Currently experiencing a machine authentication problem between ISE 1.2 patch 2 and a customer AD installation.
AuthZ policy is set to match against /Users/Domain Computers and /Users/Domain Users. User authentication works, machine auth doesn't.
Machine authentication box is ticked.
If you try to disable an AD machine, or try a machine not in the domain, you get the appropriate different response in the ISE logs, which suggests it has the right access into AD to check this info.
This happens on all computers, both WinXP and Win7 corporate builds.
I know it's not an ISE policy configuration, as I have resorted to testing the same ISE against a vanilla lab AD environment with the same AD domain name (just by changing the DNS servers ISE uses) and the computer lookup works!
Anybody got any ideas?
TAC think we might have hit a bug like this: CSCui55934, "ACS 5.4 Centrify cannot find machine with DNS suffix not on DC Groups", as ISE and ACS5 both use the same Centrify clients.
Can you post a screenshot and an example of how this is failing? Are you using EAP-TLS or PEAP for machine authentication?
TAC's latest update is that this isn't the split-domain issue listed in the bug number posted above, but possibly a new bug. Awaiting a call with TAC for a full update.
Can you tell me the TAC case number you have this issue under so that my TAC engineer can investigate as well?
I am in the process of upgrading from 220.127.116.11 patch-3 to 1.2 patch-3 and we're also using machine authentication integrating with AD. This really freaks me out.
The situation has evolved. It looks like the output error of 24492 is not appropriate. It is not authentication (as that happened above) but getting attributes for the host for use in authorization. The AD get group/attribute action invokes a root domain Global Catalogue query. This query fails due to 1) the Centrify query process and/or error handling isn't ideal, 2) the client's DNS servers aren't providing responses to all possible GC queries.
Still ongoing, but, it has a big dose of "Keep it simple stupid" all over this one ;-)
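The update above puts the failure in the root-domain Global Catalogue lookup rather than in authentication itself, and the earlier test showed that pointing ISE at different DNS servers makes the computer lookup work. The script below is an added example, not code from this thread or from Cisco or Centrify; it checks, for each DNS server ISE would use, whether the two forest-wide GC locator SRV records (`_ldap._tcp.gc._msdcs.<forest root>` and `_gc._tcp.<forest root>`) are answered, using a minimal SRV query over UDP with only the Python standard library. The forest name `corp.example`, the server labels `lab-dns` and `customer-dns`, and the `fake_query` stand-in are constructed so the demonstration runs offline.

```python
import random
import socket
import struct

SRV = 33  # DNS record type number for SRV

def encode_name(name):
    """Wire-encode a DNS name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_srv_query(name, txid=0x1234):
    """Standard recursive query (RD set) for one SRV record."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", SRV, 1)

def read_name(data, offset):
    """Decode a possibly-compressed name; returns (name, offset after it)."""
    labels, end = [], None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we were
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset

def parse_srv_answers(data):
    """Return (rcode, [(priority, weight, port, target), ...]) from a response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = read_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        _, offset = read_name(data, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == SRV:
            prio, weight, port = struct.unpack("!HHH", data[offset:offset + 6])
            answers.append((prio, weight, port, read_name(data, offset + 6)[0]))
        offset += rdlen
    return flags & 0x000F, answers

def build_srv_response(name, records, rcode=0, txid=0x1234):
    """Construct a response packet; used only for the offline demonstration and tests."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(records), 0, 0)
    body = encode_name(name) + struct.pack("!HH", SRV, 1)
    for prio, weight, port, target in records:
        rdata = struct.pack("!HHH", prio, weight, port) + encode_name(target)
        body += b"\xc0\x0c" + struct.pack("!HHIH", SRV, 1, 600, len(rdata)) + rdata
    return header + body

def query_srv(server, name, timeout=2.0):
    """Send one SRV query over UDP to `server`; (None, []) on timeout or mismatched ID."""
    txid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_srv_query(name, txid), (server, 53))
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None, []
    if struct.unpack("!H", data[:2])[0] != txid:
        return None, []
    return parse_srv_answers(data)

def gc_record_names(forest_root):
    """Forest-wide GC locator records (site-specific variants exist as well)."""
    return ["_ldap._tcp.gc._msdcs." + forest_root, "_gc._tcp." + forest_root]

def check_gc_records(forest_root, servers, query=query_srv):
    """{server: {srv_name: [targets]}}; an empty list means no usable answer from that server."""
    report = {}
    for server in servers:
        report[server] = {}
        for name in gc_record_names(forest_root):
            rcode, answers = query(server, name)
            report[server][name] = sorted(a[3] for a in answers) if rcode == 0 else []
    return report

def fake_query(server, name):
    """Constructed stand-in for query_srv: 'lab-dns' answers everything,
    'customer-dns' returns NXDOMAIN for the _msdcs GC record."""
    if server == "customer-dns" and name.startswith("_ldap._tcp.gc._msdcs."):
        return parse_srv_answers(build_srv_response(name, [], rcode=3))
    return parse_srv_answers(build_srv_response(name, [(0, 100, 3268, "dc1.corp.example")]))

if __name__ == "__main__":  # usage: gc_dns_check.py <forest-root> <dns-server> [<dns-server> ...]
    import sys
    report = check_gc_records(sys.argv[1], sys.argv[2:]) if len(sys.argv) >= 3 \
        else check_gc_records("corp.example", ["lab-dns", "customer-dns"], query=fake_query)
    for server, names in report.items():
        for name, targets in names.items():
            print(f"{server:14s} {name:40s} {targets or 'NO ANSWER'}")
```

Run it with the forest root and both the customer's DNS servers and the lab DNS server that made the lookup work; a server that answers `_gc._tcp.<forest>` but not `_ldap._tcp.gc._msdcs.<forest>` (or times out on either) is the one to fix, since that is what the group/attribute retrieval depends on. The check deliberately queries the forest root, not the machine's own domain, because that is where the GC records live.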
Code | Category | Message | Description | Severity
24492 | External-Active-Directory | Machine authentication against Active Directory has failed | Machine authentication against Active Directory has failed. | Error
Please check whether NTP is in sync on ISE.