Solved: No problem! Glad the issue - Page 2

Simon Laurendeau · ‎05-20-2014

Hi, Since we migrated to ISE 1.2 patch 7 we are having problems with our corporate SSID.

We have a rule that basically say :

User is Domain User.

Machine is in domain.

But for some reason some workstation are getting denied by this :

24423 ISE has not been able to confirm previous successful machine authentication for user in Active Directory

I was wondering if I could force a sync ?

Simon Laurendeau · ‎06-16-2014

I can see the user in ISE "Authentication" tab but not the computer.

seems like 6 to 5% of our laptop are having this issue I think it's time I start working with our helpdesk here to check GPO and other hardware related issue. What I find weird is this happend right after migrating from ISE 1.1 to 1.2

Steps :

Steps

	11001	Received RADIUS Access-Request
	11017	RADIUS created a new session
	15049	Evaluating Policy Group
	15008	Evaluating Service Selection Policy
	15048	Queried PIP
	15048	Queried PIP
	15048	Queried PIP
	15004	Matched rule
	11507	Extracted EAP-Response/Identity
	12300	Prepared EAP-Request proposing PEAP with challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12302	Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
	12318	Successfully negotiated PEAP version 0
	12800	Extracted first TLS record; TLS handshake started
	12805	Extracted TLS ClientHello message
	12806	Prepared TLS ServerHello message
	12807	Prepared TLS Certificate message
	12810	Prepared TLS ServerDone message
	12305	Prepared EAP-Request with another PEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12304	Extracted EAP-Response containing PEAP challenge-response
	12305	Prepared EAP-Request with another PEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12304	Extracted EAP-Response containing PEAP challenge-response
	12318	Successfully negotiated PEAP version 0
	12812	Extracted TLS ClientKeyExchange message
	12804	Extracted TLS Finished message
	12801	Prepared TLS ChangeCipherSpec message
	12802	Prepared TLS Finished message
	12816	TLS handshake succeeded
	12310	PEAP full handshake finished successfully
	12305	Prepared EAP-Request with another PEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12304	Extracted EAP-Response containing PEAP challenge-response
	12313	PEAP inner method started
	11521	Prepared EAP-Request/Identity for inner EAP method
	12305	Prepared EAP-Request with another PEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12304	Extracted EAP-Response containing PEAP challenge-response
	11522	Extracted EAP-Response/Identity for inner EAP method
	11806	Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
	12305	Prepared EAP-Request with another PEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12304	Extracted EAP-Response containing PEAP challenge-response
	11808	Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
	15041	Evaluating Identity Policy
	15006	Matched Default Rule
	15013	Selected Identity Source - IdentityStore_AD
	24430	Authenticating user against Active Directory
	24402	User authentication against Active Directory succeeded
	22037	Authentication Passed
	11824	EAP-MSCHAP authentication attempt passed
	12305	Prepared EAP-Request with another PEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12304	Extracted EAP-Response containing PEAP challenge-response
	11810	Extracted EAP-Response for inner method containing MSCHAP challenge-response
	11814	Inner EAP-MSCHAP authentication succeeded
	11519	Prepared EAP-Success for inner EAP method
	12314	PEAP inner method finished successfully
	12305	Prepared EAP-Request with another PEAP challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12304	Extracted EAP-Response containing PEAP challenge-response
	24423	ISE has not been able to confirm previous successful machine authentication for user in Active Directory
	15036	Evaluating Authorization Policy
	24432	Looking up user in Active Directory - DOMAIN\USER
	24416	User's Groups retrieval from Active Directory succeeded
	15048	Queried PIP
	15048	Queried PIP
	15048	Queried PIP
	15048	Queried PIP
	15048	Queried PIP
	15004	Matched rule - AuthZBlock_DOT1X
	15016	Selected Authorization Profile - DenyAccess
	15039	Rejected per authorization profile
	12306	PEAP authentication succeeded
	11503	Prepared EAP-Success
	11003	Returned RADIUS Access-Reject

Radius :

nspasov · ‎06-16-2014

Hmm, you when you restart the machine you should see an authentication entry that starts with " host/ " Let's try this:

1. Uncheck both the "Suppress Anomalous Clients" and "Suppress Repeated Successful Authentications"

2. Wait 10 minutes

3. Restart the machine and try again and let us know what happens

Simon Laurendeau · ‎06-18-2014

seems to be working I restarded 3-4 laptop and they all authenticated after rebooting I am still monitoring but it's looking positive!

nspasov · ‎06-18-2014

Good to hear! Hopefully this was resolved! Keep us posted :)

Simon Laurendeau · ‎06-26-2014

I can confirm it's now working ! thanks for the help !

nspasov · ‎06-26-2014

No problem! Glad the issue was solved :)

fatalXerror · ‎06-28-2019

Hi @Simon Laurendeau / @nspasov ,

So what is the issue then? Is it because of the MAR? I am having the same issue.

Thanks

Cisco ISE Machine failed machine authentication

Steps