05-20-2014 05:01 AM - edited 03-10-2019 09:43 PM
Hi, since we migrated to ISE 1.2 patch 7 we are having problems with our corporate SSID.
We have a rule that basically says:
User is Domain User.
Machine is in domain.
But for some reason some workstations are getting denied by this:
24423 ISE has not been able to confirm previous successful machine authentication for user in Active Directory
I was wondering if I could force a sync?
06-16-2014 10:59 AM
Hmm, when you restart the machine you should see an authentication entry that starts with "host/". Let's try this:
1. Uncheck both the "Suppress Anomalous Clients" and "Suppress Repeated Successful Authentications"
2. Wait 10 minutes
3. Restart the machine and try again and let us know what happens
05-20-2014 10:43 AM
05-22-2014 03:54 PM
Are you using EAP-Chaining (EAP-TEAP) or are you utilizing MAR (machine access restriction)? Can you provide some screen shots of the rules that you have in place?
05-23-2014 08:05 AM
We use MAR.
Rule Screenshot :
AD Settings :
Allow Protocol :
I've been working with ISE for a month now and still trying to understand a lot of it, so thank you all for your help!
05-23-2014 12:07 PM
OK, thank you for the screenshots. So the machine authentication related to MAR only happens when:
1. The machine first boots up
2. The user logs off and logs back in to the computer
ISE then stores the machine's MAC address information until the "Aging Time" expires. In your situation that is 8760 hours. Once that timer expires the user will have to either reboot the machine or log off/log back in. In addition, MAR comes with a couple of caveats:
1. The MAR information/state is not replicated between ISE nodes. Thus, if you are load balancing the sessions and/or you have a failover all of the previously MAR authenticated machines would have to either be rebooted or logged off/logged back on.
2. Since the method uses the MAC address of the machine, the authentication process would have to be repeated if the authenticating MAC address changes. For instance, a user comes to the office, boots the computer and authenticates on the wireless, and everything works as expected. However, the user then goes to his/her desk and connects to a wired port. At that point the machine will need to perform wired authentication, thus it will be using the MAC address from its wired LAN adapter. That MAC address won't be in ISE's database and the machine will be marked as "not previously authenticated." At this point another restart/log off/on will be required. The same will apply if the user for some reason uses a docking station. The docking station will have its own MAC address that will be different from the one from the machine, which won't be in the database of ISE.
Overall, MAR is not the most elegant solution. There are some good alternatives out there. You can take a look at the following document:
http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116516-problemsolution-technology-00.html
Hope this helps.
Thank you for rating!
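The MAR behaviour described in the post above (a per-node cache keyed by the authenticating MAC address, an aging timer, no replication between nodes) can be modelled in a few lines. The following is an added illustration, not Cisco code and not the thread author's, and the `MarNode` class, its methods and the scenario functions are assumptions made for the example; it reproduces the three failure modes discussed: a user authentication arriving on a MAC that never did machine authentication (the 24423 case), a failover to a node that never saw the machine, and an entry that has aged out.

```python
"""Toy model of ISE Machine Access Restriction (MAR).

Assumed model for illustration only (not Cisco's implementation):
 - each policy node keeps its own dict of MAC -> time of last machine auth
 - an entry is valid for `aging_hours` (the post quotes 8760 hours)
 - a user authentication is only permitted when the session's MAC
   is present and unexpired in *that node's* cache
Times are plain floats in hours so the scenarios run offline.
"""
from dataclasses import dataclass, field


@dataclass
class MarNode:
    """One ISE policy service node with its private MAR cache."""
    name: str
    aging_hours: float = 8760.0
    cache: dict = field(default_factory=dict)  # mac -> machine-auth time (h)

    def machine_auth(self, mac: str, now_h: float) -> None:
        """A host/<machine> authentication succeeded on this node for `mac`."""
        self.cache[mac.lower()] = now_h

    def user_auth(self, mac: str, now_h: float) -> tuple[bool, str]:
        """MAR check for a user authentication coming from `mac`."""
        seen = self.cache.get(mac.lower())
        if seen is None:
            # This is the condition behind failure reason 24423 in the thread.
            return False, "24423: no previous machine authentication for this MAC"
        if now_h - seen > self.aging_hours:
            del self.cache[mac.lower()]
            return False, "24423: MAR entry aged out"
        return True, "permit"


# Constructed sample MACs for the laptop's two adapters and a docking station.
WIFI_MAC = "00:11:22:aa:bb:01"
WIRED_MAC = "00:11:22:aa:bb:02"
DOCK_MAC = "00:11:22:aa:bb:03"


def docking_scenario() -> dict:
    """Machine auths on wireless, user then moves to wired/dock: MAC changed."""
    node = MarNode("ise-psn-1")
    node.machine_auth(WIFI_MAC, now_h=0.0)
    return {
        "wifi": node.user_auth(WIFI_MAC, now_h=1.0)[0],    # True
        "wired": node.user_auth(WIRED_MAC, now_h=1.5)[0],  # False: different MAC
        "dock": node.user_auth(DOCK_MAC, now_h=2.0)[0],    # False: dock's own MAC
    }


def failover_scenario() -> dict:
    """Machine auth landed on node 1; user auth is load-balanced to node 2."""
    node1, node2 = MarNode("ise-psn-1"), MarNode("ise-psn-2")
    node1.machine_auth(WIFI_MAC, now_h=0.0)
    return {
        "same_node": node1.user_auth(WIFI_MAC, now_h=0.5)[0],   # True
        "other_node": node2.user_auth(WIFI_MAC, now_h=0.5)[0],  # False: not replicated
    }


def aging_scenario(aging_hours: float = 8760.0) -> dict:
    """Entry is valid until the aging time, then a new machine auth is needed."""
    node = MarNode("ise-psn-1", aging_hours=aging_hours)
    node.machine_auth(WIFI_MAC, now_h=0.0)
    before = node.user_auth(WIFI_MAC, now_h=aging_hours - 1)[0]  # True
    after = node.user_auth(WIFI_MAC, now_h=aging_hours + 1)[0]   # False: aged out
    node.machine_auth(WIFI_MAC, now_h=aging_hours + 1)           # reboot/logoff
    renewed = node.user_auth(WIFI_MAC, now_h=aging_hours + 2)[0]  # True again
    return {"before": before, "after": after, "renewed": renewed}


if __name__ == "__main__":
    for scenario in (docking_scenario, failover_scenario, aging_scenario):
        print(scenario.__name__, scenario())
```

Running the script prints one dict per scenario; every `False` corresponds to a user who would see the 24423 reject until the machine reboots or the user logs off and back on, which is exactly why the later replies recommend EAP-Chaining instead of MAR.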
05-25-2014 01:01 AM
Hi,
While using MAR to make sure that corporate users are actually using a domain computer to connect to the network was a discussion topic in several implementations, it was quickly scrapped due to the numerous issues:
- Sleeping computers may not perform machine authentication first
- Users with laptops going from wired to wireless wouldn't perform machine authentication first -> failed user auth
I suggest you try EAP-Chaining with the Anyconnect supplicant.
05-28-2014 10:37 AM
Simon, were we able to solve your issue? If not let us know if you need more clarifications. Otherwise, please mark the thread as closed/answered :)
05-28-2014 10:40 AM
I am still working on this. I can't figure out how some PCs just won't authenticate (no trace in ISE). I'm waiting on an internal signing request for ISE to see if that would help.
05-28-2014 10:58 AM
Hmm, that is interesting. You should be seeing hits in ISE whether they were for successful or unsuccessful authentications. Did you make sure that all of your NADs (switches, WLCs) are added to ISE? Also, under Administration > Settings > Protocols > Radius, check and see if you have Suppression enabled. This will prevent ISE from showing logs for "misbehaving" clients. You can temporarily disable it and troubleshoot the issue.
05-28-2014 12:02 PM
Is this normal?
show radius summary
05-28-2014 06:34 PM
Where are you pulling this information from? I mean what type of device?
Also, is this for wired or wireless?
05-29-2014 06:53 AM
This is for wireless and it is from our WLC
05-29-2014 10:44 PM
From the WLC issue:
debug client client_mac_address
Then try to authenticate with the affected machine and post the output back here.
06-12-2014 07:08 AM
Sorry... I've been so busy with other stuff, and since we just deactivated the machine auth it wasn't a priority.
You can find the debug on pastebin: http://pastebin.com/UCL6p5CU
06-15-2014 02:40 PM
Your debug logs are showing that the client is getting an "access-reject" which is sent by the radius server. As a result, the WLC removes/deletes the client. Thus, there must be logs in ISE about this client. Can you please double check? If there are no logs paste screen shots of the following:
Administration > System > Settings > Protocols > Radius
Have you tried to rejoin the computer to the domain, as sometimes the machine password expires and requires renewal? Then do the ISE-based authentication. If you still get this error, then try to roll back to the previous ISE patch if it was working successfully.
****Do rate helpful posts*****