Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2794
Views
0
Helpful
3
Replies

constant AD authentication failures JCIFS from ISE server

Go to solution
hiker88
Level 1
Level 1

‎05-05-2018 10:48 AM

We are seeing thousands of authentication failures with the "source IP" of the ISE server. The username every time is "administrator" and the workstation is "JCIFS141.20_C9". I suspected, and confirmed from a post on Microsoft communities that the last part of the name are the last part of the machines IP address.  (Tracking Account Lockout from JCIFS?)

would ISE be generating these connections (I doubt it) or more likely, I would think, these auth failures are coming from some device endpoint device on the network. I am having a really hard time filtering through the ISE dashboards in an attempt to narrow down where these might be coming from. The only rejected endpoints in ISE are due to error 15039. After some cursory reading over ISE documentation that seems more like an ISE profile rejection rather than  AD auth failure.

Can I generate any report in ISE to show which endpoint is experiencing a high amount of AD auth failures with a particular username?

6 people had this problem
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
cumminsdm
Level 1
Level 1

‎02-13-2019 12:00 PM - edited ‎02-13-2019 12:00 PM

While I can't be certain in your case, my issue turned out to be the credentials that were stored in the PassiveID Domain Controllers settings.

 

Administration > Identity Management > External Identity Sources > Active Directory > join point of your domain > Passive ID > then select a DC and Edit, updating your credentials.

 

In my case, we don't need to use Passive ID at the moment, and I've disabled the feature entirely on our policy nodes.  After doing this, the logs (in Splunk for "JCIFSxxx Failure") report no more incidents of my domain credentials being rejected, thus no longer triggering an account lockout.

 

Cheers,

Daniel 

View solution in original post

0 Helpful
3 Replies 3

Go to solution
hslai
Cisco Employee
Cisco Employee

‎05-07-2018 10:09 AM

Go to [Operations > Reports > Reports > Diagnostics > RADIUS Errors] and filter on failure Reason with "Active Directory" and on Identity with the username.

0 Helpful

Go to solution
cumminsdm
Level 1
Level 1

‎02-13-2019 12:00 PM - edited ‎02-13-2019 12:00 PM

While I can't be certain in your case, my issue turned out to be the credentials that were stored in the PassiveID Domain Controllers settings.

 

Administration > Identity Management > External Identity Sources > Active Directory > join point of your domain > Passive ID > then select a DC and Edit, updating your credentials.

 

In my case, we don't need to use Passive ID at the moment, and I've disabled the feature entirely on our policy nodes.  After doing this, the logs (in Splunk for "JCIFSxxx Failure") report no more incidents of my domain credentials being rejected, thus no longer triggering an account lockout.

 

Cheers,

Daniel 

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to cumminsdm

‎02-16-2019 12:37 PM

cumminsdm is likely right or it could also be due to integrating SCCM with ISE. See also 

AD account is getting locked from Domain controller

0 Helpful
Customers Also Viewed These Support Documents