Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

5735
Views
5
Helpful
4
Replies
NetEngineerKC15
Beginner
Beginner
‎07-18-2018 08:04 AM
‎07-18-2018 08:04 AM

ISE has not confirmed locally previous successful machine authentication for user in Active Directory

ISE 2.3.0.298

External Sources: AD

Mode: Monitor

MAR: On (12hrs)

Cisco Phones-EAP

Switches: Correctly Configured per Interface

 

Policy:

     Authentication:

     EAP-TLS - Network Access·EapTunnel Equals TTLS - Use Sequence (Internal Endpoints, AD) [hit=0]

     Wired_MAB - Wired_MAB - Use Sequence (Internal Endpoint) [hit=9907]

 

Authorization Policy
hit=0
Printers:
Network Access - EapAuthentication EQUALS EAP-TLS
IdentityGroup-Name EQUALS Endpoint Identity
Groups: HP_Printers
[Printers MAC Addresses are in there]

 

hit=54
Cisco_Phones:
IdentityGroup-Name EQUALS Endpoint Identity
Groups: Switch_Devices: Cisco_Phones
[Switch is in there and so is the Cisco Phone MAC Addresses]

 

Okay, So I am brand new with ISE so bare with me.  However, I noticed they keep getting rejected with typically the following stages:

 

  11001 Received RADIUS Access-Request
  11017 RADIUS created a new session
  11027 Detected Host Lookup UseCase (Service-Type = Call Check (10))
  15049 Evaluating Policy Group
  15008 Evaluating Service Selection Policy
  15048 Queried PIP
  15048 Queried PIP
  15041 Evaluating Identity Policy
  15048 Queried PIP
  15048 Queried PIP
  15048 Queried PIP
  15048 Queried PIP
  22072 Selected identity source sequence
  15013 Selected Identity Source - Internal Endpoints
  24209 Looking up Endpoint in Internal Endpoints IDStore - 48:BA:4E:**:**:**
  24211 Found Endpoint in Internal Endpoints IDStore
  22037 Authentication Passed
  24715 ISE has not confirmed locally previous successful machine authentication for user in Active Directory
  15036 Evaluating Authorization Policy
  15048 Queried PIP
  24432 Looking up user in Active Directory - 48:BA:4E:**:**:**
  24325 Resolving identity
  24313 Search for matching accounts at join point
  24318 No matching account found in forest
  24322 Identity resolution detected no matching account
  24352 Identity resolution failed
  24412 User not found in Active Directory
  15048 Queried PIP
  15048 Queried PIP
  15016 Selected Authorization Profile - DenyAccess
  15039 Rejected per authorization profile
  11003 Returned RADIUS Access-Reject
  5434

Endpoint conducted several failed authentications of the same scenario

 

Authentication Policy Wired Monitor Mode >> Wired_MAB
Authorization Policy Wired Monitor Mode >> Default
Authorization Result DenyAccess

StepData 5= DEVICE.Device Type
StepData 6= DEVICE.Mode
StepData 8= Network Access.EapTunnel
StepData 9= Network Access.EapAuthentication
StepData 10= Network Access.EapTunnel
StepData 11= Normalised Radius.RadiusFlowType
StepData 12=Internal_Endpoint_Sequence
StepData 13=Internal Endpoints
StepData 19= Network Access.EapTunnel
StepData 20= *.ad

 

This is similar to the phones and everything else every time when there is authentication rejected.  I notice half the phones are authenticated and other half is not when checking on the switches.  So what am I doing wrong?

 

Can cisco phones be placed in AD? How do I have it where for now it only views in the Internal_Endpoint?  All I'm trying to do is to correctly have them authenticated now and THEN set up the complicated stuff.

Labels:
0 Helpful
1 ACCEPTED SOLUTION

Accepted Solutions
hslai
Cisco Employee
Cisco Employee
‎07-28-2018 11:01 AM
‎07-28-2018 11:01 AM

 
  ... ...
  15036 Evaluating Authorization Policy
  15048 Queried PIP
  24432 Looking up user in Active Directory - 48:BA:4E:**:**:**
  ... ...
  5434

Endpoint conducted several failed authentications of the same scenario

 

 

...

 

This is similar to the phones and everything else every time when there is authentication rejected.  I notice half the phones are authenticated and other half is not when checking on the switches.  So what am I doing wrong?

 

Can cisco phones be placed in AD? How do I have it where for now it only views in the Internal_Endpoint?  All I'm trying to do is to correctly have them authenticated now and THEN set up the complicated stuff.

