1241 Views | 1 Helpful | 7 Replies

ise authentication issue (not sure how to title this)

Meuserid1979 (Level 1)

Hi experts,

Our customer deployed a new PSN in country A; the PAN is in country B. When a user from country B visits country A, they can connect to wireless automatically, but when that user returns to country B, the laptop has issues connecting to wireless. The user needs to log off / log in and then it will work.

Wireless is doing both machine and user authentication using AnyConnect EAP Chaining. Anybody has any idea what is going on? Thanks in advance. Not sure yet how to troubleshoot this.

Accepted Solution

Craig Hyps (Level 10)

It certainly looks like an issue related to Machine + User auth and an apparent need to re-trigger machine auth. Unlike MAR, EAP Chaining should handle this more transparently, and I recommend reviewing policy to ensure there is policy for Machine Only vs. User Only in addition to Machine+User. Could be an issue with the machine PAC file used to authenticate in one location / set of PSNs versus those located elsewhere, and the time delta. Is the user simply putting the laptop in sleep/hibernate and reconnecting in the new location? Look to Hsing's advice on reviewing auth detail reports for the failure reason and AC logs.

Craig


7 Replies

hslai (Cisco Employee)

No clue from the ISE auth detail reports? I would suggest getting the AnyConnect DART files from the affected client machines and the approximate time of the failing auth requests, and submitting them to TAC for investigation.


Hi guys, thanks for the reply. I haven't gotten the info yet on whether the users just hibernate/sleep their laptops when travelling from A to B. I'm suspecting that it's due to the MAR timing expiry that triggers the machine needing to re-auth. I'm asking the user for some simulation to trigger the same scenario. Will try to get that DART file as well.

Are you using the AD MAR condition "Network Access:WasMachineAuthenticated EQUALS True", then? EAP Chaining has no need for that.

We may rely on the EAP Chaining conditions, such as:

(Network Access:UseCase EQUALS Eap Chaining AND Network Access:EapChainingResult EQUALS User and machine both succeeded)

Yes, I believe that attribute (WasMachineAuthenticated = True) is configured. It was originally there, so I don't like to mess around with their original config =p. Thanks for the info; I can maybe suggest those settings instead.

It sounds like they may have retained remnants of a previous MAR config when moving to EAP Chaining.

The specific condition Hsing called out... Network Access:WasMachineAuthenticated EQUALS True ...is more specific to MAR and the machine auth cache. If you add this line to the config, then you are actually relying on the MAR cache, which is not required with EAP Chaining. It would account for the issue described when moving between PSNs. I recommend reviewing with the customer and, if present, asking them to remove that condition.

For those NOT using EAP Chaining and still using MAR, in ISE 2.3 we added an option to sync the MAR cache for all PSNs in the same node group. However, in this example (movement between data centers), the same experience would be seen, since the MAR cache is not synced between geographic clusters.

Craig
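To make the difference between the two authorization approaches discussed in this thread concrete, here is an added toy model (written for this page, not Cisco ISE code and not posted by any participant). It simulates a laptop authenticating against two PSNs in different sites: one policy keys on a per-node MAR cache, as the "WasMachineAuthenticated EQUALS True" condition does, and the other keys on the EAP Chaining result carried in the authentication itself. The PSN names, hostnames, user name, timestamps and the 24-hour cache lifetime are constructed; the result strings other than "User and machine both succeeded" are assumed labels for the model, not verified ISE attribute values.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Assumed lifetime for the toy MAR cache; not a documented ISE default.
MAR_CACHE_TTL_HOURS = 24


@dataclass
class Psn:
    name: str
    # machine name -> hour at which this node cached its machine auth.
    # The cache is local to the node: nothing here is shared across sites,
    # which is the behaviour described for geographically separate PSNs.
    mar_cache: Dict[str, int] = field(default_factory=dict)


@dataclass
class AuthRequest:
    hour: int
    machine: str
    user: Optional[str]        # None = machine-only auth (boot / logon screen)
    eap_chaining_result: str   # what the EapChainingResult attribute would carry


def authorize_with_mar(req: AuthRequest, psn: Psn) -> str:
    """Policy modelled on 'Network Access:WasMachineAuthenticated EQUALS True'.
    The machine state is looked up in the cache of the PSN handling this request."""
    if req.user is None:
        psn.mar_cache[req.machine] = req.hour
        return "Machine_Only_Access"
    cached_at = psn.mar_cache.get(req.machine)
    still_valid = cached_at is not None and req.hour - cached_at < MAR_CACHE_TTL_HOURS
    # User auth succeeded, but this node cannot vouch for the machine.
    return "Full_Access" if still_valid else "Limited_Access"


def authorize_with_eap_chaining(req: AuthRequest, psn: Psn) -> str:
    """Policy modelled on the EAP Chaining condition quoted in the thread:
    the combined result arrives with the authentication, so no node-local state is needed."""
    outcomes = {
        "User and machine both succeeded": "Full_Access",
        "Machine succeeded": "Machine_Only_Access",
        "User succeeded": "User_Only_Access",
    }
    return outcomes.get(req.eap_chaining_result, "Deny")


def travel_scenario() -> List[Tuple[str, AuthRequest]]:
    """Constructed sequence: boot and logon in country B, reboot and logon after
    travelling to country A, then resume from sleep back in country B."""
    both = "User and machine both succeeded"
    return [
        ("psn-b", AuthRequest(0, "LAPTOP01", None, "Machine succeeded")),
        ("psn-b", AuthRequest(1, "LAPTOP01", "alice", both)),
        ("psn-a", AuthRequest(72, "LAPTOP01", None, "Machine succeeded")),
        ("psn-a", AuthRequest(73, "LAPTOP01", "alice", both)),
        # Back in B: psn-b's own entry is stale and psn-a's entry is invisible to it.
        ("psn-b", AuthRequest(120, "LAPTOP01", "alice", both)),
    ]


def run(policy: Callable[[AuthRequest, Psn], str]) -> List[str]:
    """Evaluate every request in the scenario against the PSN that handles it."""
    psns = {"psn-a": Psn("psn-a"), "psn-b": Psn("psn-b")}
    return [policy(req, psns[node]) for node, req in travel_scenario()]


if __name__ == "__main__":
    for name, policy in (("MAR", authorize_with_mar), ("EAP Chaining", authorize_with_eap_chaining)):
        print(f"{name:12s}", run(policy))
```

The last step is the one the original post describes: under the MAR-style condition the returning laptop lands in limited access until a fresh machine auth (logoff/logon) repopulates that node's cache, while under the EAP Chaining condition the same request is granted full access because the machine result travels with the session. Dropping the MAR condition, as the accepted answer suggests, removes the dependency on node-local state; the ISE 2.3 node-group cache sync mentioned above would only help PSNs within one node group, not across sites.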