Background:
Deployed two Cisco ISE 1.1.3. ISE will be used to authenticate wireless users, admin access to WLC and switches. Backend database is Microsoft AD running on Windows Server 2012. Existing Cisco ACS 4.2 still running and authenticating users. There are two Cisco WLCs version 7.2.111.3.
Wireless users authenticates to AD through ACS 4.2 works. Admin access to WLC and switches to AD through ISE works. Wireless authentication using PEAP-MSCHAPv2 and admin access wtih PAP/ASCII.
Problem:
Wireless users cannot authenticate to AD through ISE. The below is the error message "11051 RADIUS packet contains invalid state attribute" & "24444 Active Directory operation has failed because of an unspecified error in the ISE".
Conducted a detailed test of AD from ISE. The test was successful and the output seems all right except for the below:
xxdc01.xx.com (10.21.3.1)
Pinged:0 Mins Ago
State:down
xxdc02.xx.com (10.21.3.2)
Pinged:0 Mins Ago
State:down
xxdc01.xx.com
Last Success:Thu Jan 1 10:00:00 1970
Last Failure:Mon Mar 11 11:18:04 2013
Successes:0
Failures:11006
xxdc02.xx.com
Last Success:Mon Mar 11 09:43:31 2013
Last Failure:Mon Mar 11 11:18:04 2013
Successes:25
Failures:11006
Domain Controller: xxdc02.xx.com:389
Domain Controller Type: Unknown DC Functional Level: 5
Domain Name: xx.COM
IsGlobalCatalogReady: TRUE
DomainFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
ForestFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
Action Taken:
Log on to Cisco ISE and WLC using AD credentials. This rules out AD connection, clock and AAA shared secret as the problem.
2) Tested wireless authentication using EAP-FAST but same problem occurs.
3) Detailed error message shows the below. This rules out any authentication and authorization polices. Before even hitting the authentication policy, the AD lookup fails.
12304 Extracted EAP-Response containing PEAP challenge-response |
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated |
Evaluating Identity Policy |
15006 Matched Default Rule |
15013 Selected Identity Store - AD1 |
24430 Authenticating user against Active Directory |
24444 Active Directory operation has failed because of an unspecified error in the ISE |
4) Enabled AD debugging logging and had a look at the logging. Nothing significant and no clues to the problem.
5) Tested wireless on different laptos and mobile phones with same error
6) Delete and add again AAA Client/Devices on both Cisco ISE and WLC
7) Restarted ISE services
8) Rejoin domain on Cisco ISE
9) Checked release notes of ISE 1.1.3 and WLC 7.2.111.3 for any open caveats. Nothing found related to this problem.
10) There are two ISE and two WLC deployed. Tested different combination of ISE1 to WLC1, ISE1 to WLC2 etc. This rules out hardware issue of WLC.
Other possibilities/action:
1) Test it out on a different WLC version. Will have to wait outage approval to upgrade WLC software.
2) Incompatibility of Cisco ISE and AD running on Microsoft Windows Server 2012
Anyone out there experienced something similar of have any ideas on why this is happening?
Thanks.
Update:
1) Built another Cisco ISE 1.1.3 sever in another datacentre that uses the same domain but different domain controller. Thais domain controller is running Windows Server 2008. This works and authentication successful.
2) My colleague tested out in a lab environment of Cisco ISE 1.1.2 with Windows Server 2012. He got the same problem as described.
This leads me to think there is a compatibility issue of Cisco ISE with Windows Server 2012.
Accepted Solutions
