail:
-----
24433 | Looking up machine in Active Directory - AD-XXXXX |
24325 | Resolving identity - 402-A148-PROC2.XXXXXX |
24313 | Search for matching accounts at join point - XXXXXX |
24319 | Single matching account found in forest - XXXXX |
24323 | Identity resolution detected single matching account |
24700 | Identity resolution by certificate succeeded - AD-XXXXX |
22037 | Authentication Passed |
12506 | EAP-TLS authentication succeeded |
15036 | Evaluating Authorization Policy |
15048 | Queried PIP - Network Access.UserName |
15048 | Queried PIP - InternalUser.Name |
24432 | Looking up user in Active Directory - 402-A148-PROC2.XXXXX |
24325 | Resolving identity |
24313 | Search for matching accounts at join point |
24318 | No matching account found in forest |
24322 | Identity resolution detected no matching account |
24352 | Identity resolution failed |
24412 | User not found in Active Directory |
15048 | Queried PIP - XXXXXX.ExternalGroups (2 times) |
15048 | Queried PIP - DEVICE.Location |
15048 | Queried PIP - XXXXXX.ExternalGroups (64 times) |
15016 | Selected Authorization Profile - DenyAccess |
15039 | Rejected per authorization profile |
11503 | Prepared EAP-Success |
11003 | Returned RADIUS Access-Reject |
-----------
Then I traied to ssmall change in certificate authentication profile and selected
Use Identity From: Any Subject or Alternative Name Attributes in the Certificate (for Active Directory Only)
previously ttere was Certificate Attribute - Subject - Common Name
After this change the authentication started to work again - this time the detail change to this:
-------------
24433 | Looking up machine in Active Directory - AD-XXXXX |
24325 | Resolving identity - CN=402-A148-PROC2.XXXXX, 402-A148-PROC2.XXXXX, 402-A148-PROC2.XXXXXX |
24313 | Search for matching accounts at join point - XXXXX |
24319 | Single matching account found in forest - XXXXXX |
24323 | Identity resolution detected single matching account |
24700 | Identity resolution by certificate succeeded - AD-XXXXX |
22037 | Authentication Passed |
12506 | EAP-TLS authentication succeeded |
15036 | Evaluating Authorization Policy |
15048 | Queried PIP - Network Access.UserName |
15048 | Queried PIP - InternalUser.Name |
24433 | Looking up machine in Active Directory - 402-A148-PROC2$@XXXXXX |
24325 | Resolving identity |
24313 | Search for matching accounts at join point |
24318 | No matching account found in forest |
24315 | Single matching account found in domain |
24323 | Identity resolution detected single matching account |
24325 | Resolving identity |
24313 | Search for matching accounts at join point |
24318 | No matching account found in forest |
24315 | Single matching account found in domain |
24323 | Identity resolution detected single matching account |
24355 | LDAP fetch succeeded |
24435 | Machine Groups retrieval from Active Directory succeeded |
15048 | Queried PIP - AD-XXXXX.ExternalGroups |
15048 | Queried PIP - XXXX.Location |
15016 | Selected Authorization Profile - VlanXXX |
22081 | Max sessions policy passed |
22080 | New accounting session created in Session cache |
11503 | Prepared EAP-Success |
11002 | Returned RADIUS Access-Accept |
------------------------
so now it looks for machine account 402-A148-PROC2$@XXXXXX which is working. It is still big mystery, how the identity resoluton work and more, what changed ofter patch 12 - I do not need to mention the whole authentication process was fully working before Patch 12.
Can somebody explain this? Is there anybody with simmilar experience?
Regards
Pavel
