Beginner

Strange events after upgrade of Cisco ISE

Hi all,

My 802.1x environment consists of 2x Cisco ISE (primary and secondary) units with Windows AD.

My AD is configured with a GPO which is applied to my users' machines to dictate how they authenticate against my Cisco ISE, as shown below.

1) Using user certificate for authentication for users who are assigned individual PCs.

The PC would be authorized to access the network once user cert authentication/authorization succeeds.

2) Using machine certificate for authentication for machines which are shared among multiple users.

The PC would be authorized to access the network once machine cert authentication/authorization succeeds.

I have upgraded my Cisco ISE (cluster of 2x nodes) from v2.4 patch 8 to v2.4 patch 12 (25th July) and then to v2.6 patch 6 on 1st August.

With reference to the attached, I notice the following peculiar log events in Cisco ISE that were not there before I embarked on my upgrade prior to 25th July.

1) My secondary ISE unit ISE02 was never involved in the authentication or authorization as long as my primary unit ISE01 was working. Ever since the upgrade conducted on 25th July, I started to see "dynamic authorization" by my secondary unit ISE02 in my ISE logs even though ISE01 is working as the active unit. Is this behavior normal?

2) The attached logs show "Dynamic authorization" succeeded for machine authentication but not user authentication. Is this a concern?

At this moment my users do not feel any impact (lag or disconnectivity) when they authenticate (be it user or machine cert authentication) to my network through 802.1x against my Cisco ISE. Please advise what I should do with regards to the dynamic authorization which started to appear in my logs ever since upgrading my Cisco ISE. TIA!

VIP Advisor

Re: Strange events after upgrade of Cisco ISE

Start by confirming that your NAD devices aren't sending authentication requests to ISE02. This can be one of the causes. Also, ensure that both ISE nodes have the same system certificates.

If user authentication is failing on ISE02 this will be a problem in case of failover (or if ISE01 is down), because users won't be able to connect.

***** please remember to rate useful posts.
Hall of Fame Guru

Re: Strange events after upgrade of Cisco ISE

In an ISE deployment all nodes with the PSN role are active and able to handle authentications. That's independent of which node is in the primary or secondary PAN or MnT role.

Some NADs (e.g. ASAs) will fall back to using the second configured aaa server (= ISE PSN) when it sees a failure of the first one and not fail back unless you manually change it (or it sees a subsequent failure of the second node).
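The two replies above suggest two checks: which NADs are actually sending requests to ISE02, and whether user-certificate authentications succeed on ISE02 as they do on ISE01 (a failover risk if they don't). The script below is an added example written for this page, not code from the thread or from Cisco; it runs both checks over an exported ISE RADIUS authentication log. The CSV column names, the hostnames, NAD names, identities and MAC addresses are all constructed assumptions modelled loosely on an ISE Live Log export, not an exact ISE schema, so adjust the column names to match your own export.

```python
"""
Added example (not from the thread above): tally a constructed export of
ISE RADIUS authentication records by network device (NAD), PSN and
authentication type, to answer two questions a practitioner would ask
after the posts above:
  (a) which NADs are sending requests to a given PSN (e.g. ISE02), and
  (b) whether user-cert and machine-cert authentications succeed on
      every PSN, so a failover to the secondary would not strand users.
Column names and all values are assumptions, not an exact ISE schema.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export. Hostnames, NAD names, identities and MACs
# are invented for the example. SW-LAB1 is the only NAD talking to ISE02,
# and ISE02 passes machine auths but fails every user auth it sees.
SAMPLE_CSV = """\
Logged At,Status,Identity,Endpoint ID,Network Device,Server,Authentication Protocol
2020-08-03 08:01:12,Passed,host/PC-SHARED01.corp.example,00:11:22:33:44:01,SW-FLOOR1,ISE01,EAP-TLS
2020-08-03 08:01:13,Passed,jdoe@corp.example,00:11:22:33:44:02,SW-FLOOR1,ISE01,EAP-TLS
2020-08-03 08:01:20,Passed,host/PC-SHARED02.corp.example,00:11:22:33:44:03,SW-LAB1,ISE02,EAP-TLS
2020-08-03 08:01:25,Failed,asmith@corp.example,00:11:22:33:44:04,SW-LAB1,ISE02,EAP-TLS
2020-08-03 08:02:01,Passed,host/PC-SHARED03.corp.example,00:11:22:33:44:05,SW-FLOOR2,ISE01,EAP-TLS
2020-08-03 08:02:09,Failed,bwong@corp.example,00:11:22:33:44:06,SW-LAB1,ISE02,EAP-TLS
2020-08-03 08:02:30,Passed,cpark@corp.example,00:11:22:33:44:07,SW-FLOOR2,ISE01,EAP-TLS
"""


def classify(identity: str) -> str:
    """AD machine identities are presented as 'host/<fqdn>'; treat anything
    else as a user identity. (Assumption matching the AD/GPO setup in the
    original post.)"""
    return "machine" if identity.lower().startswith("host/") else "user"


def summarize(csv_text: str):
    """Return (by_nad, results):
    by_nad[nad][server]            -> number of requests that NAD sent to that PSN
    results[(server, kind)][status] -> Passed/Failed counts per PSN and auth type
    """
    by_nad = defaultdict(lambda: defaultdict(int))
    results = defaultdict(lambda: {"Passed": 0, "Failed": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        by_nad[row["Network Device"]][row["Server"]] += 1
        key = (row["Server"], classify(row["Identity"]))
        results[key][row["Status"]] += 1
    return by_nad, results


def nads_using_server(by_nad, server: str) -> list:
    """NADs that sent at least one request to the named PSN (check (a))."""
    return sorted(nad for nad, servers in by_nad.items() if servers.get(server))


def failing_combinations(results) -> list:
    """(server, kind) pairs with failures and no passes at all (check (b)):
    on failover to that PSN, that class of endpoint would not get on."""
    return sorted(key for key, c in results.items()
                  if c["Failed"] and not c["Passed"])


def report(csv_text: str) -> str:
    by_nad, results = summarize(csv_text)
    lines = ["Requests per NAD -> PSN:"]
    for nad in sorted(by_nad):
        dist = ", ".join(f"{srv}={n}" for srv, n in sorted(by_nad[nad].items()))
        lines.append(f"  {nad}: {dist}")
    lines.append("Outcome per PSN and auth type:")
    for (srv, kind), c in sorted(results.items()):
        lines.append(f"  {srv} {kind}: passed={c['Passed']} failed={c['Failed']}")
    for srv, kind in failing_combinations(results):
        lines.append(f"WARNING: {kind} auth never succeeded on {srv}; "
                     f"failover to {srv} would strand {kind} endpoints")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CSV))
```

Run it against a real export by reading the CSV file into `summarize()` instead of `SAMPLE_CSV`. If `nads_using_server(by_nad, "ISE02")` lists a NAD you expected to use ISE01 first, check that NAD's AAA server ordering and, as the second reply notes, whether it failed over earlier and never failed back. If `failing_combinations()` reports user authentications on ISE02, compare the system certificates and certificate authentication profile on both nodes before relying on ISE02 as a failover target.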