Cisco ISE Machine failed machine authentication

Hi, since we migrated to ISE 1.2 patch 7 we are having problems with our corporate SSID.

We have a rule that basically says:

User is Domain User.

Machine is in domain.

But for some reason some workstations are getting denied by this:

24423     ISE has not been able to confirm previous successful machine authentication for user in Active Directory

I was wondering if I could force a sync?



I can see the user in ISE "Authentication" tab but not the computer.

Seems like 6 to 5% of our laptops are having this issue. I think it's time I start working with our helpdesk here to check GPO and other hardware-related issues. What I find weird is this happened right after migrating from ISE 1.1 to 1.2.


Steps:

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
11507 Extracted EAP-Response/Identity
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12810 Prepared TLS ServerDone message
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12318 Successfully negotiated PEAP version 0
12812 Extracted TLS ClientKeyExchange message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12310 PEAP full handshake finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12313 PEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
15041 Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Source - IdentityStore_AD
24430 Authenticating user against Active Directory
24402 User authentication against Active Directory succeeded
22037 Authentication Passed
11824 EAP-MSCHAP authentication attempt passed
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814 Inner EAP-MSCHAP authentication succeeded
11519 Prepared EAP-Success for inner EAP method
12314 PEAP inner method finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
24423 ISE has not been able to confirm previous successful machine authentication for user in Active Directory
15036 Evaluating Authorization Policy
24432 Looking up user in Active Directory - DOMAIN\USER
24416 User's Groups retrieval from Active Directory succeeded
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15004 Matched rule - AuthZBlock_DOT1X
15016 Selected Authorization Profile - DenyAccess
15039 Rejected per authorization profile
12306 PEAP authentication succeeded
11503 Prepared EAP-Success
11003 Returned RADIUS Access-Reject

 

Radius :

Hmm, when you restart the machine you should see an authentication entry that starts with "host/". Let's try this:

1. Uncheck both the "Suppress Anomalous Clients" and "Suppress Repeated Successful Authentications" 

2. Wait 10 minutes 

3. Restart the machine and try again and let us know what happens
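
A way to spot this failure pattern when triaging ISE step logs, as an added example that is not part of the original thread: the script parses "code + message" step lines like the ones posted above and flags sessions where the user passed Active Directory authentication, ISE then logged 24423, and the session ended in an Access-Reject. The function names and the sample text (abridged from the log in this thread) are assumptions made for the example.

```python
import re

# Step codes as they appear in the log posted in this thread.
USER_AUTH_OK = "24402"   # User authentication against Active Directory succeeded
MACHINE_MISS = "24423"   # no previous successful machine authentication confirmed
AUTHZ_PROFILE = "15016"  # Selected Authorization Profile - <name>
ACCESS_REJECT = "11003"  # Returned RADIUS Access-Reject

# A five-digit code, then optional spacing, then the message. This accepts the
# fused form ("24423ISE has ..."), the spaced form, and a bare code on its own line.
STEP_RE = re.compile(r"^\s*(\d{5})(?!\d)\s*(.*)$")

def parse_steps(text):
    """Return a list of (code, message) pairs; lines without a step code are skipped."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append((m.group(1), m.group(2).strip()))
    return steps

def diagnose(text):
    """Summarise one session's steps and flag the pattern seen in this thread."""
    steps = parse_steps(text)
    codes = [code for code, _ in steps]
    profile = None
    for code, msg in steps:
        if code == AUTHZ_PROFILE and " - " in msg:
            profile = msg.rsplit(" - ", 1)[1]
    user_ok = USER_AUTH_OK in codes
    miss = MACHINE_MISS in codes
    rejected = ACCESS_REJECT in codes
    # The user credential was fine; the reject follows the failed machine check.
    ordered = user_ok and miss and codes.index(USER_AUTH_OK) < codes.index(MACHINE_MISS)
    return {"user_auth_ok": user_ok, "machine_auth_unconfirmed": miss,
            "profile": profile, "rejected": rejected,
            "reject_after_machine_miss": ordered and rejected}

# Constructed sample: abridged from the step log in this thread.
SAMPLE = """\
24402 User authentication against Active Directory succeeded
22037 Authentication Passed
24423 ISE has not been able to confirm previous successful machine authentication for user in Active Directory
15004 Matched rule - AuthZBlock_DOT1X
15016 Selected Authorization Profile - DenyAccess
11003 Returned RADIUS Access-Reject
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```
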

Seems to be working. I restarted 3-4 laptops and they all authenticated after rebooting. I am still monitoring but it's looking positive!

Good to hear! Hopefully this was resolved! Keep us posted :)

I can confirm it's now working! Thanks for the help!

No problem! Glad the issue was solved :)

Hi @Simon Laurendeau / @nspasov ,

 

So what is the issue then? Is it because of the MAR? I am having the same issue. 

 

Thanks