
Machine authentication not working after upgrade to ISE 1.2

After upgrading to ISE 1.2.0.899 patch 14 we have a problem running machine authentication for a few hosts (30 of about 3000).

Although we can see on the switch that the host presents the hostname, in ISE Operations all we get is the MAC address (for both the Identity and Endpoint ID fields). 

 

On the switch:

show auth sessions int FastEthernet0/1
 Interface:  FastEthernet0/1
 MAC Address:  3c97.0eed.afbc
 IP Address:  Unknown
 User-Name:  host/xxxxxxxxxx
 Status:  Running
 Domain:  UNKNOWN
 Oper host mode:  multi-auth
 Oper control dir:  both
 Session timeout:  N/A
 Idle timeout:  N/A
 Common Session ID:  0AF19F16000138DC11B59C9D
 Acct Session ID:  0x000292EA
 Handle:  0x01000BCA

Runnable methods list:
       Method   State
       mab      Failed over
       dot1x    Running

 

In ISE we see the contents of the attached file.

The workaround we found was to move the host to a different switch, where it will authenticate, and then move it back to the initial switch, where it will now work. I know it doesn't make sense but it worked...

Shut / no shut on the switch port or clearing the auth session doesn't work.

Does anybody have any idea about this problem?

 

Thanks in advance!

 

Update:

The issue seems to be related to how the policy servers cache the sessions/auth requests from the network devices. If we point the network device that hosts the problematic machines to another RADIUS server, the auth runs as expected. A number of machines have problems with a certain policy server (not always the same) while most machines authenticate correctly. The problem is that if, for whatever reason, a machine fails to auth, that policy server could "decide" to hang on to that failed auth result for subsequent tries.

6 Replies

Charlie Moreton
Cisco Employee

What are the types (models) of switches and the software versions running on them?

 

 

Catalyst 4500 version 03.04.03.SG

Cisco 2960 version 12.2(46r)SE2

On which switch does the reauthentication work?

 

Either way, it looks like you need to update the switch software:

This is from the ISE 1.2 Compatibility Matrix which can be found here:

https://supportforums.cisco.com/sites/default/files/attachments/discussion/4500.png

 

Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.

Charles Moreton

We also have a 2960 with the same problem running 15.0(2)SE1

The 4500 looks supported with Version 03.04.03.SG

 

What is the exact model of the 2960?
