Solved: ISE 2.4 patch 4 - Authentication Domain Server is not available

walwar · ‎10-23-2018

Hello,

We have two ISE nodes primary/secondary that are connected to our AD and everything works fine, except the patches. When I installed patch 1 to 3, Network Resources were on read mode for me with my AD login, but it worked fine with local admin user. Now this is fixed in patch 4 BUT and there is a big BUT, I can't login with my AD account, I get the following.

Authentication Domain Server is not available

Anyone has any clue? It might be a bug, but I didn't find anything.

Best,

W

pan · ‎10-29-2018

You would be hitting below bug: CSCvm93698

View solution in original post

sjones75 · ‎10-23-2018

Just a FYI, I had the same issue with patch 4. AD authentication stopped working. AD connector was running and the diagnostic tool passed all tests. Authentication logs showed "Failure Reason - Subject not found in the applicable identity stores(s)". I left and rejoined the domain, but still failed AD authentication. I didn't have time to troubleshoot further, so ended up rolling back the patch. AD worked fine again after the rollback.

Jason Kunst · ‎10-23-2018

Please call the tac

walwar · ‎10-23-2018

I might open a TAC case and troubleshoot this but in the meanwhile I will proceed with the installation for out client with patch 4. Do you have any issues with patch 3? Do you see your network devices in the network recourses? Can you edit, add and remove? For me in patch 3, the entire section was on read for me (everything was greyed out) and I didn't see my network devices, it only stated that there is "17" network devices, but the devices was not visible.

hslai · ‎10-24-2018

It's important to open a TAC case so TAC may help gathering the debug logs and possible recreate.

Your deployment seems to have two issues.

Prior to Patch 4, it has a data access issue.
- Is your AD user using a custom admin group or one of the default ones or matching more than one admin groups? If you are using either a custom admin group or matching more than one admin groups, try using the default "Super Admin".
With Patch 4, an AD user unable to login to ISE admin web UI.
- For this issue, we definitely need debug logs.

walwar · ‎10-25-2018

Thank you guys for the replies.

I will try to open the case as soon as I can (for now we have rolled back to patch 3), I understand that this should be addressed and solved.

We used a custom admin group and it worked like I mentioned perfectly fine. The permissions for the custom group is the same as the default "Super Admin" and this issue is only in patch 4, in patch 1 to 3 it works fine.

Needless to say, the more I work with the product the more in love I fall :D

walwar · ‎10-29-2018

I've now opened a TAC case and will be updating this thread once I have more info.

pan · ‎10-29-2018

You would be hitting below bug: CSCvm93698

walwar · ‎10-29-2018

Yeah, it seems like it, but I will wait for TAC to confirm it.

hslai · ‎10-29-2018

A small clarification -- The regression bug CSCvm93698 is due to the fix for CSCvk13569 included in both ISE 2.4 Patch 4 and 2.2 Patch 11.