ISE MAB Lookup in AD

rasmus.elmholt
Level 7

Hi

Could anyone please help me understand this.

 

I have an ISE setup that's been working for years, and then suddenly all MAB authentication stopped working.

I have just taken over the setup from someone else, but I am pretty sure nothing was changed on the ISE side.

 

MAB is using the AD as an external MAC database, and when I do a lookup against the AD with a MAC "User" it says the account is disabled, and when I look in the AD the account is disabled.

But is this normal? That a MAB account is disabled in the AD to avoid having a "working" user account?

 

Test Username           : 00-11-22-33-44-55
ISE NODE                : ISE02.domain.com
Scope                   : Default_Scope
Instance                : domain.com

Authentication Result   : FAILED

Error                   : The account is disabled


Processing Steps:
09:43:03:734: 	Resolving identity - 00-11-22-33-44-55
09:43:03:734: 	Search for matching accounts at join point - domain.com
09:43:03:738: 	Single matching account found in forest - domain.com
09:43:03:738: 	Identity resolution detected single matching account
09:43:03:738: 	Identity resolution failed - ERROR_ACCOUNT_DISABLED

Arne Bier
VIP

This is normal behaviour. When using an ISE AD Join Point, Auth will fail if AD accounts are disabled or have expired passwords. Just enable one and re-test. 

If you used LDAP to auth. against the same AD server then perhaps you can get away with looking up a disabled account. I have not tried that myself but it might work. 

Hi Arne
If I enable the account, everything starts to work. But to be honest I would like all the MAB users to be disabled in the AD, to make sure no one can log in with these accounts.

andrewswanson
Level 7

Hi

 

Do any of your ISE policies use the IdentityAccessRestricted flag? The documentation below states that this flag would be set if an account was found to be disabled.

 

hth
Andy


https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html

 

User Access Restriction
While authenticating or querying a user, Cisco ISE checks for the following:

 

• Is the user account disabled?
• Is the user locked out?
• Has the user account expired?
• Is the query run outside of the specified login hours?

 

If the user has one of these limitations, the Active Directory Identifier::IdentityAccessRestricted attribute on the Active Directory dictionary is set to indicate that the user has restricted access. You can use this attribute in all policy rules.

Active Directory identifier is the name that you enter for the Active Directory identity source.
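The four checks in the documentation quoted above are straightforward to evaluate offline from the raw AD attributes, which is useful when triaging a MAB account that fails with ERROR_ACCOUNT_DISABLED as in the original post. The following is an added example, not Cisco ISE code and not anything from the thread: it re-implements the disabled / locked-out / expired / login-hours checks over constructed LDAP-style attribute dicts, and pulls the ERROR_* code out of ISE "Processing Steps" text. The attribute names (userAccountControl, lockoutTime, accountExpires, logonHours) are the real AD schema names; the 30-minute lockout duration default, the MAC account names and the sample step text are assumptions constructed for the example.

```python
"""Added example (not Cisco ISE code): offline re-implementation of the four
AD account restrictions the ISE documentation says set IdentityAccessRestricted,
plus a helper that extracts the identity-resolution error from ISE step output.
All entries below are constructed; DEFAULT_LOCKOUT is an assumption (real
domains set lockoutDuration in policy)."""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

UF_ACCOUNTDISABLE = 0x0002                      # userAccountControl bit
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}        # accountExpires sentinels
DEFAULT_LOCKOUT = timedelta(minutes=30)         # assumption: domain lockoutDuration


def filetime_to_datetime(ft: int) -> datetime:
    """AD FILETIME: 100-ns ticks since 1601-01-01 UTC."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return int((dt - _FILETIME_EPOCH).total_seconds()) * 10_000_000


def logon_hours_allow(logon_hours: Optional[bytes], when: datetime) -> bool:
    """logonHours is a 21-byte bitmap, one bit per hour of the week starting
    Sunday 00:00 UTC, bit 0 of byte 0 first. A missing attribute means no
    restriction."""
    if logon_hours is None:
        return True
    day = (when.weekday() + 1) % 7              # Python: Mon=0; AD bitmap: Sun=0
    byte_idx, bit = divmod(day * 24 + when.hour, 8)
    return bool((logon_hours[byte_idx] >> bit) & 1)


def access_restrictions(entry: Dict[str, object], now: datetime,
                        lockout_duration: timedelta = DEFAULT_LOCKOUT) -> List[str]:
    """Return the reasons (possibly empty) for which the account would be
    flagged as access-restricted, in the order the documentation lists them."""
    reasons: List[str] = []
    if int(entry.get("userAccountControl", 0)) & UF_ACCOUNTDISABLE:
        reasons.append("disabled")
    lockout = int(entry.get("lockoutTime", 0))
    # lockoutTime stays set after the lockout window; only a recent one counts
    if lockout and now < filetime_to_datetime(lockout) + lockout_duration:
        reasons.append("locked_out")
    expires = int(entry.get("accountExpires", 0))
    if expires not in _NEVER_EXPIRES and filetime_to_datetime(expires) <= now:
        reasons.append("expired")
    if not logon_hours_allow(entry.get("logonHours"), now):
        reasons.append("outside_login_hours")
    return reasons


def identity_resolution_error(processing_steps: str) -> Optional[str]:
    """Extract the ERROR_* code from an ISE 'Identity resolution failed' step."""
    m = re.search(r"Identity resolution failed - (\S+)", processing_steps)
    return m.group(1) if m else None


NOW = datetime(2024, 3, 6, 9, 43, tzinfo=timezone.utc)   # a Wednesday, UTC

# Constructed entries: 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE, 512 = NORMAL_ACCOUNT
MAB_PRINTER_DISABLED = {"sAMAccountName": "00-11-22-33-44-55", "userAccountControl": "514"}
MAB_PRINTER_ENABLED = {"sAMAccountName": "00-11-22-33-44-55", "userAccountControl": "512"}
MAB_EXPIRED = {"userAccountControl": "512",
               "accountExpires": datetime_to_filetime(NOW - timedelta(days=1))}
MAB_NO_HOURS = {"userAccountControl": "512", "logonHours": bytes(21)}
MAB_LOCKED = {"userAccountControl": "512",
              "lockoutTime": datetime_to_filetime(NOW - timedelta(minutes=10))}
MAB_OLD_LOCKOUT = {"userAccountControl": "512",
                   "lockoutTime": datetime_to_filetime(NOW - timedelta(hours=2))}

# Constructed excerpt mirroring the diagnostic output in the original post
SAMPLE_STEPS = ("09:43:03:738: \tIdentity resolution detected single matching account\n"
                "09:43:03:738: \tIdentity resolution failed - ERROR_ACCOUNT_DISABLED")

if __name__ == "__main__":
    for name, e in [("disabled", MAB_PRINTER_DISABLED), ("enabled", MAB_PRINTER_ENABLED),
                    ("expired", MAB_EXPIRED), ("no hours", MAB_NO_HOURS),
                    ("locked", MAB_LOCKED), ("old lockout", MAB_OLD_LOCKOUT)]:
        print(f"{name:12} -> {access_restrictions(e, NOW)}")
    print("ISE step log:", identity_resolution_error(SAMPLE_STEPS))
```

Run it with the attribute values pulled from the MAC account (e.g. from an LDAP search of the MAB OU) and the list it returns for a given account is the set of conditions that a join-point lookup will refuse on; the thread above shows that "disabled" alone is enough to produce ERROR_ACCOUNT_DISABLED, so disabling MAB accounts to block interactive use is not compatible with resolving them through the AD join point.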

Hi Andy
I can't find anywhere that IdentityAccessRestriction is matched. This should be visible under my conditions in the policy set, right?
All MAB mappings are done with domain.com-distinguishedName ENDS WITH OU=Printer, OU=MAC, OU=Cisco ISE, DC=DOMAIN.....

Hi

The authentication failure should set the IdentityAccessRestriction attribute to "true". You can use this attribute in your authorization rules (have you checked if there are any exemptions in your authorization policy?).

You said that the current setup used to work but has now stopped. What version of ISE are you using and has it been patched recently?

hth
Andy

Are the endpoints failing MAB or are you just testing this with AD diagnostic tool? The tool will fail even for lookup when the account is disabled, but the actual MAB lookup should work regardless of account disabled status.

Hi

 

The lookup fails as well and the devices hit the default policy for guest internet access.

Evaluating Identity Policy

Selected identity source sequence - Wired_MAB_ISS

Selected Identity Source - Internal Endpoints

Looking up Endpoint in Internal Endpoints IDStore - 00:20:XX:XX:XX:XX

Found Endpoint in Internal Endpoints IDStore

Authentication Passed

ISE has not confirmed locally previous successful machine authentication for user in Active Directory

Evaluating Authorization Policy

Looking up user in Active Directory - domain.com

Resolving identity - 00-20-XX-XX-XX-XX

Search for matching accounts at join point - domain.com

Single matching account found in forest - domain.com

Identity resolution detected single matching account

Identity resolution failed - ERROR_ACCOUNT_DISABLED

Queried PIP - domain.com.distinguishedName (2 times)

Queried PIP - DEVICE.Location

Queried PIP - sub.domain.com.distinguishedName (2 times)

Queried PIP - domain.com.distinguishedName (5 times)

Queried PIP - sub.domain.com.distinguishedName (2 times)

Selected Authorization Profile - Wired_Guestinternet_Allow_access

Looking up Endpoint in Internal Endpoints IDStore - 00:20:XX-XX-XX-XX

Found Endpoint in Internal Endpoints IDStore

Returned RADIUS Access-Accept

Looks like ISE is sending back ACCESS-ACCEPT regardless of the ACCOUNT_DISABLED status. Which means it is ignoring it for the MAB lookup as suspected. Can you post screenshot of your policy that you expect to match?

The only condition in the policy I want to match is "domain.com-distinguishedName ENDS WITH OU=Printer, OU=MAC, OU=Cisco ISE, DC=DOMAIN....."

It seems like that condition is not matching, suggest confirming the OU and/or making sure that case also matches. I would also try more lenient condition such as "CONTAINS Printer" and see if you can match it.

The Condition matches on the exact OU, and if the AD account is enabled, everything works and it hits the correct authorization policy.

Hi
There are no local or global exceptions for the MAB authentication policy.
The version is 2.3.0.298 Patch 7, and it has not been upgraded lately.