
constant AD authentication failures JCIFS from ISE server

hiker88
Beginner

We are seeing thousands of authentication failures with the "source IP" of the ISE server. The username every time is "administrator" and the workstation is "JCIFS141.20_C9". I suspected, and confirmed from a post on Microsoft communities, that the last part of the name is the last part of the machine's IP address. (Tracking Account Lockout from JCIFS?)

Would ISE be generating these connections (I doubt it), or, more likely I would think, are these auth failures coming from some endpoint device on the network? I am having a really hard time filtering through the ISE dashboards in an attempt to narrow down where these might be coming from. The only rejected endpoints in ISE are due to error 15039. After some cursory reading of the ISE documentation, that seems more like an ISE profile rejection than an AD auth failure.

Can I generate any report in ISE to show which endpoint is experiencing a high amount of AD auth failures with a particular username?

1 ACCEPTED SOLUTION


cumminsdm
Beginner

While I can't be certain in your case, my issue turned out to be the credentials that were stored in the PassiveID Domain Controllers settings.

 

Administration > Identity Management > External Identity Sources > Active Directory > join point of your domain > Passive ID > then select a DC and Edit, updating your credentials.

 

In my case, we don't need to use Passive ID at the moment, and I've disabled the feature entirely on our policy nodes.  After doing this, the logs (in Splunk for "JCIFSxxx Failure") report no more incidents of my domain credentials being rejected, thus no longer triggering an account lockout.

 

Cheers,

Daniel 


3 REPLIES 3

hslai
Cisco Employee

Go to [Operations > Reports > Reports > Diagnostics > RADIUS Errors] and filter on failure Reason with "Active Directory" and on Identity with the username.

cumminsdm is likely right or it could also be due to integrating SCCM with ISE. See also 

AD account is getting locked from Domain controller
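
The question's observation that the JCIFS workstation name carries the last part of the sending machine's IP address can be turned into a triage step. The following is an added example, not part of the original thread and not Cisco or Microsoft code. It assumes the name layout seen in the question ("JCIFS", two numbers, a hex suffix), that the two numbers are the third and fourth IPv4 octets, and that the separator may be "." or "_"; the failure records, host names and addresses are constructed.

```python
import re
from collections import Counter

# Constructed failure records (user, workstation); not real log data.
SAMPLE_FAILURES = [
    ("administrator", "JCIFS141.20_C9"),
    ("administrator", "JCIFS141.20_C9"),
    ("jdoe", "WS-0042"),
    ("administrator", "JCIFS141.20_C9"),
]

# Hypothetical inventory of hosts that talk to AD: name -> IPv4 address.
CANDIDATE_HOSTS = {
    "ise-psn-1": "10.1.141.20",
    "ise-psn-2": "10.1.141.21",
    "sccm-1": "10.1.7.15",
}

# Assumed layout: "JCIFS" + octet + "." or "_" + octet + "_" + hex suffix.
WORKSTATION_RE = re.compile(r"^JCIFS(\d{1,3})[._](\d{1,3})_[0-9A-Fa-f]+$")


def decode_workstation(name):
    """Return (third_octet, fourth_octet), or None if the name is not JCIFS-style."""
    m = WORKSTATION_RE.match(name)
    if not m:
        return None
    o3, o4 = int(m.group(1)), int(m.group(2))
    if o3 > 255 or o4 > 255:
        return None  # not valid IPv4 octets
    return (o3, o4)


def match_hosts(name, hosts):
    """List inventory hosts whose last two IP octets match the workstation name."""
    octets = decode_workstation(name)
    if octets is None:
        return []
    return sorted(h for h, ip in hosts.items()
                  if tuple(int(p) for p in ip.split(".")[2:]) == octets)


def summarize(failures, hosts):
    """Count failures per (user, workstation), busiest first, with host matches."""
    counts = Counter(failures)
    return [(u, w, n, match_hosts(w, hosts)) for (u, w), n in counts.most_common()]


if __name__ == "__main__":
    for row in summarize(SAMPLE_FAILURES, CANDIDATE_HOSTS):
        print(row)
```

A match only narrows the search to hosts sharing those two octets; confirm the sender against the source address recorded with the failure.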
