cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2611
Views
0
Helpful
8
Replies

ISE 1.2 - 24492 Machine authentication against AD has failed

Nicholas Poole
Level 1
Level 1

Currently experiencing a machine authentication problem between ISE 1.2 patch 2 and a customer AD installation.

AuthZ policy is set to match agains /Users/Domain Computers and /Users Domain Users.  User authentication works, machine auth doesnt.

Machine authentication box is ticked.

If you try to disable an AD machine, or try a machine not in the domain you get the appropriate different response in the ISE logs which sugests it has the right access into AD to check this info.

This happens on all computers, both WinXP and Win7 corporate builds.

I know its not an ISE policy configuration as I have resorted to testing the same ISE against a vanilla lab AD environment with the same AD domain name (just by changing the DNS servers ISE uses) and the computer lookup works!

Anybody got any ideas?

thanks.

8 Replies 8

Nicholas Poole
Level 1
Level 1

TAC think we might have hit a bug like this: CSCui55934, ACS 5.4 Centrify cannot find machine with DNS suffix not on DC Groups.  As ISE and ACS5 both use the same Centrify clients

Can you post a screenshot and an example of how this is failing, are you using eap-tls or peap for machine authentication?

Thanks,

Tarik Admani
*Please rate helpful posts*

Using PEAP, will post screenshot.

TACs latest update is that this isnt the split domain issue as listed in the above posted bug number, but possibly a new bug.  Awaiting a call with TAC for full update.

Can you tell me the TAC case number you have this issue under so that my TAC engineer can investigate as well?

I am in the process of upgrading from 1.1.2.145 patch-3 to 1.2 patch-3 and we're also using machine authentication integrating with AD.  This really freaks me out.

The situation has evolved.  It looks like the output error of 24492 is not appropriate.  It is not authentication (as that happened above) but getting attributes for the host for use in authorization.  The AD get group/attrib action invokes a root domain Global Catalgue query.  This query fails due to 1) the centrify query process and/or error handling isnt ideal, 2) the clients DNS servers arent providing responses to all possible GC queries.

Still ongoing, but, it has a big dose of "Keep it simple stupid" all over this one ;-)

blenka
Level 3
Level 3
24492External-Active-DirectoryMachine   authentication against Active Directory has failedMachine   authentication against Active Directory has failed.Error

Please check NTP is in sync or not  ISE