cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1824
Views
8
Helpful
8
Replies

Intermittent AD Authentication failures in ISE 1.2

jcarrabine1
Level 1
Level 1

          Starting today I was getting intermittent authentication failures in ISE. It would say that the user was not found in the selected identity store. The account is there though. At one point I ran a authetication test from the external identity source menu and I got a failure and then the next time a pass. I have no idea why this is happening. I just updated to ISE 1.2 the other day. I'm also seeing what looks like a high level of latency on both of my PSN's. Is this normal?  Any ideas?

Thanks

Jef

8 Replies 8

Ravi Singh
Level 7
Level 7

I would suggest you to check the Network connectivity between devices. Also check the AD id properly connected to ISE and groups are listed in ISE.

Kevin P Sheahan
Level 5
Level 5

I have experienced this same issue very recently. At the time, the AD server to which I was authenticating was being overrun with multicast flows due to a configuration error caused when another engineer was troubleshooting multicast.

Moral of the story: don't just look at ISE as the possible culprit, check out the AD server as well to ensure that it has both the appropriate resources and isn't being adversely affected by another network-related issue.

Kind Regards,

Kevin

**Please remember to rate helpful posts as well as mark the question as 'answered' once your issue is resolved. This will help others to find your solution faster.

Kind Regards, Kevin Sheahan, CCIE # 41349

Interesting. I have one location that is not having this problem at all. The other is having it somewhat frequently. The PSN's for each location are tied to the local AD servers. I have not had this until we started getting 300-380 PC's connecting. We are a school so we are slowly getting started. It's real random. One user will work then another time they won't. Happens with admin and user. I have notices that with this new version of ISE it is complaining that it is getting accounting updates from the NAS too often, but I have not looked into this because I just installed 1.2 about 3-4 days ago and haven't had time to look into it.

When you say Multicast to you AD...how did you check that? We do use multicast.

Saurav Lodh
Level 7
Level 7

Please try rejoining the ISE with AD, hope it helps

I was thinking of trying this, but have not. My though was that it was connected, and most of the time performing authentications.

Venkatesh Attuluri
Cisco Employee
Cisco Employee

Check your latency values with ISE bandwith and latency calculator

Minimum bandwidth bt Mnt and PSN 1 Mbps

Minimum bandwidth bt Mnt and Admin 256 Kbps

Minimum bandwidth between Admin and PSN 256 Kbps

test aaa group radius new-code

Check for these  to help narrow the focus of the potential problem with RADIUS

   Connect port

• Connect NAD IP address

• Connect Policy Service ISE node IP address

• Correct server key

• Recognized username or password

• Connectivity between the NAD and Policy Service ISE node

Muhammad Munir
Level 5
Level 5

Hi

Please check whether the subject is present in any one of the chosen identity stores. Note that some identity stores may have been skipped if they do not support the current authentication protocol.

Make sure the authentication policy points to correct identity store. For authentication in a Microsoft Windows network with multiple domains, make sure that the supplicant is appending the domain suffix (For users: administrator@example.com, for machines: winxp.example.com).

Jacob Snyder
Level 5
Level 5

I've also just had where one of multiple AD servers was not working and required a reboot.

Sent from Cisco Technical Support iPhone App

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: