cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
44712
Views
5
Helpful
11
Replies

Cisco ISE Machine failed machine authentication

Hi, last week we migrated to ISE 1.2 Patch 7 and since then we are having trouble with our corporate SSID.

We have a rule that says :
1) User is domain user.
2) Machine is authenticated.

But for some reason that I can't figure out some machine(I would say around 200/1000) can't seem to authenticate.

This is the message I found in the "steps"

24423     ISE has not been able to confirm previous successful machine authentication for user in Active Directory

I was wondering if I could force something on the controller or on ISE directly.

 

EDIT : In the operation > Authentication I can see that some host/MachineName are getting authenticated.

Would I be able to force this as a step in my other rule.

11 Replies 11

Sam Hertica
Cisco Employee
Cisco Employee

So, it sounds like you're using MAR (machine access restriction). Essentially using MAR is an easy way to determine whether or not someone is on a corporate device, and the way it works is whenever a machine authentication is performed (when the machine boots, sits at the login screen ,user logs out, etc) ISE will write down the timestamp of the authentication followed by the MAC address. Every consequent authentication with that MAC address for the next 6 hours (default MAR cache timeout) ISE will say the machine had authenticated successfully.

 

However, whenever the MAR cache times out ISE cannot validate whether or not the machine authenticated successfully. So 6 hours for a normal work day with re-authentications for the user-account will not work. But at the same time, you dont want to have the MAR cache be valid forever, since you might be forced to disable the machine account, update the password, etc. You need to find a happy medium for that cache timeout setting (found under the AD settings in the advanced tab) where it's long enough for users to not be bothered, but at the same time not too long.

 

That being said, that step will show up if you even have MAR enabled. If you aren't using a condition that enforces MAR (The AD->WasMachineAuthenticated attribute) it's a moot point.

What is the failure reason ISE gives for machines that can't authenticate?

Hi shertica, and thank you for the explanation. I started working with ISE a month ago and still getting familiarized but I think the problem is the relationship between the Machine and the user because I can't find any Host/MachineName fail in the last 24 hour and I can't seem to have any log further than that.

 

Failure Reason

15039 Rejected per authorization profile
Resolution

Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.

 

 

Steps

  11001 Received RADIUS Access-Request
  11017 RADIUS created a new session
  15049 Evaluating Policy Group
  15008 Evaluating Service Selection Policy
  15048 Queried PIP
  15048 Queried PIP
  15048 Queried PIP
  15004 Matched rule
  11507 Extracted EAP-Response/Identity
  12300 Prepared EAP-Request proposing PEAP with challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
  12318 Successfully negotiated PEAP version 0
  12800 Extracted first TLS record; TLS handshake started
  12805 Extracted TLS ClientHello message
  12806 Prepared TLS ServerHello message
  12807 Prepared TLS Certificate message
  12810 Prepared TLS ServerDone message
  12305 Prepared EAP-Request with another PEAP challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12304 Extracted EAP-Response containing PEAP challenge-response
  12318 Successfully negotiated PEAP version 0
  12812 Extracted TLS ClientKeyExchange message
  12804 Extracted TLS Finished message
  12801 Prepared TLS ChangeCipherSpec message
  12802 Prepared TLS Finished message
  12816 TLS handshake succeeded
  12310 PEAP full handshake finished successfully
  12305 Prepared EAP-Request with another PEAP challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12304 Extracted EAP-Response containing PEAP challenge-response
  12313 PEAP inner method started
  11521 Prepared EAP-Request/Identity for inner EAP method
  12305 Prepared EAP-Request with another PEAP challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12304 Extracted EAP-Response containing PEAP challenge-response
  11522 Extracted EAP-Response/Identity for inner EAP method
  11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
  12305 Prepared EAP-Request with another PEAP challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12304 Extracted EAP-Response containing PEAP challenge-response
  11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
  15041 Evaluating Identity Policy
  15006 Matched Default Rule
  15013 Selected Identity Source - XXX
  24430 Authenticating user against Active Directory
  24402 User authentication against Active Directory succeeded
  22037 Authentication Passed
  11824 EAP-MSCHAP authentication attempt passed
  12305 Prepared EAP-Request with another PEAP challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12304 Extracted EAP-Response containing PEAP challenge-response
  11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
  11814 Inner EAP-MSCHAP authentication succeeded
  11519 Prepared EAP-Success for inner EAP method
  12314 PEAP inner method finished successfully
  12305 Prepared EAP-Request with another PEAP challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12304 Extracted EAP-Response containing PEAP challenge-response
  24423 ISE has not been able to confirm previous successful machine authentication for user in Active Directory
  15036 Evaluating Authorization Policy
  24432 Looking up user in Active Directory - XXX
  24416 User's Groups retrieval from Active Directory succeeded
  15048 Queried PIP
  15048 Queried PIP
  15048 Queried PIP
  15048 Queried PIP
  15048 Queried PIP
  15004 Matched rule - AuthZBlock_DOT1X
  15016 Selected Authorization Profile - DenyAccess
  15039 Rejected per authorization profile
  12306 PEAP authentication succeeded
  11503 Prepared EAP-Success
  11003 Returned RADIUS Access-Reject

