ISE 2.7 authentication against DC with test account

georgip
Level 1

The primary ISE node is constantly trying to authenticate a test account against multiple domain controllers.

Active Directory is configured, and all nodes are joined to the domain controllers and operational.

Accepted Solution

Yes, the traffic would come from ISE since ISE does the lookup. However, if you have a Network Device that is using a test account (maybe used at the time of configuring this switch/controller/etc.) to test the connection to the RADIUS server, then unless ISE has a test user and Internal Users is queried before AD Join Points, this is the expected behavior.

Filter the RADIUS Live Logs on the Identity of test to see if that user is shown. If so, look for the value in the Network Devices column. Note that the Network Device shown could be more than one if multiple NADs are configured in this manner.

If not, then you could always create a test user in ISE and, in the 802.1x Policy Set, change the Identity Source Sequence to Internal Users before any AD Join Points. If the queries stop, it's a network device.

Do this for wired connections first (switches/ASAs/etc.). If it doesn't stop, then do it for wireless connections (controllers/APs/etc.).

Of course, without knowing the password of the test user that is trying, ISE could move on to the next Identity Store. So if you DO NOT know the password for this account, create a new Policy Set with the condition being RADIUS·User-Name EQUALS test. This will show the NAD that is sending the tests.

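As an added example (not from the original post, and not Cisco or ISE code), the script below does offline what the answer suggests doing in the RADIUS Live Logs UI: it reads authentication log lines, keeps only the failures for the test identity, and groups them by NAS-IP-Address and NAS-Identifier so the network device sending the credentials stands out. It also reports the spacing between consecutive attempts per device, since a fixed interval is what a scripted RADIUS connectivity test from a switch or controller looks like. The sample lines are constructed in a simple key=value style and are not real ISE syslog; the field names, event tags and addresses are assumptions for the example.

```python
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log lines (not real ISE output). Format assumed here:
#   <timestamp> <ise-node> <AUTH_PASS|AUTH_FAIL> key=value, key=value, ...
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z ise-pan1 AUTH_FAIL UserName=test, NAS-IP-Address=10.10.20.5, NAS-Identifier=core-sw01, IdentityStore=AD-JoinPoint, Reason=Wrong password",
    "2024-05-01T10:00:31Z ise-pan1 AUTH_FAIL UserName=test, NAS-IP-Address=10.10.20.5, NAS-Identifier=core-sw01, IdentityStore=AD-JoinPoint, Reason=Wrong password",
    "2024-05-01T10:00:45Z ise-pan1 AUTH_PASS UserName=jdoe, NAS-IP-Address=10.10.30.9, NAS-Identifier=wlc01, IdentityStore=AD-JoinPoint, Reason=Success",
    "2024-05-01T10:01:01Z ise-pan1 AUTH_FAIL UserName=test, NAS-IP-Address=10.10.20.5, NAS-Identifier=core-sw01, IdentityStore=AD-JoinPoint, Reason=Wrong password",
    "2024-05-01T10:01:02Z ise-pan1 AUTH_FAIL UserName=test, NAS-IP-Address=10.10.40.2, NAS-Identifier=asa-edge, IdentityStore=AD-JoinPoint, Reason=Wrong password",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<event>AUTH_\w+)\s+(?P<attrs>.*)$")


def parse_line(line):
    """Parse one constructed log line into a dict; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "event": m.group("event")}
    for pair in m.group("attrs").split(", "):
        key, _, value = pair.partition("=")
        if key:
            rec[key.strip()] = value.strip()
    return rec


def _parse_ts(ts):
    # fromisoformat() only accepts a trailing "Z" on newer Pythons, so normalise it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def failed_auths_by_nad(lines, username):
    """Count AUTH_FAIL events for `username` per (NAS-IP-Address, NAS-Identifier).

    Returns (counts, first_seen): counts is a Counter keyed by NAD, first_seen maps
    each NAD to the timestamp of its earliest failure. This is the offline equivalent
    of filtering Live Logs on Identity and reading the Network Device column.
    """
    counts = Counter()
    first_seen = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["event"] != "AUTH_FAIL" or rec.get("UserName") != username:
            continue
        nad = (rec.get("NAS-IP-Address", "?"), rec.get("NAS-Identifier", "?"))
        counts[nad] += 1
        first_seen.setdefault(nad, rec["ts"])
    return counts, first_seen


def attempt_interval_seconds(lines, username):
    """Median gap (seconds) between consecutive failures per NAD, or None if fewer than two.

    A steady gap (e.g. every 30 s) points at a periodic RADIUS test configured on the
    device rather than a person typing a password.
    """
    stamps = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["event"] != "AUTH_FAIL" or rec.get("UserName") != username:
            continue
        nad = (rec.get("NAS-IP-Address", "?"), rec.get("NAS-Identifier", "?"))
        stamps[nad].append(_parse_ts(rec["ts"]))
    result = {}
    for nad, times in stamps.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        result[nad] = statistics.median(gaps) if gaps else None
    return result


def report(lines, username="test"):
    """Return report rows sorted by failure count, highest first."""
    counts, first_seen = failed_auths_by_nad(lines, username)
    gaps = attempt_interval_seconds(lines, username)
    return [
        {"nas_ip": nad[0], "nas_id": nad[1], "failures": n,
         "first_seen": first_seen[nad], "median_gap_s": gaps[nad]}
        for nad, n in counts.most_common()
    ]


if __name__ == "__main__":
    for row in report(SAMPLE_LOGS):
        print(row)
```

Point the script at an export of the Live Logs (or syslog forwarded from ISE) after adapting `LINE_RE` and the attribute names to the real format; the device with the most failures and a fixed `median_gap_s` is the NAD to look at first, which mirrors the wired-first, then-wireless elimination the answer describes.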

3 Replies

Is it actually ISE doing the authentication?  Or is it a network device pointed to ISE and then ISE is querying AD for that username?

From the source IP address, the traffic comes from the primary ISE node. The domain controller associated with this primary ISE node is only one, but the target DCs that log this failed attempt are multiple, according to the SOC and FW teams.
