Beginner

constant AD authentication failures JCIFS from ISE server

We are seeing thousands of authentication failures with the "source IP" of the ISE server. The username every time is "administrator" and the workstation is "JCIFS141.20_C9". I suspected, and confirmed from a post on Microsoft communities, that the last part of the name is the last part of the machine's IP address. (Tracking Account Lockout from JCIFS?)

Would ISE be generating these connections (I doubt it), or, more likely I would think, are these auth failures coming from some endpoint device on the network? I am having a really hard time filtering through the ISE dashboards in an attempt to narrow down where these might be coming from. The only rejected endpoints in ISE are due to error 15039. After some cursory reading over ISE documentation, that seems more like an ISE profile rejection rather than an AD auth failure.

Can I generate any report in ISE to show which endpoint is experiencing a high amount of AD auth failures with a particular username?

1 ACCEPTED SOLUTION

Beginner

Re: constant AD authentication failures JCIFS from ISE server

While I can't be certain in your case, my issue turned out to be the credentials that were stored in the PassiveID Domain Controllers settings.

 

Administration > Identity Management > External Identity Sources > Active Directory > join point of your domain > Passive ID > then select a DC and Edit, updating your credentials.

 

In my case, we don't need to use Passive ID at the moment, and I've disabled the feature entirely on our policy nodes.  After doing this, the logs (in Splunk for "JCIFSxxx Failure") report no more incidents of my domain credentials being rejected, thus no longer triggering an account lockout.

 

Cheers,

Daniel 


3 REPLIES
Cisco Employee

Re: constant AD authentication failures JCIFS from ISE server

Go to [Operations > Reports > Reports > Diagnostics > RADIUS Errors] and filter on failure Reason with "Active Directory" and on Identity with the username.

Cisco Employee

Re: constant AD authentication failures JCIFS from ISE server

cumminsdm is likely right, or it could also be due to integrating SCCM with ISE. See also: AD account is getting locked from Domain controller
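
One way to triage the failures discussed in this thread, as an added example that is not part of the original posts: count failed logons per JCIFS workstation name and username, then match the digits in the name against a host inventory. The CSV column names, host names and addresses are constructed, and reading the digits after "JCIFS" as the last two octets of the client's IP is an assumption taken from the question.

```python
import csv
import io
import ipaddress
import re
from collections import Counter

# Constructed sample of failed-logon events exported as CSV.
# Column names are assumptions for this example, not a Windows or Splunk schema.
SAMPLE_CSV = """time,user,workstation,status
2020-01-01T10:00:01,administrator,JCIFS141.20_C9,failure
2020-01-01T10:00:31,Administrator,JCIFS141.20_C9,failure
2020-01-01T10:01:01,administrator,JCIFS141.20_C9,failure
2020-01-01T10:01:05,administrator,JCIFS141_21_0A,failure
2020-01-01T10:02:00,jsmith,WKSTN-044,failure
2020-01-01T10:02:30,administrator,JCIFS141.20_C9,success
"""

# Constructed inventory of hosts that hold stored AD credentials.
CANDIDATES = {"ise-psn-01": "10.10.141.20", "ise-psn-02": "10.10.141.21",
              "sccm-01": "10.10.7.20"}

# "JCIFS" + two decimal groups (dot or underscore separated) + opaque hex suffix.
JCIFS_NAME = re.compile(r"^JCIFS(\d{1,3})[._](\d{1,3})_[0-9A-F]{2}$", re.I)

def trailing_octets(workstation):
    """Return the two octets encoded in a JCIFS-style name, or None."""
    m = JCIFS_NAME.match(workstation)
    if not m:
        return None
    a, b = int(m.group(1)), int(m.group(2))
    return (a, b) if a <= 255 and b <= 255 else None

def summarize(csv_text, candidates):
    """Count failures per (workstation, user) and list inventory hosts that fit."""
    failures = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["status"] == "failure" and trailing_octets(row["workstation"]):
            failures[(row["workstation"], row["user"].lower())] += 1
    report = []
    for (ws, user), count in failures.most_common():
        octets = trailing_octets(ws)
        hosts = sorted(name for name, ip in candidates.items()
                       if tuple(ipaddress.IPv4Address(ip).packed[2:]) == octets)
        report.append({"workstation": ws, "user": user,
                       "failures": count, "hosts": hosts})
    return report

if __name__ == "__main__":
    for entry in summarize(SAMPLE_CSV, CANDIDATES):
        print(entry)
```

A host that matches is a place to check for stale stored credentials, such as the PassiveID domain controller settings named in the accepted solution.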