ISE - Since enabling Profiling, authentication to Internal User DB fails

aceandy79 · ‎03-27-2017

Hi,

I have a policy rule that to permit access to a device matching a specific device type, which then used a local Identity from the Internal Users DB for authentication.

This was working fine until I enabled Profiling service (RADIUS) on the PSN. The logs show the auth attempt is still matching the rule but now fails authentication because for some reason it does not select the configured identity source. When looking at the specific log detail, the steps are identical up until '15041 Evaluating Identity Policy'. When it was working this step was followed by '15006 Matched Default Rule', and ' 15013
Selected Identity Source - Internal Users'.

Now it's failing instead it skips the middle step, and goes straight to '15013 Selected Identity Source - DenyAccess'

Disabling Profiling service has not fixed this, it seems turning it on in the first place has done some lasting damage! It is only this rule that has stopped working. Other rules using external identity stores are working fine. Has anyone used Profiling before and had similar issues?

Thanks.

jahamilton1 · ‎03-28-2017

If I may ask pls what version of ise did you deploy?

Can I also request for the screenshot of the left report screen ( the left screen side of both the failing and passed screenshot)

Thanks.

aceandy79 · ‎03-28-2017

Hi, thanks for your reply. We are on 2.2

I have attached a couple more screenshots, but with a few details removed (they were the same in both shots).

jahamilton1 · ‎03-28-2017

1st step to troubleshoot is to look at why authentication failed cause without authentication, authorization cant be made.

confirm the internal store, (users added to the identity stores and their password) contains the identity you are trying to authenticate and ensure it is enabled (green).

If this can be fixed, authorization should be fine.

aceandy79 · ‎03-28-2017

Hi, yes this is what I am trying to do, work out why authentication is suddenly failing when previously it was working. I haven't looked at authorisation yet, as it's failing before that at the authentication stage.

The only change I made to the configuration was to enable the Profiling service on the PSN.

The user account is enabled (green), and the password hasn't changed. From the screenshot where it is failing, ISE is for some reason no longer checking the username against the Internal Users store, even though this is what the policy rule tells it to do. The screenshot from before I enabled Profiling, shows this working just fine.

Thanks.

jahamilton1 · ‎03-29-2017

hi aceandy,

are you fine now?

aceandy79 · ‎03-29-2017

Hi, no sadly not. Have not been able to get to the bottom of why this is failing when previously working. As it's a local user account it should be so simple! As far as I can tell from logs it just makes no attempt to check the Internal Users DB, like the policy rule tells it to do.

Thanks.

chatataridge · ‎03-29-2017

Can you confirm that the internal store is included in the identity source sequence being used by this policy set?

aceandy79 · ‎03-29-2017

Hi,

Yes I can confirm the policy rule is set to use Internal Users. Please see screenshot from my opening message named 'icinga.png'.

Thanks.

aceandy79 · ‎03-29-2017

Well, it seems this is now fixed, again without explanation. Failed over to other admin node and failed back again. Authentication is now working! Go figure.

Thanks for everyone's suggestions, but this seems to be a case of turn it off and on again.