Cisco ISE Passive Identity - Order of Log Events

MattMH
Level 1

Has anyone seen this behavior before? We have an ISE 3.1 (patch 3) environment using 802.1X machine/PC cert auth. From an ISE perspective, ISE is working as expected. However, our issues manifest themselves based on how ISE auths a machine and what order the logs are generated in.

The issue is, when a user is logging into the network, they auth via ISE, so they are generating a log with an identity of their PC name and a log with an identity of the domain username. Below is a log where the domain username log has been generated, but it's not the last log (most recent). What happens then is that all of the passive identity info sent to FMC/Firepower has an active session based on PC name. Our firewall rule base uses identity mappings that grant access to various things based on username. So, any time a user has not been mapped (FMC event logs show the initiator user "not found"), it prevents users from accessing services they are allowed to.

ISE-ORDER-NOTWORKING.jpg

On the flip side, when the domain username is the last entry in the log (most recent), everything works fine.

ISE-ORDER-WORKS.JPG

This happens every single time, and it only happens for our wired EAP-TLS 802.1X connections (not wireless). Our ISE passive identity dashboard is good. All green. We have 4 DCs; I have checked to determine if there is one DC that is the root cause, which there is not. This can happen to any user authing from any DC. It's totally random and does not impact the same set of users each time. I have run the health checks on ISE, no issues. I have a TAC case open and he mentioned he has seen this before, so I thought I'd see if anyone on this forum has run into this?

Is there any way to force ISE to generate the logs in the correct order? Is there a timer issue on our switch port configs?

1 Reply

hslai
Cisco Employee

@MattMH The events look to be in the correct order.

It's a known issue

  • that the sessions topic has the field isMachineAuthentication (see pxgrid-rest-ws / Service: com.cisco.ise.session), so the subscriber may use it to filter accordingly, but FMC does not appear to have implemented this. See also CSCvd73842
  • that ISE has no option to publish only the user authentication events.
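As an added illustration of the filtering hslai describes (example code written for this page, not from Cisco, ISE or FMC), here is a minimal pxGrid session consumer that applies isMachineAuthentication so the publish order of machine and user events no longer decides the identity mapping. The field names other than isMachineAuthentication and com.cisco.ise.session, and the sample events, are assumptions.

```python
"""Consume pxGrid session events so that machine (PC certificate)
authentications never overwrite the IP-to-user identity mapping.

Assumptions: field names userName, ipAddresses and timestamp follow the
pxGrid com.cisco.ise.session topic; all events below are constructed samples.
"""
from typing import Dict, Iterable, List

# Constructed sample of the "not working" order from the post: the user
# session is published first, then the machine session for the same IP.
NOT_WORKING_ORDER: List[dict] = [
    {"userName": "jdoe", "ipAddresses": ["10.1.20.55"],
     "timestamp": "2023-01-10T08:00:01Z", "isMachineAuthentication": False},
    {"userName": "host/PC-0123.example.local", "ipAddresses": ["10.1.20.55"],
     "timestamp": "2023-01-10T08:00:03Z", "isMachineAuthentication": True},
]

# Constructed sample of the "works" order: the user session arrives last.
WORKING_ORDER: List[dict] = [
    {"userName": "host/PC-0123.example.local", "ipAddresses": ["10.1.20.55"],
     "timestamp": "2023-01-10T08:00:01Z", "isMachineAuthentication": True},
    {"userName": "jdoe", "ipAddresses": ["10.1.20.55"],
     "timestamp": "2023-01-10T08:00:03Z", "isMachineAuthentication": False},
]


def last_event_wins(events: Iterable[dict]) -> Dict[str, str]:
    """Naive consumer: the newest session for an IP defines its user.
    With the machine event last, the IP maps to the PC name, which is the
    'initiator user not found' situation the post describes."""
    mapping: Dict[str, str] = {}
    for ev in events:  # events are processed in publish order
        for ip in ev["ipAddresses"]:
            mapping[ip] = ev["userName"]
    return mapping


def user_identity_mapping(events: Iterable[dict]) -> Dict[str, str]:
    """Filter on isMachineAuthentication so only user sessions update the
    mapping; the order of machine vs. user events then no longer matters."""
    mapping: Dict[str, str] = {}
    for ev in events:
        if ev.get("isMachineAuthentication", False):
            continue  # machine cert session: keep any existing user mapping
        for ip in ev["ipAddresses"]:
            mapping[ip] = ev["userName"]
    return mapping
```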