Cisco ISE 3.3 P2 authentication issue, asking user to sign in

mitchellT
Level 1

We are testing version 3.3 P2, and when I point my existing users, which are working fine on version 3.2 P5, at it, they start getting the "action required" prompt asking them to sign in to the network. This does not happen on version 3.2, only on version 3.3. If they don't click on "sign in", the authentication will fail and on ISE the error will say "no response from user".

2 Accepted Solutions

So you re-issued a new certificate? Or manually imported/exported the certificate? Private keys are not contained in the backup file except for the PAN.

Is the ISE PSN FQDN in the SAN field of the certificate?

What type of deployment is this? How many nodes and what roles?


mitchellT
Level 1

I installed a VM version on one of my UCS servers and the issue did not occur, so the problem is caused by Azure ISE, and Cisco TAC has no idea and doesn't even reply to any email anymore after I sent them the logs they asked for. My advice to those thinking about using Azure ISE: don't.


14 Replies

mitchellT
Level 1

This is the error message on the switch. Has anyone seen this issue? Thanks.

Apr 27 08:57:25.537: %SESSION_MGR-5-FAIL: Switch 3 R0/0: sessmgrd: Authorization failed or unapplied for client (c4b9.cdb5.4ba0) on Interface GigabitEthernet2/0/11 AuditSessionID 0A2E0A01000181E31C2948C2. Failure reason: Authc fail. Authc failure reason: No Response from Client.

This indicates a supplicant issue.  What is the EAP type?  What is the supplicant?  What is the NAD?

mitchellT
Level 1

They are Windows native wired dot1x supplicants using EAP-TLS and connecting from Cisco 3850 switches. Both version 3.2 and 3.3 use the same root certificate and domain controller for AD.

What version of IOS-XE?  Everything correct on the supplicant side?  Is ISE 3.3 using a different certificate than 3.2?  What other differences in the configuration exist between the 3.2 and 3.3 deployments?  Is the supplicant configured to only talk to certain RADIUS servers?  And the 3.3 PSNs are not in this list?

mitchellT
Level 1

Cisco IOS XE Software, Version 16.12.07. I built version 3.3 and restored from backup with version 3.2's backup file, so they have exactly the same configuration with the same root certificate. I've added the new version 3.3 to the list of allowed RADIUS servers on the Windows supplicant. The only change I'm making is pointing the RADIUS server to either version 3.2 or version 3.3 on the switch itself, and when I point to version 3.3 it will ask the user to sign in, but it will not do that on version 3.2.

aaa group server radius RADIUS-GROUP
server name ISESERVER3.2OR3.3

So you re-issued a new certificate? Or manually imported/exported the certificate? Private keys are not contained in the backup file except for the PAN.

Is the ISE PSN FQDN in the SAN field of the certificate?

What type of deployment is this? How many nodes and what roles?

I thought that fixed the issue with limited testing, but with more testing we still have the same issue of asking the user to sign in. Cisco TAC has no idea either.

mitchellT
Level 1

Yes, I did re-issue a new certificate since the name of the server is different from version 3.2. The PSN FQDN is not in the SAN field of version 3.3, but I checked my version 3.2 and it doesn't have that either. Maybe I'll add that and see if that helps with version 3.3.

This version 3.3 is only one node and it does it all. My version 3.2 has only two nodes, with primary and secondary PAN, but both PSNs are active.

3.3 is a single node? Will it become a two or three node? Note that standalone ISE nodes are only supported from an evaluation standpoint.

mitchellT
Level 1

Yes, when we get this sorted out it will be a two-node deployment.

mitchellT
Level 1

Adding the ISE FQDN to the SAN seems to have helped with limited testing; will do more testing.
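The certificate questions raised in this thread (is the PSN FQDN in the SAN, and was the certificate re-issued for the new node name) can be checked offline before the certificate is bound to EAP in ISE. The script below is an added example, not code from the thread or from Cisco. It uses the third-party `cryptography` package and builds throwaway self-signed certificates with constructed hostnames (ise-psn1.example.com, ise.example.com) so it runs without a real PSN certificate; the Server Authentication EKU check is included because the Windows native supplicant rejects a RADIUS server certificate without it. To check a real certificate, load the PEM with `x509.load_pem_x509_certificate()` and pass it to `check_psn_cert()` instead of using `make_test_cert()`.

```python
"""Offline sanity check of an ISE PSN EAP-TLS server certificate against what a
Windows native supplicant looks at: PSN FQDN present as a SAN dNSName, and the
Server Authentication EKU. Added example using the third-party `cryptography`
package; all hostnames are constructed placeholders."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def make_test_cert(cn, san_dns, with_server_auth=True):
    """Build a throwaway self-signed certificate (constructed test data only)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
    )
    if san_dns:  # a cert with no SAN at all mirrors the "CN only" case in the thread
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(d) for d in san_dns]),
            critical=False,
        )
    ekus = [ExtendedKeyUsageOID.SERVER_AUTH] if with_server_auth else [ExtendedKeyUsageOID.CLIENT_AUTH]
    builder = builder.add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
    return builder.sign(key, hashes.SHA256())


def check_psn_cert(cert, psn_fqdn):
    """Return a list of findings for the certificate; an empty list means it passes."""
    findings = []
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        dns_names = [n.lower() for n in san.get_values_for_type(x509.DNSName)]
    except x509.ExtensionNotFound:
        dns_names = []
        findings.append("no subjectAltName extension")
    if psn_fqdn.lower() not in dns_names:  # DNS names compare case-insensitively
        findings.append(f"PSN FQDN {psn_fqdn} not among SAN DNS names {dns_names}")
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        if ExtendedKeyUsageOID.SERVER_AUTH not in eku:
            findings.append("EKU lacks Server Authentication (1.3.6.1.5.5.7.3.1)")
    except x509.ExtensionNotFound:
        findings.append("no extendedKeyUsage extension")
    return findings


if __name__ == "__main__":
    psn = "ise-psn1.example.com"  # constructed PSN FQDN
    good = make_test_cert(psn, [psn, "ise.example.com"])
    bad = make_test_cert(psn, ["ise.example.com"])  # re-issued with the old name only
    print("good:", check_psn_cert(good, psn) or "OK")
    print("bad: ", check_psn_cert(bad, psn))
```

The second certificate in the demo reproduces the situation described above: a certificate re-issued for the new deployment whose SAN never received the new node's FQDN, which the check reports as a finding.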

mitchellT
Level 1

I installed a VM version on one of my UCS servers and the issue did not occur, so the problem is caused by Azure ISE, and Cisco TAC has no idea and doesn't even reply to any email anymore after I sent them the logs they asked for. My advice to those thinking about using Azure ISE: don't.

Possibly related to this issue with Azure dropping out of sequence UDP packets (which is normal for EAP-TLS), but would have to look at packet captures and more detail to confirm.

https://community.cisco.com/t5/network-access-control/eap-tls-to-azure-ise-is-failing-but-not-with-an-ise-node-in-the/td-p/4739038
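The reply above points at large EAP-TLS exchanges: the server's certificate chain is split into EAP-TLS fragments (RFC 5216), each carried in a RADIUS Access-Challenge, and a challenge that exceeds the path MTU is IP-fragmented, so the handshake then depends on every fragment arriving and being reassembled. The block below is an added example, not code from the thread or from Cisco. It builds the EAP-TLS fragments for a constructed 3584-byte TLS flight, reassembles them as a strict lock-step peer would (a missing or reordered fragment fails the handshake rather than being buffered), and sizes the resulting RADIUS datagram to show which fragment sizes cross the 1500-byte MTU. The fragment sizes (1002 and 1398 bytes) and the State attribute length are assumptions chosen to sit either side of the MTU; the size ISE actually uses is not stated in the thread and is normally driven by the Framed-MTU the NAD sends.

```python
"""EAP-TLS fragmentation (RFC 5216 section 3) and the size of the RADIUS
Access-Challenge that carries each fragment. Added example, not from the thread;
the TLS flight, fragment sizes and State length are constructed placeholders."""
import struct

EAP_REQUEST = 1
EAP_TYPE_TLS = 13
FLAG_L, FLAG_M = 0x80, 0x40   # L: TLS length field present, M: more fragments
RADIUS_HDR = 20               # Code, Identifier, Length, Authenticator
EAP_MESSAGE_MAX = 253         # value limit of one EAP-Message attribute (255 incl. T/L)
MSG_AUTH_LEN = 18             # Message-Authenticator attribute, mandatory with EAP


def eap_tls_fragments(tls_data, max_frag, first_id=1):
    """Split one TLS flight (e.g. ServerHello..ServerHelloDone with the cert
    chain) into EAP-TLS Request packets carrying max_frag TLS bytes each."""
    pkts, off, ident = [], 0, first_id
    while True:
        chunk = tls_data[off:off + max_frag]
        off += len(chunk)
        flags, hdr = 0, b""
        if not pkts:                      # first fragment announces total length
            flags |= FLAG_L
            hdr = struct.pack("!I", len(tls_data))
        if off < len(tls_data):
            flags |= FLAG_M
        body = bytes([EAP_TYPE_TLS, flags]) + hdr + chunk
        pkts.append(struct.pack("!BBH", EAP_REQUEST, ident & 0xFF, 4 + len(body)) + body)
        ident += 1
        if off >= len(tls_data):
            return pkts


def reassemble(pkts):
    """Rebuild the TLS flight the way a strict peer does: EAP is lock-step, so
    fragments must arrive in identifier order; a lost or reordered fragment
    aborts the exchange instead of being buffered and reordered."""
    total, buf, expected_id = None, bytearray(), None
    for i, p in enumerate(pkts):
        code, ident, length = struct.unpack("!BBH", p[:4])
        if code != EAP_REQUEST or length != len(p) or length < 6 or p[4] != EAP_TYPE_TLS:
            raise ValueError(f"fragment {i}: malformed EAP-TLS packet")
        if expected_id is not None and ident != expected_id:
            raise ValueError(f"fragment {i}: identifier {ident}, expected {expected_id}")
        flags, pos = p[5], 6
        if flags & FLAG_L:
            if buf or length < 10:
                raise ValueError(f"fragment {i}: misplaced L flag")
            total, pos = struct.unpack("!I", p[6:10])[0], 10
        elif total is None:
            if flags & FLAG_M:
                raise ValueError("fragmented message must start with the L flag")
            total = length - 6            # single unfragmented packet
        buf += p[pos:]
        if not flags & FLAG_M:
            break
        expected_id = (ident + 1) & 0xFF
    else:
        raise ValueError("ran out of fragments with the M flag still set")
    if len(buf) != total:
        raise ValueError(f"got {len(buf)} TLS bytes, length field said {total}")
    return bytes(buf)


def radius_datagram_size(eap_pkt, state_len=16):
    """UDP payload size of an Access-Challenge carrying eap_pkt: the EAP packet
    is chopped into EAP-Message attributes of at most 253 bytes, plus
    Message-Authenticator and a State attribute (its length is a constructed guess)."""
    n_attrs = -(-len(eap_pkt) // EAP_MESSAGE_MAX)
    eap_attr_bytes = len(eap_pkt) + 2 * n_attrs
    return RADIUS_HDR + eap_attr_bytes + MSG_AUTH_LEN + 2 + state_len


def ip_fragments(udp_payload_len, mtu=1500):
    """IPv4 fragments needed for a UDP datagram of this payload size on a path
    with the given MTU (20-byte IP header, 8-byte UDP header, non-final fragment
    payloads rounded down to a multiple of 8)."""
    total_ip = 20 + 8 + udp_payload_len
    if total_ip <= mtu:
        return 1
    per_fragment = (mtu - 20) // 8 * 8
    return -(-(total_ip - 20) // per_fragment)


if __name__ == "__main__":
    flight = bytes(range(256)) * 14          # constructed 3584-byte TLS flight
    for frag in (1002, 1398):                # constructed fragment sizes
        pkts = eap_tls_fragments(flight, frag)
        assert reassemble(pkts) == flight
        size = radius_datagram_size(pkts[0])
        print(f"EAP-TLS fragment {frag}B -> {len(pkts)} EAP packets, first "
              f"Access-Challenge {size}B UDP payload, {ip_fragments(size)} IP fragment(s)")
```

With these placeholder numbers the 1002-byte fragment produces a 1076-byte RADIUS datagram that fits one 1500-byte frame, while the 1398-byte fragment produces a 1476-byte datagram that becomes two IP fragments; a path that drops or mishandles the second fragment leaves the supplicant waiting for a challenge it never sees, which the switch then logs as "No Response from Client". A packet capture on the ISE side that shows the Access-Challenge leaving as two fragments, with the supplicant never answering, is the confirmation the reply above asks for.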


We have another Azure ISE version 3.2 in the same Azure vnet without this issue. That one has tons of other problems; that's why we are trying to get rid of it by going to version 3.3.