09-01-2023 06:19 AM - edited 09-01-2023 06:21 AM
Has anyone seen this behavior before? We have an ISE 3.1 (patch 3) environment using 802.1X machine/PC cert auth. From an ISE perspective, ISE is working as expected. However, our issues manifest themselves based on how ISE authenticates a machine and what order the logs are generated in.
The issue is, when a user is logging into the network, they auth via ISE, so they are generating a log with an identity of their PC name and a log with an identity of the domain username. Below is a log where the domain username log has been generated, but it's not the last log (most recent). What happens then is that all of the passive identity info sent to FMC/Firepower has an active session based on the PC name. Our firewall rule base uses identity mappings that grant access to various things based on username. So, any time a user has not been mapped (FMC event logs show the initiator user "not found"), it prevents users from accessing services they are allowed to.
On the flip side, when the domain username is the last entry in the log (most recent), everything works fine.
This happens every single time and it only happens for our wired EAP-TLS 802.1X connections (not wireless). Our ISE passive identity dashboard is good. All green. We have 4 DCs; I have checked to determine if there is one DC that is the root cause, which there is not. This can happen to any user auth'ing from any DC. It's totally random and does not impact the same set of users each time. I have run the health checks on ISE, no issues. I have a TAC case opened and he mentioned he has seen this before, so I thought I'd see if anyone on this forum has run into this?
Is there any way to force ISE to generate the logs in the correct order? Is there a timer issue on our switch port configs?
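As an added illustration (not code from the original post or from Cisco ISE/FMC), the check below reproduces the symptom described above: for each endpoint it takes the most recent authentication event as the active passive-identity mapping and flags endpoints whose latest identity is a machine (host/) identity even though a domain user was seen earlier. The log line format and all IPs, hostnames and usernames are constructed for the example and are not real ISE syslog syntax.

```python
import re

# Constructed sample events: timestamp, endpoint IP, identity, method.
# 10.1.20.15 logs user last (works), 10.1.20.16 logs machine last (breaks
# user-based firewall rules), 10.1.20.17 has only a machine auth so far.
SAMPLE_EVENTS = """\
2023-09-01T06:00:01 ip=10.1.20.15 identity=host/PC-0142.corp.example method=EAP-TLS
2023-09-01T06:00:04 ip=10.1.20.15 identity=CORP\\jdoe method=EAP-TLS
2023-09-01T06:00:09 ip=10.1.20.16 identity=CORP\\asmith method=EAP-TLS
2023-09-01T06:00:12 ip=10.1.20.16 identity=host/PC-0177.corp.example method=EAP-TLS
2023-09-01T06:00:20 ip=10.1.20.17 identity=host/PC-0190.corp.example method=EAP-TLS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) identity=(?P<identity>\S+) method=(?P<method>\S+)$"
)


def is_machine_identity(identity):
    # Machine certificate auth presents host/<fqdn>; some exports show <name>$.
    return identity.lower().startswith("host/") or identity.endswith("$")


def parse_events(text):
    # Parse the constructed format; lines that do not match are skipped.
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def latest_identity_per_ip(events):
    # Later events win, mirroring "most recent log becomes the active session".
    latest = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        latest[ev["ip"]] = ev["identity"]
    return latest


def find_machine_mapped_endpoints(text):
    # Returns {ip: [domain users seen earlier]} for every endpoint whose active
    # mapping would resolve to a PC name instead of a username.
    events = parse_events(text)
    latest = latest_identity_per_ip(events)
    users_seen = {}
    for ev in events:
        if not is_machine_identity(ev["identity"]):
            users_seen.setdefault(ev["ip"], set()).add(ev["identity"])
    return {ip: sorted(users_seen.get(ip, ()))
            for ip, ident in latest.items() if is_machine_identity(ident)}
```

Running it against real exports only needs `LINE_RE` adapted to the actual field layout; endpoints that appear with an empty user list have only ever machine-authenticated, the others are the ordering case the post describes.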
09-02-2023 06:18 PM
@MattMH The events look to be in the correct order.
It's a known issue