Configuring MAB with LDAP User Device Binding - Cisco shows how to perform MAB against an AD/LDAP store.

Your case seems to use Internal Endpoints only, so it's not optimal to query AD for phones. Ideally, you would want to create a policy set to separate Wired MAB from the others. For example,

Screen Shot 2018-07-28 at 10.59.21 AM.png

Additionally, I would suggest you to check out Advanced ISE Services, Tips and Tricks - BRKSEC-3697

View solution in original post

4 REPLIES 4
RichardAtkin
Participant
Participant
‎07-27-2018 05:43 AM
‎07-27-2018 05:43 AM

Can you post up some screenshots of your configs and a concise description of what it is you're trying to do?  If you can, we can help...  there's not enough detail in the original post to guide you.

0 Helpful
NetEngineerKC15
Beginner
Beginner
In response to RichardAtkin
‎07-27-2018 05:47 AM
‎07-27-2018 05:47 AM

Configurations is what was posted as I am looking at the GUI.  Could you be specific as to what configs you are needing to look at?

0 Helpful
RichardAtkin
Participant
Participant
In response to NetEngineerKC15
‎07-27-2018 05:53 AM
‎07-27-2018 05:53 AM

Screenshots of your Authentication and Authorisation Policies - they're much easier to interpret as screenhots than text and it removes the chance you've mis-typed or mis-represented something when you converted it all to text.

 

It's also not clear what the actual problem is - which of your printers or phones does / does not work?

0 Helpful
hslai
Cisco Employee
Cisco Employee
‎07-28-2018 11:01 AM
‎07-28-2018 11:01 AM

 
  ... ...
  15036 Evaluating Authorization Policy
  15048 Queried PIP
  24432 Looking up user in Active Directory - 48:BA:4E:**:**:**
  ... ...
  5434

Endpoint conducted several failed authentications of the same scenario

 

 

...

 

This is similar to the phones and everything else every time when there is authentication rejected.  I notice half the phones are authenticated and other half is not when checking on the switches.  So what am I doing wrong?

 

Can cisco phones be placed in AD? How do I have it where for now it only views in the Internal_Endpoint?  All I'm trying to do is to correctly have them authenticated now and THEN set up the complicated stuff.

Configuring MAB with LDAP User Device Binding - Cisco shows how to perform MAB against an AD/LDAP store.

Your case seems to use Internal Endpoints only, so it's not optimal to query AD for phones. Ideally, you would want to create a policy set to separate Wired MAB from the others. For example,

Screen Shot 2018-07-28 at 10.59.21 AM.png

Additionally, I would suggest you to check out Advanced ISE Services, Tips and Tricks - BRKSEC-3697

View solution in original post

Latest Contents
ISE as RADIUS server for Password + Smart Card Authenticatio...
Created by deepuvarghese1 on 04-17-2021 06:22 AM
1
10
1
10
The purpose of this document is to demonstrate how ISE authenticate / authorize a user that uses a smart card (PIN + Certificate) and password mechanism to login their system. This document describes the components used for this setup, configuration of IS... view more
Email Security - QuoVadis Root Certificate Decommission Migh...
Created by dmccabej on 03-30-2021 09:32 AM
0
0
0
0
Problem Description For all versions of the Email Security Appliance (ESA) and Security Management Appliance (SMA), some Secure Sockets Link (SSL) certificates issued from the QuoVadis root certificate authority (CA) trust chain before 2021-03-31 cannot b... view more
ISE REST APIs Webinar: April 6/7, 2021
Created by thomas on 03-25-2021 07:57 PM
2
5
2
5
  Register Now Automation and programmability for networking and security are increasingly important topics. Every release since ISE 1.2 has included new REST API capabilities to better automate and integrate ISE with the rest of your network, appli... view more
FMT 2.3.4 adding ASA migrations of S2S VPN in public beta
Created by William_Hansch on 03-22-2021 08:00 AM
1
10
1
10
The latest iteration (v2.3.4) of the Cisco Secure Firewall Migration Tool adds public beta support for S2S VPN migrations from ASA: Policy-based (crypto map) Pre-Shared key authentication type VPN configuration to Firepower Management Center VP... view more
What's New for Cisco Defense Orchestrator (CDO)
Created by Andrew Mallio on 03-22-2021 04:40 AM
1
40
1
40
Cisco Defense Orchestrator (CDO) is a cloud-based, multi-device manager that manages security products like Adaptive Security Appliance (ASA), Firepower Threat Defense next-generation firewall, and Meraki devices, to name a few.  We make improvement... view more
Content for Community-Ad