cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1718
Views
0
Helpful
2
Replies
superduperlopez
Beginner

ISE and AD synchronization

Hi all,

Just wondering if any one would know the answer to this one...

We have ISE linked to AD...all working well, however, when a user is given a certificate, the user won't be able to connect to the (wireless) network due to certificate problems.....after 1/2 hour to an hour, the user will be able to authenticate successfuly....without any futher intervention from IT Support.

Seems like ISE to AD sync issue.....does anyone know how often does the ISE pulls AD for information....?

Thanks in advance.

UUmmmm thinking about this though, ISE should check the User "state" in AD every time the user tries to Authenticate....so could we possibly be talking about an AD replication issue here instead of ISE to AD???

2 REPLIES 2
jw.sl9
Beginner

If you check your Authentiction details.  You will probably see no certificate found for the user. There is an issue with distributed AD environments:

In a distributed environment, a delay occurs before any domain  controller has received the certificates and CRLs through Active  Directory replication. The delay will vary depending on the Active  Directory environment configuration.

So I'd ask the AD guys, what replication type and schedule are they running? This can be troubleshot watching the Published Certificates tab of the user record.  Open and close the record while enrolling and after to see when it shows up.

What you should see is something like this in ISE record details, Steps section:

12811  Extracted TLS Certificate message containing client certificate

12812  Extracted TLS ClientKeyExchange message

12813  Extracted TLS CertificateVerify message

12804  Extracted TLS Finished message

12801  Prepared TLS ChangeCipherSpec message

12802  Prepared TLS Finished message

12816  TLS handshake succeeded

12509  EAP-TLS full handshake finished successfully

12505  Prepared EAP-Request with another EAP-TLS challenge

11006  Returned RADIUS Access-Challenge

11001  Received RADIUS Access-Request

11018  RADIUS is re-using an existing session

12504  Extracted EAP-Response containing EAP-TLS challenge-response

Evaluating Identity Policy

15048  Queried PIP

15048  Queried PIP

15004  Matched rule

22037  Authentication Passed

12506  EAP-TLS authentication succeeded

11503  Prepared EAP-Success

As far as your question:

does anyone know how often does the ISE pulls AD for information....?

It only "Pulls" information when you populate the AD dictionary (Groups and/or User attributes) in External Identities.

As far as how often if performs a lookup. It performs a lookup for every authentication as required and every processing of an Authorization Policy rule that requires a reference to that specifc rule. (think of multiple situations for processing rules which in turn would result in CoA processings for the session)

So your comment:

UUmmmm thinking about this though, ISE should check the User "state" in  AD every time the user tries to Authenticate....so could we possibly be  talking about an AD replication issue here instead of ISE to AD???

good troubleshooting /thinking!

I hope you find this answer useful, if it was satisfactory  for you, please mark the question as Answered.

Please rate post you consider useful.
-James


I hope you find this information useful, if it was satisfactory for you, please mark the question as Answered. Please rate post you consider useful. -James
Content for Community-Ad