Cisco ISE AD (Windows Server 2013) Authentication Problem

nomadicwifi
Level 1

Background:

Deployed two Cisco ISE 1.1.3. ISE will be used to authenticate wireless users, admin access to WLC and switches. Backend database is Microsoft AD running on Windows Server 2012. Existing Cisco ACS 4.2 still running and authenticating users. There are two Cisco WLCs version 7.2.111.3.

Wireless users authenticating to AD through ACS 4.2 works. Admin access to WLC and switches to AD through ISE works. Wireless authentication uses PEAP-MSCHAPv2 and admin access uses PAP/ASCII.

Problem:

Wireless users cannot authenticate to AD through ISE. The error messages are "11051 RADIUS packet contains invalid state attribute" and "24444 Active Directory operation has failed because of an unspecified error in the ISE".

Conducted a detailed test of AD from ISE. The test was successful and the output seems all right except for the below:

xxdc01.xx.com (10.21.3.1)
Pinged:0 Mins Ago
State:down

xxdc02.xx.com (10.21.3.2)
Pinged:0 Mins Ago
State:down

xxdc01.xx.com
Last Success:Thu Jan  1 10:00:00 1970
Last Failure:Mon Mar 11 11:18:04 2013
Successes:0
Failures:11006

xxdc02.xx.com
Last Success:Mon Mar 11 09:43:31 2013
Last Failure:Mon Mar 11 11:18:04 2013
Successes:25
Failures:11006

Domain Controller: xxdc02.xx.com:389
    Domain Controller Type: Unknown DC Functional Level: 5
    Domain Name:            xx.COM
    IsGlobalCatalogReady:   TRUE
    DomainFunctionality:           2 = (DS_BEHAVIOR_WIN2003)
    ForestFunctionality:           2 = (DS_BEHAVIOR_WIN2003)

Action Taken:

1)     Logged on to Cisco ISE and WLC using AD credentials. This rules out the AD connection, clock and AAA shared secret as the problem.

2)     Tested wireless authentication using EAP-FAST but same problem occurs.

3)     Detailed error message shows the below. This rules out any authentication and authorization policies. Before even hitting the authentication policy, the AD lookup fails.


12304  Extracted EAP-Response containing PEAP challenge-response

11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated

Evaluating Identity Policy

15006  Matched Default Rule

15013  Selected Identity Store - AD1

24430  Authenticating user against Active Directory

24444  Active Directory operation has failed because of an unspecified error in the ISE

4)     Enabled AD debug logging and had a look at the logs. Nothing significant and no clues to the problem.

5)     Tested wireless on different laptops and mobile phones with the same error.

6)     Deleted and re-added the AAA clients/devices on both Cisco ISE and WLC.

7)     Restarted ISE services

8)     Rejoined the domain on Cisco ISE.

9)     Checked release notes of ISE 1.1.3 and WLC 7.2.111.3 for any open caveats. Nothing found related to this problem.

10)    There are two ISE and two WLC deployed. Tested different combinations of ISE1 to WLC1, ISE1 to WLC2, etc. This rules out a hardware issue with the WLC.

Other possibilities/action:

1)     Test it out on a different WLC version. Will have to wait for outage approval to upgrade the WLC software.

2)     Incompatibility of Cisco ISE and AD running on Microsoft Windows Server 2012

Anyone out there experienced something similar or have any ideas on why this is happening?

Thanks.

Update:

1) Built another Cisco ISE 1.1.3 server in another datacentre that uses the same domain but a different domain controller. This domain controller is running Windows Server 2008. This works and authentication is successful.

2) My colleague tested out in a lab environment of Cisco ISE 1.1.2 with Windows Server 2012. He got the same problem as described.

This leads me to think there is a compatibility issue of Cisco ISE with Windows Server 2012.
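The per-DC section of the detailed AD test above is the useful evidence here: a controller that ISE lists as "down" or that has never completed an operation is not actually serving requests, whatever the GUI's connection status says. The following Python is an added example, not part of the original thread; it parses that output (the post's own text, with the Pinged lines dropped, used as constructed sample input) and flags such controllers. The field names it keys on are assumed from the pasted output.

```python
import re

# Constructed sample: the two per-DC blocks (state, then counters) from the
# ISE 1.1 detailed AD test output pasted in the post, Pinged lines omitted.
AD_TEST_OUTPUT = """\
xxdc01.xx.com (10.21.3.1)
State:down
xxdc02.xx.com (10.21.3.2)
State:down
xxdc01.xx.com
Last Success:Thu Jan  1 10:00:00 1970
Successes:0
Failures:11006
xxdc02.xx.com
Last Success:Mon Mar 11 09:43:31 2013
Successes:25
Failures:11006
"""

# A DC header line is a hostname, optionally followed by its IP in parentheses.
DC_HEADER = re.compile(r"^(\S+\.\S+)(?: \((\d+\.\d+\.\d+\.\d+)\))?$")


def parse_dc_status(text):
    """Merge the state block and the counter block into one record per DC."""
    dcs, current = {}, None
    for line in text.splitlines():
        m = DC_HEADER.match(line)
        if m:
            current = dcs.setdefault(m.group(1), {})
            if m.group(2):
                current["ip"] = m.group(2)
            continue
        if current is not None and ":" in line:
            key, _, value = line.partition(":")  # e.g. "Successes:25"
            current[key.strip()] = value.strip()
    return dcs


def flag_unhealthy_dcs(dcs):
    """Return {dc: reasons} for DCs not 'up' or with zero successful operations."""
    bad = {}
    for name, rec in dcs.items():
        reasons = []
        if rec.get("State", "?").lower() != "up":
            reasons.append("state=" + rec.get("State", "?"))
        if rec.get("Successes", "0") == "0":
            reasons.append("no successful operations")
        if reasons:
            bad[name] = reasons
    return bad
```

Running it over the post's output reports both controllers as down, and xxdc01 additionally as never having succeeded, which matches the "Last Success" epoch timestamp.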




7 Replies

Jay McMickle
Level 1

Yes, it appears that 1.1.3 does not support Server 2012 as of yet.

External Identity Source OS/Version

Microsoft Windows Active Directory 2003 R2 32-bit and 64-bit

Microsoft Windows Active Directory 2008 32-bit and 64-bit

Microsoft Windows Active Directory 2008 R2 64-bit only

Microsoft Windows Active Directory 2003 32-bit only

http://www.cisco.com/en/US/docs/security/ise/1.1/compatibility/ise_sdt.pdf

This is an updated version of the ISE compatibility chart, and 2012 is still not listed. I plan to check with my Cisco SE as 1.2, which is coming out soon, may have this support.

ISE 1.2 will have this support

If anyone has ACS then support is already released in ACS 5.4 patch 2.

Thanks Jay. You are right, Server 2012 is not supported on ISE 1.1.3 yet.

Found that out through Cisco TAC. Was also told that ISE 1.1.4 and 1.2 might support Server 2012.

Any release date for ISE 1.2?

Hi Mehdi,

ISE 1.2 is targeted for release in mid July. No exact date as of now.

Jatin Katyal
- Do rate helpful posts -

~Jatin

John Finucane
Level 1

Does anyone know if ISE 1.1.3 p1 supports AD DCs running 2012, and if not, which patch or version is required?

Worryingly, when ISE joins a 2012 DC it states that it's connected successfully, and if another 2003 DC is available in that datacentre it will perform the auths against that DC whilst actually advertising (Connections in the GUI) that it's connected to the 2012 DC. We ended up mapping 8 PSN IPs to another datacentre which has one Win2003 server whilst the old 2003 DC is being promoted back; the 8 ISE servers started working, even though they still advertised they were connected to the 2012 DCs in the original datacentre. I performed a leave and join on one PSN and only then did it advertise that the node was connected to a DC in a different datacentre.