12-05-2012 06:59 AM - edited 03-10-2019 07:51 PM
Hi all,
Just wondering if anyone would know the answer to this one...
We have ISE linked to AD...all working well, however, when a user is given a certificate, the user won't be able to connect to the (wireless) network due to certificate problems.....after 1/2 hour to an hour, the user will be able to authenticate successfully....without any further intervention from IT Support.
Seems like an ISE to AD sync issue.....does anyone know how often the ISE pulls AD for information....?
Thanks in advance.
UUmmmm thinking about this though, ISE should check the User "state" in AD every time the user tries to Authenticate....so could we possibly be talking about an AD replication issue here instead of ISE to AD???
12-05-2012 10:07 AM
If you check your Authentication details, you will probably see "no certificate found" for the user. There is an issue with distributed AD environments:
In a distributed environment, a delay occurs before any domain controller has received the certificates and CRLs through Active Directory replication. The delay will vary depending on the Active Directory environment configuration.
So I'd ask the AD guys what replication type and schedule they are running. This can be troubleshot by watching the Published Certificates tab of the user record. Open and close the record while enrolling and after to see when it shows up.
What you should see is something like this in ISE record details, Steps section:
12811 Extracted TLS Certificate message containing client certificate
12812 Extracted TLS ClientKeyExchange message
12813 Extracted TLS CertificateVerify message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12509 EAP-TLS full handshake finished successfully
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
Evaluating Identity Policy
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
22037 Authentication Passed
12506 EAP-TLS authentication succeeded
11503 Prepared EAP-Success
As far as your question:
does anyone know how often the ISE pulls AD for information....?
It only "Pulls" information when you populate the AD dictionary (Groups and/or User attributes) in External Identities.
As far as how often it performs a lookup: it performs a lookup for every authentication as required, and for every processing of an Authorization Policy rule that requires a reference to that specific rule. (Think of multiple situations for processing rules which in turn would result in CoA processing for the session.)
So your comment:
UUmmmm thinking about this though, ISE should check the User "state" in AD every time the user tries to Authenticate....so could we possibly be talking about an AD replication issue here instead of ISE to AD???
Good troubleshooting/thinking!
I hope you find this answer useful, if it was satisfactory for you, please mark the question as Answered.
Please rate posts you consider useful.
-James
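The check James describes (opening the Published Certificates tab and watching for the enrolled certificate to appear) can be done against every domain controller at once, which shows directly whether a replication lag is behind the "no certificate found" failures. The script below is an added example, not code from this thread or from Cisco; it assumes the RSAT ActiveDirectory module is installed, that the account running it can read user objects on every DC, and that the sAMAccountName is passed as the placeholder parameter $User. The userCertificate attribute it reads is the one the Published Certificates tab displays.

```powershell
# Added example (not from the thread): list the certificates published on a user
# object as seen by each domain controller, and warn about any certificate that
# has not yet replicated to all of them. $User is a placeholder parameter.
param(
    [Parameter(Mandatory = $true)][string]$User
)
Import-Module ActiveDirectory

$dcs = @(Get-ADDomainController -Filter *)

$report = foreach ($dc in $dcs) {
    try {
        # userCertificate is the multi-valued attribute behind the Published Certificates tab
        $obj = Get-ADUser -Identity $User -Server $dc.HostName -Properties userCertificate -ErrorAction Stop
        $certs = @($obj.userCertificate | ForEach-Object {
            New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$_)
        })
        if ($certs.Count -eq 0) {
            [pscustomobject]@{ DC = $dc.HostName; Thumbprint = '(none published)'; Subject = ''; NotAfter = $null }
        }
        foreach ($c in $certs) {
            [pscustomobject]@{
                DC         = $dc.HostName
                Thumbprint = $c.Thumbprint
                Subject    = $c.Subject
                NotAfter   = $c.NotAfter
            }
        }
    } catch {
        # A DC that cannot be queried is reported rather than silently skipped
        [pscustomobject]@{ DC = $dc.HostName; Thumbprint = "ERROR: $($_.Exception.Message)"; Subject = ''; NotAfter = $null }
    }
}

$report | Sort-Object Thumbprint, DC | Format-Table -AutoSize

# A thumbprint that is missing on some DCs has not finished replicating; an EAP-TLS
# lookup that lands on one of those DCs will not find the user's certificate yet.
$report |
    Where-Object { $_.Thumbprint -notlike 'ERROR*' -and $_.Thumbprint -ne '(none published)' } |
    Group-Object Thumbprint |
    Where-Object { $_.Count -lt $dcs.Count } |
    ForEach-Object {
        Write-Warning "Certificate $($_.Name) is present on only $($_.Count) of $($dcs.Count) domain controllers"
    }
```

Run it once right after enrolment and again a few minutes later; the moment the warnings disappear is the point at which ISE can find the certificate regardless of which DC answers its lookup, which is the delay the original poster is seeing.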
05-22-2013 03:42 AM
Kindly review the below link:
https://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_2.0/trustsec_2.0_dig.pdf