10-25-2013 02:39 AM - last edited on 03-25-2019 05:31 PM by ciscomoderator
Currently experiencing a machine authentication problem between ISE 1.2 patch 2 and a customer AD installation.
AuthZ policy is set to match against /Users/Domain Computers and /Users/Domain Users. User authentication works, machine auth doesn't.
Machine authentication box is ticked.
If you try to disable an AD machine, or try a machine not in the domain, you get the appropriate different response in the ISE logs, which suggests it has the right access into AD to check this info.
This happens on all computers, both WinXP and Win7 corporate builds.
I know it's not an ISE policy configuration, as I have resorted to testing the same ISE against a vanilla lab AD environment with the same AD domain name (just by changing the DNS servers ISE uses) and the computer lookup works!
Anybody got any ideas?
Thanks.
10-25-2013 07:26 AM
TAC think we might have hit a bug like this: CSCui55934, "ACS 5.4 Centrify cannot find machine with DNS suffix not on DC Groups", as ISE and ACS5 both use the same Centrify clients.
10-27-2013 12:17 AM
Can you post a screenshot and an example of how this is failing? Are you using EAP-TLS or PEAP for machine authentication?
Thanks,
Tarik Admani
*Please rate helpful posts*
10-28-2013 03:30 AM
Using PEAP, will post screenshot.
10-28-2013 03:51 AM
10-28-2013 04:14 AM
TAC's latest update is that this isn't the split domain issue as listed in the above posted bug number, but possibly a new bug. Awaiting a call with TAC for a full update.
10-29-2013 02:51 AM
Can you tell me the TAC case number you have this issue under so that my TAC engineer can investigate as well?
I am in the process of upgrading from 1.1.2.145 patch-3 to 1.2 patch-3 and we're also using machine authentication integrating with AD. This really freaks me out.
10-29-2013 08:18 AM
The situation has evolved. It looks like the output error of 24492 is not appropriate. It is not authentication (as that happened above) but getting attributes for the host for use in authorization. The AD get group/attribute action invokes a root domain Global Catalogue query. This query fails due to 1) the Centrify query process and/or error handling isn't ideal, 2) the client's DNS servers aren't providing responses to all possible GC queries.
Still ongoing, but it has a big dose of "Keep it simple, stupid" all over this one ;-)
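The root cause described above, that the DNS servers ISE uses do not answer the SRV lookups a forest-root Global Catalogue query depends on, can be checked from any host with `dig`. This is an added diagnostic, not Cisco's or Centrify's code; it assumes the standard AD SRV record names, placeholder domain/forest names and DNS server addresses, and a `dig` binary on the PATH.

```python
import subprocess
from typing import Callable, Dict, List


def required_srv_names(domain: str, forest_root: str) -> List[str]:
    """Standard AD SRV records a client needs: domain-level DC/LDAP/Kerberos
    records plus the Global Catalog records, which live under the forest root."""
    domain = domain.rstrip(".").lower()
    forest_root = forest_root.rstrip(".").lower()
    names = [
        f"_ldap._tcp.{domain}",
        f"_ldap._tcp.dc._msdcs.{domain}",
        f"_kerberos._tcp.{domain}",
        f"_gc._tcp.{forest_root}",
        f"_ldap._tcp.gc._msdcs.{forest_root}",
    ]
    return list(dict.fromkeys(names))  # de-duplicate when domain == forest root


def parse_dig_srv(text: str) -> List[str]:
    """Extract SRV targets from `dig +short SRV` output ("prio weight port target")."""
    targets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2].isdigit():
            targets.append(parts[3].rstrip("."))
    return targets


def dig_srv(name: str, server: str) -> List[str]:
    """Query one DNS server for one SRV record; an empty list means no answer."""
    proc = subprocess.run(
        ["dig", "+short", "+time=3", "+tries=1", "SRV", name, f"@{server}"],
        capture_output=True, text=True, check=False,
    )
    return parse_dig_srv(proc.stdout)


def check_gc_dns(domain: str, forest_root: str, servers: List[str],
                 lookup: Callable[[str, str], List[str]] = dig_srv) -> Dict[str, List[str]]:
    """For each DNS server, list the required SRV names it fails to answer."""
    return {
        server: [n for n in required_srv_names(domain, forest_root) if not lookup(n, server)]
        for server in servers
    }


if __name__ == "__main__":
    # Placeholder names: substitute the customer's domain, forest root and the DNS servers ISE uses.
    for srv, missing in check_gc_dns("child.corp.example", "corp.example", ["10.0.0.53"]).items():
        print(srv, "OK" if not missing else "missing: " + ", ".join(missing))
```

A server that answers the domain-level records but not the `_gc._tcp` forest-root record is exactly the split seen in the thread: user lookups succeed while the host attribute fetch fails.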
10-30-2013 03:52 PM
24492 | External-Active-Directory | Machine authentication against Active Directory has failed | Machine authentication against Active Directory has failed. | Error |
Please check whether NTP is in sync on ISE.