cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
644
Views
0
Helpful
4
Replies

ISE 1.2.1 AD machine authent fails

preston trogden
Level 1
Level 1

We put ISE into bypass mode due to the 2012 R2 issue and after upgrading to 1.2.1 in ISE, and taking it out of bypass. i am seeing machines fail due to either "supplicant stopped responding" or it fails saying not found in Identity Stores. The only thing that fixes it is an auth open on the port. at first they would report the MAC as the username instead of the Machine name. Now i see them reporting the machine name correctly but with a fail message of "supplicant stopped responding". TAC has said its a local machine problem or GPO but nothing has changed on either one of those, the only change was ISE. I did as he suggested, stop/started wired auto config, no change, also downloaded some hotfixes from MS for various EAP issues, no change.

What ever info you need, let me know. i know this is a huge area to try to troubleshoot.

4 Replies 4

nspasov
Cisco Employee
Cisco Employee

Will need some more info:

1. What type of authentication are you performing? (EAP-PEAP, EAP-TLS, etc?)

2. Can you post screen shots with the supplicant's configuration

3. Screen shots of the failed authentication detailed screen

4. Screen shot or export of your authentication/authorization rules

5. What is the status of ISE's connection to AD? I have seen it go to joined but disconnected after upgrade

 

Thank you for rating helpful posts!

Thank you for rating helpful posts!

I'm almost sure this is a Windows problem or a physical cabling problem. I was troubleshooting such issues for a long time.

 

The only thing that fixes it is an auth open on the port. at first they would report the MAC as the username instead of the Machine name.

This means MAB process started because no EAP frame arrived.

http://support.microsoft.com/kb/980295/en-us - works for me!

manjeets
Level 3
Level 3

Here is the helpful video :

http://www.youtube.com/watch?v=bjH99xKepLY