 

Edit : I found a couple of these :

 

Event 5400 Authentication failed
Failure Reason 24485 Machine authentication against Active Directory has failed because of wrong password
Resolution Check if the machine is present in the Active Directory domain and if it is spelled correctly. Also check whether machine authentication is configured properly on the supplicant.
Root cause Machine authentication against Active Directory has failed because of wrong password.
Username host/MachineName

 

I also have an alarming number of : Misconfigured Supplicant Detected(3714)

This particular authentication steps indicate that there is a configuration failure along the way. The user successfully authenticated, but we are passing back the rule AuthZBlock_DOT1X which has the deny access result.

 

If you check out the details about that particular authentication (to the left of the steps) you are given all the information about that particular authentication. Next you should find the rule you expect to hit in the AuthZ section, and check out the conditions for that particular rule. If they are expected to join a wlan id 1 for example, you better see the wlan id 1 for that failed authentication.

 

For the second failure you see it's because the machine has the wrong password. The default period of time in AD for machine account passwords is 31 days, so if you had a machine disappear for 31 days (or less, whenever they last refreshed their credentials). When they connect to the network and talk with DCs they are able to reset the password gracefully. When they're trying to connect through ISE, it's technically an expired password so the machine is stuck until it can negotiate with the DCs again (typically. maybe you had a manual machine authentication with a user/password, but it doesn't seem that way).

 

You should also check out the ISE reporting. If you head to Operations -> Reports -> Authentication Services (i think, this is my memory), Authentication Summary. You can check out the summary for the past 7 or 31 days, and see a larger subset of results for authentications that are split into different sections to give you some more insight over where a particular problem may lie.

so I tracked a couple of error from this morning and it is going in my rule (Like it is suppose to)

Rule :

AuthzIA_Tab_Corpo

1)AuthZIA_DomainUsers(Costum condition)

2)WasAuthenticated equal True

4)WlanID = 1

 

When I remove "WasAuthenticated equal True" I don't have any error in the Authentications tab but I can Use the corporate wifi with my Macbook.

What could cause the Machine to not authenticate proprely ?

I took help of the AD team to understand MAR.

the issue is by default, after every 30 dayes the machine credentials are refreshed and thus, ISE will not be able to find that info in snapshot sometimes.

hence, usually a reboot of the machine helps.

what I asked the Administrator is if we could configure a policy that whenever this update happens, a machine reboot should also be initiated from the AD server itself.

he hasn't got back to me as of yet but I am betting it might just solve the issue.

currently I am testing it on a single machine with the update period of 1 day.

Check this guide:

http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116516-problemsolution-technology-00.html

Hope this helps..

Have you tried to rejoin the computer to the domain as some time the machine password gets expired and requires renewal and then do the ISE based authentication if you still gets this error then try to  to roll back to the previous ISE patch if it was working successfully.other wise based on the out put of log its seem to be the password of machine issue not the user.
 

****Do rate helpful posts*****

Seems to work this morning after changing Aging Time (hours) from 8760 to 36.

I will keep monitoring

I still have a couple Machine that are getting denied and I can't figure out why...

 

12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate

OpenSSLErrorMessageSSL alert: code=0x230=560 ; source=remote ; type=fatal ; message="unknown CA"
OpenSSLErrorStack47761307310400:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1102:SSL alert number 48

manjeets
Level 3
Level 3

Here is the related video :

http://www.youtube.com/watch?v=bjH99xKepLY

 

We have found that if you update the NIC driver to the latest, log in as an Administrator and confirm successful authentication in ISE quick logs that the user can then log back in successfully.. we disable ISE on the port while the driver is getting updated.

hara12386
Level 1
Level 1

Hello,

The issue has been fixed after upgrading the NIC driver?

 

Many thanks