Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
19786
Views
45
Helpful
21
Replies

Cisco ISE Machine failed machine authentication

Go to solution
Simon Laurendeau
Level 1
Level 1

‎05-20-2014 05:01 AM - edited ‎03-10-2019 09:43 PM

Hi, Since we migrated to ISE 1.2 patch 7 we are having problems with our corporate SSID.

We have a rule that basically say :

User is Domain User.

Machine is in domain.

 

But for some reason some workstation are getting denied by this :

24423     ISE has not been able to confirm previous successful machine authentication for user in Active Directory

 

I was wondering if I could force a sync ?

 

Labels:
0 Helpful
21 Replies 21

Go to solution
Simon Laurendeau
Level 1
Level 1
In response to nspasov

‎06-16-2014 08:12 AM

I can see the user in ISE "Authentication" tab but not the computer.

seems like 6 to 5% of our laptop are having this issue I think it's time I start working with our helpdesk here to check GPO and other hardware related issue. What I find weird is this happend right after migrating from ISE 1.1 to 1.2

 

Steps :

 

Steps

 11001Received RADIUS Access-Request
 11017RADIUS created a new session
 15049Evaluating Policy Group
 15008Evaluating Service Selection Policy
 15048Queried PIP
 15048Queried PIP
 15048Queried PIP
 15004Matched rule
 11507Extracted EAP-Response/Identity
 12300Prepared EAP-Request proposing PEAP with challenge
 11006Returned RADIUS Access-Challenge
 11001Received RADIUS Access-Request
 11018RADIUS is re-using an existing session
 12302Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
 12318Successfully negotiated PEAP version 0
 12800Extracted first TLS record; TLS handshake started
 12805Extracted TLS ClientHello message
 12806Prepared TLS ServerHello message
 12807Prepared TLS Certificate message
 12810Prepared TLS ServerDone message
 12305Prepared EAP-Request with another PEAP challenge
 11006Returned RADIUS Access-Challenge
 11001Received RADIUS Access-Request
 11018RADIUS is re-using an existing session
 12304Extracted EAP-Response containing PEAP challenge-response
 12305Prepared EAP-Request with another PEAP challenge
 11006Returned RADIUS Access-Challenge
 11001Received RADIUS Access-Request
 11018RADIUS is re-using an existing session
 12304Extracted EAP-Response containing PEAP challenge-response
 12318Successfully negotiated PEAP version 0
 12812Extracted TLS ClientKeyExchange message
 12804Extracted TLS Finished message
 12801Prepared TLS ChangeCipherSpec message
 12802Prepared TLS Finished message
 12816TLS handshake succeeded
 12310PEAP full handshake finished successfully
 12305Prepared EAP-Request with another PEAP challenge
 11006Returned RADIUS Access-Challenge
 11001Received RADIUS Access-Request
 11018RADIUS is re-using an existing session
 12304Extracted EAP-Response containing PEAP challenge-response
 12313PEAP inner method started
 11521Prepared EAP-Request/Identity for inner EAP method
 12305Prepared EAP-Request with another PEAP challenge
 11006Returned RADIUS Access-Challenge
 11001Received RADIUS Access-Request
 11018RADIUS is re-using an existing session
 12304Extracted EAP-Response containing PEAP challenge-response
 11522Extracted EAP-Response/Identity for inner EAP method
 11806Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
 12305Prepared EAP-Request with another PEAP challenge
 11006Returned RADIUS Access-Challenge
 11001Received RADIUS Access-Request
 11018RADIUS is re-using an existing session
 12304Extracted EAP-Response containing PEAP challenge-response
 11808Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
 15041Evaluating Identity Policy
 15006Matched Default Rule
 15013Selected Identity Source - IdentityStore_AD
 24430Authenticating user against Active Directory
 24402User authentication against Active Directory succeeded
 22037Authentication Passed
 11824EAP-MSCHAP authentication attempt passed
 12305Prepared EAP-Request with another PEAP challenge
 11006Returned RADIUS Access-Challenge
 11001Received RADIUS Access-Request
 11018RADIUS is re-using an existing session
 12304Extracted EAP-Response containing PEAP challenge-response
 11810Extracted EAP-Response for inner method containing MSCHAP challenge-response
 11814Inner EAP-MSCHAP authentication succeeded
 11519Prepared EAP-Success for inner EAP method
 12314PEAP inner method finished successfully
 12305Prepared EAP-Request with another PEAP challenge
 11006Returned RADIUS Access-Challenge
 11001Received RADIUS Access-Request
 11018RADIUS is re-using an existing session
 12304Extracted EAP-Response containing PEAP challenge-response
 24423ISE has not been able to confirm previous successful machine authentication for user in Active Directory
 15036Evaluating Authorization Policy
 24432Looking up user in Active Directory - DOMAIN\USER
 24416User's Groups retrieval from Active Directory succeeded
 15048Queried PIP
 15048Queried PIP
 15048Queried PIP
 15048Queried PIP
 15048Queried PIP
 15004Matched rule - AuthZBlock_DOT1X
 15016Selected Authorization Profile - DenyAccess
 15039Rejected per authorization profile
 12306PEAP authentication succeeded
 11503Prepared EAP-Success
 11003

Returned RADIUS Access-Reject

 

Radius :

0 Helpful

Go to solution
nspasov
Cisco Employee
Cisco Employee
In response to Simon Laurendeau

‎06-16-2014 10:59 AM

Hmm, you when you restart the machine you should see an authentication entry that starts with " host/ " Let's try this:

1. Uncheck both the "Suppress Anomalous Clients" and "Suppress Repeated Successful Authentications" 

2. Wait 10 minutes 

3. Restart the machine and try again and let us know what happens

Thank you for rating helpful posts!
0 Helpful

Go to solution
Simon Laurendeau
Level 1
Level 1
In response to nspasov

‎06-18-2014 06:36 AM

seems to be working I restarded 3-4 laptop and they all authenticated after rebooting I am still monitoring but it's looking positive!

0 Helpful

Go to solution
nspasov
Cisco Employee
Cisco Employee
In response to Simon Laurendeau

‎06-18-2014 09:52 AM

Good to hear! Hopefully this was resolved! Keep us posted :)

Thank you for rating helpful posts!

Go to solution
Simon Laurendeau
Level 1
Level 1
In response to nspasov

‎06-26-2014 07:09 AM

I can confirm it's now working ! thanks for the help !

0 Helpful

Go to solution
nspasov
Cisco Employee
Cisco Employee
In response to Simon Laurendeau

‎06-26-2014 08:22 AM

No problem! Glad the issue was solved :)

Thank you for rating helpful posts!
0 Helpful

Go to solution
fatalXerror
Level 5
Level 5
In response to Simon Laurendeau

‎06-28-2019 06:35 AM

Hi @Simon Laurendeau / @nspasov ,

 

So what is the issue then? Is it because of the MAR? I am having the same issue. 

 

Thanks

0 Helpful
Customers Also Viewed These Support Documents