This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.
Hi, Since we migrated to ISE 1.2 patch 7 we are having problems with our corporate SSID.
We have a rule that basically say :
User is Domain User.
Machine is in domain.
But for some reason some workstation are getting denied by this :
24423 ISE has not been able to confirm previous successful machine authentication for user in Active Directory
I was wondering if I could force a sync ?
Solved! Go to Solution.
Hmm, you when you restart the machine you should see an authentication entry that starts with " host/ " Let's try this:
1. Uncheck both the "Suppress Anomalous Clients" and "Suppress Repeated Successful Authentications"
2. Wait 10 minutes
3. Restart the machine and try again and let us know what happens
Have you tried to rejoin the computer to the domain as some time the machine password gets expired and requires renewal and then do the ISE based authentication if you still gets this error then try to to roll back to the previous ISE patch if it was working successfully.
****Do rate helpful posts*****
Are you using EAP-Chaining (EAP-TEAP) or are you utilizing MAR (machine access restriction)? Can you provide some screen shots of the rules that you have in place?
We use MAR.
Rule Screenshot :
AD Settings :
Allow Protocol :
I've been workign with ISE for a month now and still trying to understand alot of it so thank you all for your help!
OK, thank you for the screenshots. So the machine authentication related to MAR only happens when:
1. The machine first boots up
2. The user logs off and logs back in to the computer
ISE then stores the machine's MAC address information until the "Aging Time" expires. In your situation that is 8760 hours. Once that timer expires the user will have to either reboot the machine or log off/log back in. In addition, MAR comes with a couple of caveats:
1. The MAR information/state is not replicated between ISE nodes. Thus, if you are load balancing the sessions and/or you have a failover all of the previously MAR authenticated machines would have to either be rebooted or logged off/logged back on.
2. Since the method uses the MAC address of the machine the authentication process would have to be repeated if authenticating MAC address changes. For instance, a user comes comes to the office, boots the computer and authenticates on the wireless and everything works as expected. However, the user then goes to his/hers desk and connects to a wired port. At that point the machine will need to perform wired authentication, thus, it will be using the MAC address from its wired LAN adapter. That MAC address won't be in ISE's database and the machine will be marked as "not previously authenticated." At this point another restart/logg off/on will be required. The same will apply if the user for some reason uses a docking station. The docking station will have it's own MAC address that will be different than the one from the machine which won't be in the database of ISE.
Overall, MAR is not be most elegant solution. There are some good alternatives out there. You can take a look at the following document:
Hope this helps.
Thank you for rating!
While using MAR to make sure that corporate users are actually using a domain computer to connect to the network was a discussion topic in several implementations, it was quickly scrapped due to the numerous issues:
- Sleeping computers may not perform machine authentication first
- Users with laptops going from wired to wireless wouldn't perform machine authentication first -> failed user auth
I suggest you try EAP-Chaining with the Anyconnect supplicant.
Simon, were we able to solve your issue? If not let us know if you need more clarifications. Otherwise, please mark the thread as closed/answered :)
I am still working on this I can't figure out how some PC just won't authenticate (No trace in ISE) I'm waiting on an internal signing request for ISE to see if that would help
Hmm, that is interesting. You should be seeing hits in ISE weather they were for successful or unsuccessful authentications. Did you make sure that all of your NADs (Switches, WLCs) are added to ISE. Also, under Administration > Settings > Protocols > Radius, check and see if you have Suppression enabled. This will prevent ISE from showing up logs for "miss-behaving" clients. You can temporary disable it and troubleshoot the issue.
From the WLC issue:
debug client client_mac_address
Then try to authenticate with the affected machine and post the output back here.
Sorry... i've been so busy with other stuff and since we just desactivated the machine auth it wasn`t a priority.
you can find debug on pastebin :http://pastebin.com/UCL6p5CU
Your debug logs are showing that the client is getting an "access-reject" which is sent by the radius server. As a result, the WLC removes/deletes the client. Thus, there must be logs in ISE about this client. Can you please double check? If there are no logs paste screen shots of the following:
Administration > System > Settings > Protocols > Radius