ISE denies MAB authentication after restart

TheUser27
Level 1

Hi everyone,

We have an issue with an ISE deployment for a customer and Cisco TAC is currently unable to help us...

The customer is using 4 virtual ISE nodes with 2x PAN/MnT and 2x PSN on Version 3.2 Patch 5.

After an update or simple restart of the primary PSN (first on the switches) the switches do a failover to the second PSN as they should. But when the primary PSN is started again there is a small time frame where the PSN is accepting RADIUS requests again and is marked as alive, but it rejects our MAB requests since the endpoint isn't found in the internal database. On the next reauthentication the request is accepted.

So the PSN node is answering RADIUS requests even when the internal MAB database isn't available yet after rebooting. This causes devices that get reauthenticated to receive the wrong VLAN, which causes outages for our customer.

Has anyone seen this before and has a solution for this problem? Cisco TAC told us to modify the dead-timer on the switch or block access to this node until it's fully up again, but that's not really a solution to the problem.

Thanks in advance!

5 Replies

marce1000
VIP

> ...Cisco TAC told us to modify the dead-timer on the switch or block access to this node till it's full up again but thats not really a solution for the problem.

I can assume that the blocking access solution is not feasible, but what's wrong with the dead-timer option?

M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Hi marce1000. Thanks for your reply.

Of course it's an option and we already have 5 minutes configured, but we don't want to extend the dead-timer to an unreasonable value. If we increase the timer to 10 minutes and ISE needs 9.5 minutes to reboot, we'll experience the same issue.

If we increase the dead-timer even further, it could be a problem when upgrading/rebooting the nodes, and we need to wait for the dead-timer to end.

Also, the automate-tester marks the ISE alive even when ISE isn't completely ready...
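For readers who want to see where the two switch-side knobs discussed in this thread (the dead-timer and the automate-tester) actually live, the fragment below is an added IOS-XE configuration example; it is not configuration posted in this thread and not Cisco's or ISE's own code. The server names, addresses, probe username, shared key placeholder and timer values are assumptions chosen for illustration.

```ios
! Added example (not from the thread): switch-side RADIUS server health
! probing and dead-timer settings. All names, addresses, keys and timer
! values below are placeholders.
radius server ISE-PSN1
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 ! Active probe: the switch periodically sends an Access-Request for this
 ! user. Any RADIUS reply (Access-Accept or Access-Reject) counts as
 ! "alive", so a PSN whose RADIUS process answers but whose identity store
 ! is not yet loaded is still marked up.
 automate-tester username ise-probe-user idle-time 5 probe-on
 key 0 REPLACE-WITH-SHARED-SECRET
!
radius server ISE-PSN2
 address ipv4 192.0.2.12 auth-port 1812 acct-port 1813
 automate-tester username ise-probe-user idle-time 5 probe-on
 key 0 REPLACE-WITH-SHARED-SECRET
!
aaa group server radius ISE-PSNS
 server name ISE-PSN1
 server name ISE-PSN2
 ! Minutes a server stays marked dead before the switch tries it again
 ! (the "dead-timer" discussed above; the poster has 5 configured).
 deadtime 5
!
! How many unanswered requests within what window mark a server dead.
radius-server dead-criteria time 10 tries 3
```

The probe only proves that the RADIUS process is answering, which is exactly the gap the poster describes: once a rebooting PSN replies to the probe it is marked alive and the switch starts sending real MAB requests to it, regardless of whether the internal endpoint database is loaded yet. `deadtime` therefore has to cover the whole ISE startup, not just the time until RADIUS responds; `show aaa servers` on the switch shows the current UP/DEAD state of each server and when it last changed, which is useful when correlating an outage window with a PSN reload.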

What I think has happened is:

The user is authenticated via MAB on one ISE.

And the other ISE is authenticating via MAB and the guest policy set.

The policy set must be configured with order and with conditions to eliminate this case.

Guest auth uses MAB as the first authc and it adds the unknown MAC to the internal DB of ISE.

MAB authc uses a known MAC to authc.

That's why ISE re-authenticates the MAB device with authz of the wrong VLAN.

MHM

Hi,

Sorry, but I don't really understand your response. Both PSN nodes are in the same deployment and the MAC is present in the internal database and assigned to the correct groups. There is only one MAB ruleset for internal devices and no "guest authentication".

The nodes respond with "AuthenticationResult=UnknownUser" for some time after reload, and work fine after some minutes.

Thanks in advance!

There are:
1- Wireless Guest Authc, which uses two authc:
A- first MAB, with UnknownUser added to a specific group
B- portal
2- Wired MAB,
which needs the user added to internal ISE

I think the wired MAB is authenticated via guest Authc, not via Wired MAB.
You need to separate wireless from wired.

Are you using wireless Guest?

MHM