01-02-2020 01:45 AM
Hi
Could anyone please help me understand this.
I have an ISE setup that's been working for years, and then suddenly all MAB authentication stopped working.
I have just taken over the setup from someone else, but I am pretty sure nothing was changed on the ISE side.
MAB is using the AD as an external MAC database, and when I do a lookup against the AD with a MAC "user" it says the account is disabled, and when I look in the AD the account is disabled.
But is this normal? That a MAB account is disabled in the AD to avoid having a "working" user account?
Test Username : 00-11-22-33-44-55
ISE NODE : ISE02.domain.com
Scope : Default_Scope
Instance : domain.com
Authentication Result : FAILED
Error : The account is disabled
Processing Steps:
09:43:03:734: Resolving identity - 00-11-22-33-44-55
09:43:03:734: Search for matching accounts at join point - domain.com
09:43:03:738: Single matching account found in forest - domain.com
09:43:03:738: Identity resolution detected single matching account
09:43:03:738: Identity resolution failed - ERROR_ACCOUNT_DISABLED
01-03-2020 01:07 AM
This is normal behaviour. When using an ISE AD Join Point, auth will fail if AD accounts are disabled or have expired passwords. Just enable one and re-test.
If you used LDAP to auth against the same AD server then perhaps you can get away with looking up a disabled account. I have not tried that myself but it might work.
01-06-2020 01:05 AM
01-03-2020 02:11 AM
Hi
Do any of your ISE policies use the IdentityAccessRestricted flag? The documentation below states that this flag would be set if an account was found to be disabled.
hth
Andy
https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html
User Access Restriction
While authenticating or querying a user, Cisco ISE checks for the following:
• Is the user account disabled?
• Is the user locked out?
• Has the user account expired?
• Is the query run outside of the specified login hours?
If the user has one of these limitations, the Active Directory Identifier::IdentityAccessRestricted attribute on the Active Directory dictionary is set to indicate that the user has restricted access. You can use this attribute in all policy rules.
Active Directory identifier is the name that you enter for the Active Directory identity source.
01-06-2020 01:15 AM
01-06-2020 01:58 AM
Hi
The authentication failure should set the IdentityAccessRestriction attribute to "true". You can use this attribute in your authorization rules (have you checked if there are any exemptions in your authorization policy?).
You said that the current setup used to work but has now stopped. What version of ISE are you using and has it been patched recently?
hth
Andy
01-06-2020 06:50 AM
Are the endpoints failing MAB or are you just testing this with AD diagnostic tool? The tool will fail even for lookup when the account is disabled, but the actual MAB lookup should work regardless of account disabled status.
01-08-2020 01:14 AM
Hi
The lookup fails as well and the device hits the default policy for guest internet access.
Evaluating Identity Policy
Selected identity source sequence - Wired_MAB_ISS
Selected Identity Source - Internal Endpoints
Looking up Endpoint in Internal Endpoints IDStore - 00:20:XX:XX:XX:XX
Found Endpoint in Internal Endpoints IDStore
Authentication Passed
ISE has not confirmed locally previous successful machine authentication for user in Active Directory
Evaluating Authorization Policy
Looking up user in Active Directory - domain.com
Resolving identity - 00-20-XX-XX-XX-XX
Search for matching accounts at join point - domain.com
Single matching account found in forest - domain.com
Identity resolution detected single matching account
Identity resolution failed - ERROR_ACCOUNT_DISABLED
Queried PIP - domain.com.distinguishedName (2 times)
Queried PIP - DEVICE.Location
Queried PIP - sub.domain.com.distinguishedName (2 times)
Queried PIP - domain.com.distinguishedName (5 times)
Queried PIP - sub.domain.com.distinguishedName (2 times)
Selected Authorization Profile - Wired_Guestinternet_Allow_access
Looking up Endpoint in Internal Endpoints IDStore - 00:20:XX-XX-XX-XX
Found Endpoint in Internal Endpoints IDStore
Returned RADIUS Access-Accept
01-08-2020 08:39 AM
Looks like ISE is sending back ACCESS-ACCEPT regardless of the ACCOUNT_DISABLED status. Which means it is ignoring it for the MAB lookup as suspected. Can you post screenshot of your policy that you expect to match?
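The symptom in this thread is that ISE still returns Access-Accept after the AD lookup fails with ERROR_ACCOUNT_DISABLED, so the endpoint silently lands on the guest fallback profile instead of the intended rule. The script below is an added example, not code from the thread or from Cisco: it parses the "Steps" text of an ISE detailed authentication report (in the format shown above) and flags sessions where an AD resolution error coincided with an Access-Accept on a fallback profile. The step texts, MAC addresses, domain and profile names (Wired_Guestinternet_Allow_access, Wired_Printers_Allow_access) are constructed placeholders; the set of fallback profiles is an assumption you would replace with your own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample steps, modelled on the ISE live-log excerpt in this
# thread. MAC addresses, domain and profile names are placeholders.
DISABLED_ACCOUNT_STEPS = """\
Selected identity source sequence - Wired_MAB_ISS
Selected Identity Source - Internal Endpoints
Looking up Endpoint in Internal Endpoints IDStore - 00:20:11:22:33:44
Found Endpoint in Internal Endpoints IDStore
Authentication Passed
Evaluating Authorization Policy
Looking up user in Active Directory - domain.com
Resolving identity - 00-20-11-22-33-44
Search for matching accounts at join point - domain.com
Single matching account found in forest - domain.com
Identity resolution detected single matching account
Identity resolution failed - ERROR_ACCOUNT_DISABLED
Queried PIP - domain.com.distinguishedName (2 times)
Queried PIP - DEVICE.Location
Selected Authorization Profile - Wired_Guestinternet_Allow_access
Returned RADIUS Access-Accept
"""

# Constructed "healthy" session: the AD account resolves, so the real rule matches.
HEALTHY_STEPS = """\
Selected identity source sequence - Wired_MAB_ISS
Selected Identity Source - Internal Endpoints
Looking up Endpoint in Internal Endpoints IDStore - 00:20:11:22:33:45
Found Endpoint in Internal Endpoints IDStore
Authentication Passed
Evaluating Authorization Policy
Looking up user in Active Directory - domain.com
Resolving identity - 00-20-11-22-33-45
Single matching account found in forest - domain.com
Identity resolution detected single matching account
Queried PIP - domain.com.distinguishedName (2 times)
Selected Authorization Profile - Wired_Printers_Allow_access
Returned RADIUS Access-Accept
"""

# Assumed catch-all profiles: landing here after an AD error means the
# intended, more specific authorization rule was skipped.
FALLBACK_PROFILES = {"Wired_Guestinternet_Allow_access"}

_PATTERNS = {
    "mac": re.compile(r"Looking up Endpoint in Internal Endpoints IDStore - (\S+)"),
    "ad_error": re.compile(r"Identity resolution failed - (\S+)"),
    "auth_profile": re.compile(r"Selected Authorization Profile - (\S+)"),
    "radius_result": re.compile(r"Returned RADIUS (Access-\w+)"),
}
_PIP_RE = re.compile(r"Queried PIP - (\S+)")


@dataclass
class SessionSummary:
    mac: Optional[str] = None
    ad_error: Optional[str] = None
    auth_profile: Optional[str] = None
    radius_result: Optional[str] = None
    queried_attrs: List[str] = field(default_factory=list)

    def ad_lookup_failed(self) -> bool:
        return self.ad_error is not None

    def accepted_despite_ad_failure(self, fallback_profiles=FALLBACK_PROFILES) -> bool:
        """True when AD resolution failed, ISE still answered Access-Accept,
        and the session landed on a fallback profile (the thread's symptom)."""
        return (self.ad_lookup_failed()
                and self.radius_result == "Access-Accept"
                and self.auth_profile in fallback_profiles)


def parse_steps(text: str) -> SessionSummary:
    """Extract the fields of interest from one session's step list.
    Later lines overwrite earlier ones, so the final outcome wins."""
    summary = SessionSummary()
    for line in text.splitlines():
        line = line.strip()
        for name, pattern in _PATTERNS.items():
            m = pattern.search(line)
            if m:
                setattr(summary, name, m.group(1))
        m = _PIP_RE.search(line)
        if m:
            summary.queried_attrs.append(m.group(1))
    return summary


def flag_sessions(step_texts) -> List[SessionSummary]:
    """Return the summaries of sessions that show the symptom."""
    return [s for s in map(parse_steps, step_texts) if s.accepted_despite_ad_failure()]


if __name__ == "__main__":
    for s in flag_sessions([DISABLED_ACCOUNT_STEPS, HEALTHY_STEPS]):
        print(f"{s.mac}: AD lookup failed with {s.ad_error}, "
              f"yet {s.radius_result} via {s.auth_profile}")
```

Running it prints the disabled-account session only. The check on the queried attributes is the useful part when debugging the policy: if distinguishedName is queried after an ERROR_ACCOUNT_DISABLED step, the AD-attribute condition in the authorization rule was evaluated with no value, which is why a rule such as "distinguishedName CONTAINS Printer" cannot match and the session falls through to the guest profile.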
01-13-2020 02:15 AM
01-13-2020 09:07 AM
It seems like that condition is not matching, suggest confirming the OU and/or making sure that case also matches. I would also try more lenient condition such as "CONTAINS Printer" and see if you can match it.
01-14-2020 06:13 AM
01-08-2020 01:00 AM