05-28-2020 08:03 AM
My customer with quite a large ISE deployment applied ISE 2.4 Patch 12 today. After applying the patch, he encountered serious authentication problems on machines using machine certificates for authentication.
I investigated the change and found very strange behaviour - at the end of the authentication process after Patch 12, ISE searches only the user database to find the resolved identity, and as there was no such user, authentication failed - this is the end of the Authentication Detail:
-----
24433 | Looking up machine in Active Directory - AD-XXXXX |
24325 | Resolving identity - 402-A148-PROC2.XXXXXX |
24313 | Search for matching accounts at join point - XXXXXX |
24319 | Single matching account found in forest - XXXXX |
24323 | Identity resolution detected single matching account |
24700 | Identity resolution by certificate succeeded - AD-XXXXX |
22037 | Authentication Passed |
12506 | EAP-TLS authentication succeeded |
15036 | Evaluating Authorization Policy |
15048 | Queried PIP - Network Access.UserName |
15048 | Queried PIP - InternalUser.Name |
24432 | Looking up user in Active Directory - 402-A148-PROC2.XXXXX |
24325 | Resolving identity |
24313 | Search for matching accounts at join point |
24318 | No matching account found in forest |
24322 | Identity resolution detected no matching account |
24352 | Identity resolution failed |
24412 | User not found in Active Directory |
15048 | Queried PIP - XXXXXX.ExternalGroups (2 times) |
15048 | Queried PIP - DEVICE.Location |
15048 | Queried PIP - XXXXXX.ExternalGroups (64 times) |
15016 | Selected Authorization Profile - DenyAccess |
15039 | Rejected per authorization profile |
11503 | Prepared EAP-Success |
11003 | Returned RADIUS Access-Reject |
-----------
Then I tried a small change in the certificate authentication profile and selected
Use Identity From: Any Subject or Alternative Name Attributes in the Certificate (for Active Directory Only)
previously there was Certificate Attribute - Subject - Common Name
After this change the authentication started to work again - this time the detail changed to this:
-------------
24433 | Looking up machine in Active Directory - AD-XXXXX |
24325 | Resolving identity - CN=402-A148-PROC2.XXXXX, 402-A148-PROC2.XXXXX, 402-A148-PROC2.XXXXXX |
24313 | Search for matching accounts at join point - XXXXX |
24319 | Single matching account found in forest - XXXXXX |
24323 | Identity resolution detected single matching account |
24700 | Identity resolution by certificate succeeded - AD-XXXXX |
22037 | Authentication Passed |
12506 | EAP-TLS authentication succeeded |
15036 | Evaluating Authorization Policy |
15048 | Queried PIP - Network Access.UserName |
15048 | Queried PIP - InternalUser.Name |
24433 | Looking up machine in Active Directory - 402-A148-PROC2$@XXXXXX |
24325 | Resolving identity |
24313 | Search for matching accounts at join point |
24318 | No matching account found in forest |
24315 | Single matching account found in domain |
24323 | Identity resolution detected single matching account |
24325 | Resolving identity |
24313 | Search for matching accounts at join point |
24318 | No matching account found in forest |
24315 | Single matching account found in domain |
24323 | Identity resolution detected single matching account |
24355 | LDAP fetch succeeded |
24435 | Machine Groups retrieval from Active Directory succeeded |
15048 | Queried PIP - AD-XXXXX.ExternalGroups |
15048 | Queried PIP - XXXX.Location |
15016 | Selected Authorization Profile - VlanXXX |
22081 | Max sessions policy passed |
22080 | New accounting session created in Session cache |
11503 | Prepared EAP-Success |
11002 | Returned RADIUS Access-Accept |
------------------------
so now it looks for the machine account 402-A148-PROC2$@XXXXXX, which is working. It is still a big mystery how the identity resolution works and, more importantly, what changed after Patch 12 - I do not need to mention that the whole authentication process was fully working before Patch 12.
Can somebody explain this? Is there anybody with similar experience?
Regards
Pavel
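A small triage script for the two "Authentication Details" traces above, added here as an example and not part of the post or of Cisco ISE itself. It assumes only the step-line format visible in the traces (`<5-digit step code> | <text> |`) and uses excerpts of the poster's own lines as sample input (the XXXXX fragments are the poster's redactions). It splits each trace at the start of authorization evaluation (step 15036), reports whether the authorization phase did a user lookup (24432) or a machine lookup (24433) and with which identity, and flags the pattern the post describes: certificate identity resolved and authentication passed, but the authorization phase looked up a user, found none (24412), and the request was rejected.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Step lines excerpted from the two ISE "Authentication Details" traces quoted
# in the post above (the XXXXX fragments are the poster's own redactions).
FAILING_TRACE = """
24325 | Resolving identity - 402-A148-PROC2.XXXXXX |
24323 | Identity resolution detected single matching account |
24700 | Identity resolution by certificate succeeded - AD-XXXXX |
22037 | Authentication Passed |
12506 | EAP-TLS authentication succeeded |
15036 | Evaluating Authorization Policy |
24432 | Looking up user in Active Directory - 402-A148-PROC2.XXXXX |
24318 | No matching account found in forest |
24412 | User not found in Active Directory |
15016 | Selected Authorization Profile - DenyAccess |
15039 | Rejected per authorization profile |
11003 | Returned RADIUS Access-Reject |
"""

WORKING_TRACE = """
24325 | Resolving identity - CN=402-A148-PROC2.XXXXX, 402-A148-PROC2.XXXXX, 402-A148-PROC2.XXXXXX |
24700 | Identity resolution by certificate succeeded - AD-XXXXX |
22037 | Authentication Passed |
12506 | EAP-TLS authentication succeeded |
15036 | Evaluating Authorization Policy |
24433 | Looking up machine in Active Directory - 402-A148-PROC2$@XXXXXX |
24315 | Single matching account found in domain |
24435 | Machine Groups retrieval from Active Directory succeeded |
15016 | Selected Authorization Profile - VlanXXX |
11002 | Returned RADIUS Access-Accept |
"""

# One step line: five-digit code, pipe, free text, optional trailing pipe.
STEP_RE = re.compile(r"^\s*(\d{5})\s*\|\s*(.*?)\s*\|?\s*$")


@dataclass
class Step:
    code: str
    text: str

    @property
    def detail(self) -> str:
        """Text after the first ' - ' (looked-up identity, profile name, ...)."""
        return self.text.split(" - ", 1)[1] if " - " in self.text else ""


def parse_steps(trace: str) -> list[Step]:
    """Parse every line that matches the step format; ignore separators and blanks."""
    return [Step(m.group(1), m.group(2))
            for m in map(STEP_RE.match, trace.splitlines()) if m]


def triage(trace: str) -> dict:
    """Classify one trace by which AD lookup the authorization phase performed."""
    steps = parse_steps(trace)
    codes = [s.code for s in steps]
    # Everything from step 15036 onwards belongs to authorization evaluation.
    split = codes.index("15036") if "15036" in codes else len(steps)
    authn, authz = steps[:split], steps[split:]

    def first(code: str, group: list[Step]) -> Step | None:
        return next((s for s in group if s.code == code), None)

    lookup = first("24432", authz) or first("24433", authz)
    profile = first("15016", authz)
    if "11002" in codes:
        outcome = "Access-Accept"
    elif "11003" in codes:
        outcome = "Access-Reject"
    else:
        outcome = "unknown"

    cert_ok = any(s.code in ("24700", "22037") for s in authn)
    user_lookup_failed = (lookup is not None and lookup.code == "24432"
                          and first("24412", authz) is not None)
    if cert_ok and user_lookup_failed and outcome == "Access-Reject":
        verdict = "authz-user-lookup-mismatch"   # the post's failure pattern
    elif outcome == "Access-Accept":
        verdict = "ok"
    else:
        verdict = "other"

    return {
        "verdict": verdict,
        "lookup_type": {"24432": "user", "24433": "machine"}.get(lookup.code, "") if lookup else "",
        "lookup_identity": lookup.detail if lookup else "",
        "profile": profile.detail if profile else "",
        "outcome": outcome,
    }


if __name__ == "__main__":
    for name, trace in (("failing", FAILING_TRACE), ("working", WORKING_TRACE)):
        print(name, triage(trace))
```

Run on a batch of exported step traces, the "lookup_type" and "lookup_identity" fields make it immediately visible whether authorization is resolving the certificate identity as a user account (hostname.domain) or as a machine account (HOST$@DOMAIN), which is the difference between the two traces in the post.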
05-28-2020 03:34 PM
Hi,
I believe this is related to the issue found here:
https://community.cisco.com/t5/network-access-control/ise-machine-authentication-failure/m-p/4084434
Thanks