Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
16702
Views
45
Helpful
21
Replies

Cisco ISE Machine failed machine authentication

Go to solution
Simon Laurendeau
Level 1
Level 1

‎05-20-2014 05:01 AM - edited ‎03-10-2019 09:43 PM

Hi, Since we migrated to ISE 1.2 patch 7 we are having problems with our corporate SSID.

We have a rule that basically say :

User is Domain User.

Machine is in domain.

 

But for some reason some workstation are getting denied by this :

24423     ISE has not been able to confirm previous successful machine authentication for user in Active Directory

 

I was wondering if I could force a sync ?

 

Labels:
0 Helpful
21 Replies 21

Go to solution
Simon Laurendeau
Level 1
Level 1
In response to nspasov

‎06-16-2014 08:12 AM

I can see the user in ISE "Authentication" tab but not the computer.

seems like 6 to 5% of our laptop are having this issue I think it's time I start working with our helpdesk here to check GPO and other hardware related issue. What I find weird is this happend right after migrating from ISE 1.1 to 1.2

 

Steps :

 

Steps

 11001Received RADIUS Access-Request
 11017RADIUS created a new session
 15049Evaluating Policy Group
 15008Evaluating Service Selection Policy
 15048Queried PIP
 15048Queried PIP
 15048Queried PIP
 15004Matched rule
 11507Extracted EAP-Response/Identity
 12300Prepared EAP-Request proposing PEAP with challenge
 11006Returned RADIUS Access-Challenge
 11001Received RADIUS Access-Request
 11018RADIUS is re-using an existing session
 12302Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
 12318Successfully negotiated PEAP version 0
 12800Extracted first TLS record; TLS handshake started
 12805Extracted TLS ClientHello message
 12806Prepared TLS ServerHello message
 12807Prepared TLS Certificate message
 12810Prepared TLS ServerDone message
 12305Prepared EAP-Request with another PEAP challenge
 11006Returned RADIUS Access-Challenge
 11001Received RADIUS Access-Request
 11018RADIUS is re-using an existing session
 12304Extracted EAP-Response containing PEAP challenge-response
 12305Prepared EAP-Request with another PEAP challenge
 11006Returned RADIUS Access-Challenge
 11001Received RADIUS Access-Request
 11018RADIUS is re-using an existing session
 12304Extracted EAP-Response containing PEAP challenge-response
 12318Successfully negotiated PEAP version 0
 12812Extracted TLS ClientKeyExchange message
 12804Extracted TLS Finished message
 12801Prepared TLS ChangeCipherSpec message
 12802Prepared TLS Finished message
 12816TLS handshake succeeded
 12310PEAP full handshake finished successfully
 12305Prepared EAP-Request with another PEAP challenge
 11006Returned RADIUS Access-Challenge
 11001Received RADIUS Access-Request
 11018RADIUS is re-using an existing session
 12304Extracted EAP-Response containing PEAP challenge-response
 12313PEAP inner method started
 11521Prepared EAP-Request/Identity for inner EAP method
 12305Prepared EAP-Request with another PEAP challenge
 11006Returned RADIUS Access-Challenge
 11001Received RADIUS Access-Request
 11018RADIUS is re-using an existing session
 12304Extracted EAP-Response containing PEAP challenge-response
 11522Extracted EAP-Response/Identity for inner EAP method
 11806Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
 12305Prepared EAP-Request with another PEAP challenge
 11006Returned RADIUS Access-Challenge
 11001Received RADIUS Access-Request
 11018RADIUS is re-using an existing session
 12304Extracted EAP-Response containing PEAP challenge-response
 11808Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
 15041Evaluating Identity Policy
 15006Matched Default Rule
 15013Selected Identity Source - IdentityStore_AD
 24430Authenticating user against Active Directory
 24402User authentication against Active Directory succeeded
 22037Authentication Passed
 11824EAP-MSCHAP authentication attempt passed
 12305Prepared EAP-Request with another PEAP challenge
 11006Returned RADIUS Access-Challenge
 11001Received RADIUS Access-Request
 11018RADIUS is re-using an existing session
 12304Extracted EAP-Response containing PEAP challenge-response
 11810Extracted EAP-Response for inner method containing MSCHAP challenge-response
 11814Inner EAP-MSCHAP authentication succeeded
 11519Prepared EAP-Success for inner EAP method
 12314PEAP inner method finished successfully
 12305Prepared EAP-Request with another PEAP challenge
 11006Returned RADIUS Access-Challenge
 11001Received RADIUS Access-Request
 11018RADIUS is re-using an existing session
 12304Extracted EAP-Response containing PEAP challenge-response
 24423ISE has not been able to confirm previous successful machine authentication for user in Active Directory
 15036Evaluating Authorization Policy
 24432Looking up user in Active Directory - DOMAIN\USER
 24416User's Groups retrieval from Active Directory succeeded
 15048Queried PIP
 15048Queried PIP
 15048Queried PIP
 15048Queried PIP
 15048Queried PIP
 15004Matched rule - AuthZBlock_DOT1X
 15016Selected Authorization Profile - DenyAccess
 15039Rejected per authorization profile
 12306PEAP authentication succeeded
 11503Prepared EAP-Success
 11003

Returned RADIUS Access-Reject

 

Radius :

0 Helpful

Go to solution
nspasov
Cisco Employee
Cisco Employee
In response to Simon Laurendeau

‎06-16-2014 10:59 AM

Hmm, you when you restart the machine you should see an authentication entry that starts with " host/ " Let's try this:

1. Uncheck both the "Suppress Anomalous Clients" and "Suppress Repeated Successful Authentications" 

2. Wait 10 minutes 

3. Restart the machine and try again and let us know what happens

0 Helpful

Go to solution
Simon Laurendeau
Level 1
Level 1
In response to nspasov

‎06-18-2014 06:36 AM

seems to be working I restarded 3-4 laptop and they all authenticated after rebooting I am still monitoring but it's looking positive!

0 Helpful

Go to solution
nspasov
Cisco Employee
Cisco Employee
In response to Simon Laurendeau

‎06-18-2014 09:52 AM

Good to hear! Hopefully this was resolved! Keep us posted :)

Go to solution
Simon Laurendeau
Level 1
Level 1
In response to nspasov

‎06-26-2014 07:09 AM

I can confirm it's now working ! thanks for the help !

0 Helpful

Go to solution
nspasov
Cisco Employee
Cisco Employee
In response to Simon Laurendeau

‎06-26-2014 08:22 AM

No problem! Glad the issue was solved :)

0 Helpful

Go to solution
fatalXerror
Level 5
Level 5
In response to Simon Laurendeau

‎06-28-2019 06:35 AM

Hi @Simon Laurendeau / @nspasov ,

 

So what is the issue then? Is it because of the MAR? I am having the same issue. 

 

Thanks

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents