Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1941
Views
0
Helpful
4
Replies

Problem AD with ISE

Ahmed Zniti
Level 1
Level 1

‎11-22-2012 06:18 AM - edited ‎03-10-2019 07:49 PM

           The ISE Version 1.1.1 can't join the AD Domain it dispalys joinedn to domain but disconnected

Labels:
0 Helpful
4 Replies 4

Karsten Iwen
VIP
VIP

‎11-22-2012 06:53 AM

First make sure that NTP and DNS works correctly. If there are still problems after that activate and check the ad_agent.log:

Administration -> Logging -> Debug Log Configuration -> Active Directory

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful

Ahmed Zniti
Level 1
Level 1
In response to Karsten Iwen

‎11-22-2012 11:28 AM

The NTP and DNS are correctly configured the problem persist the following is some debug log

Nov 22 18:51:54 DOTNISE-A adclient[22160]: DEBUG <59 capigetobjectbyname=""> base.adagent findObject: NotFound:radius-user Category:user

Nov 22 18:51:54 DOTNISE-A adclient[22160]: DEBUG <59 capigetobjectbyname=""> base.bind.cache making negative response for Person userPrincipalName="radius-user" (GC=0)

Nov 22 18:51:54 DOTNISE-A adclient[22160]: DEBUG <59 capigetobjectbyname=""> base.cache Cache store ;CN=CENTRIFY NEGATIVE RESPONSE,CN=Person,DC=ORANGETUNISIE,DC=INTRA : update indexes Yes

Nov 22 18:51:54 DOTNISE-A adclient[22160]: DEBUG <59 capigetobjectbyname=""> base.objecthelper 'radius-user' is not a canonical name

Nov 22 18:51:54 DOTNISE-A adclient[22160]: DEBUG <31 capigetobjectbyname=""> base.bind.cache making negative response for Person userPrincipalName="radius-user" (GC=0)

Nov 22 18:51:54 DOTNISE-A adclient[22160]: DIAG <33 capigetobjectbyname=""> base.bind.ldap X.X.X.X:389 search base="DC=OrangeTunisie,DC=intra" filter="(&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(sAMAccountName=radius-user-bt))"

Nov 22 18:52:17 DOTNISE-A adinfo[28473]: DEBUG util.except (Timeout) : RecvWait out (reference lrpc/ipc_sockio.cpp:155 rc: 0)

Nov 22 18:52:21 DOTNISE-A adinfo[28450]: DEBUG util.except (Timeout) : RecvWait out (reference lrpc/ipc_sockio.cpp:155 rc: 0)

Nov 22 18:52:21 DOTNISE-A adinfo[28452]: DEBUG util.except (Timeout) : RecvWait out (reference lrpc/ipc_sockio.cpp:155 rc: 0)

Nov 22 19:07:54 DOTNISE-A adinfo[28473]: DEBUG lrpc.session Reconnect to adclient failed: RecvWait out

Nov 22 18:52:21 DOTNISE-A adinfo[28481]: DEBUG util.except (Timeout) : RecvWait out (reference lrpc/ipc_sockio.cpp:155 rc: 0)

Nov 22 18:58:26 DOTNISE-A adinfo[28885]: DEBUG lrpc.session New socket 3 (36451094)

Nov 22 18:55:15 DOTNISE-A adinfo[28814]: DEBUG lrpc.session New socket 3 (36450306)

Nov 22 19:00:15 DOTNISE-A adinfo[28921]: DEBUG lrpc.session New socket 3 (36451586)

Nov 22 19:07:54 DOTNISE-A adinfo[28452]: INFO lrpc.session process authentication request failed: RecvWait out

Nov 22 19:07:54 DOTNISE-A adinfo[28450]: INFO lrpc.session process authentication request failed: RecvWait out

Nov 22 19:07:54 DOTNISE-A adinfo[28473]: INFO lrpc.session process authentication request failed: RecvWait out

Nov 22 19:07:54 DOTNISE-A adinfo[28481]: DEBUG lrpc.session Cannot communicate with adclient: RecvWait out. Rconnecting...

Nov 22 19:07:54 DOTNISE-A adinfo[28481]: DEBUG lrpc.session New socket 3 (36453156)

Nov 22 19:07:54 DOTNISE-A adinfo[28473]: DEBUG lrpc.session New socket 3 (36453157)

Nov 22 19:01:35 DOTNISE-A adinfo[28978]: DEBUG lrpc.session New socket 3 (36451892)

Nov 22 19:00:15 DOTNISE-A adinfo[28918]: DEBUG lrpc.session New socket 3 (36451578)

Nov 22 18:55:15 DOTNISE-A adinfo[28817]: DEBUG lrpc.session New socket 3 (36450314)

Nov 22 18:59:04 DOTNISE-A adinfo[28900]: DEBUG lrpc.session New socket 3 (36451246)

0 Helpful

Venkatesh Attuluri
Cisco Employee
Cisco Employee
In response to Ahmed Zniti

‎04-30-2013 01:57 AM

This scenario is most commonly caused by  clock drift due to not syncing time via
NTP1 on VMware (if you are using )
This issue can  also arise if the Cisco ISE FQDN2 changes and/or the name of the
certificate  imported on the client machine has changed.

Ensure that your Active Directory domain  and Cisco ISE are aligned to the same
NTP server source.
Shut down or  pause your Active Directory server and try to authenticate an employee
to the  network. try  ISE 1.1.3

0 Helpful

ryan ramandito
Level 1
Level 1
In response to Karsten Iwen

‎05-15-2013 06:15 AM

Hi Ventakesh,

just got this kind of problem and what I do to fix this:

1. make sure no time skew on both AD & ISE

2. Resetting ISE on domain controller (computers > [ise_appliance_name] > reset account)

3. Re-join AD from ISE

Hopefully works for your problem

0 Helpful
Customers Also Viewed These Support Documents