Strange events after upgrade of Cisco ISE

donnie
Level 1

Hi all,

My 802.1x environment consists of 2x Cisco ISE (primary and secondary) units with Windows AD.

My AD is configured with a GPO which is applied to my users' machines to dictate how they would authenticate against my Cisco ISE, as shown below.

1) using user certificate for authentication for users who are assigned individual PCs.

PC would be authorized to access the network once user cert authentication/authorization succeeds.

2) using machine certificate for authentication for machines which are shared among multiple users.

PC would be authorized to access the network once machine cert authentication/authorization succeeds.

I have upgraded my Cisco ISE (cluster of 2x nodes) from v2.4 patch 8 to v2.4 patch 12 (25th July) and then to v2.6 patch 6 on 1st August.

With reference to the attached, I noticed the following peculiar log events in Cisco ISE that were not there before I embarked on my upgrade prior to 25th July.

1) My secondary ISE unit ISE02 was never involved in the authentication or authorization as long as my primary unit ISE01 is working. Ever since the upgrade conducted on 25th July, I started to see "dynamic authorization" by my secondary unit ISE02 in my ISE logs even though ISE01 is working as the active unit. Is this behavior normal?

2) The attached logs show "Dynamic authorization" succeeded for machine authentication but not user authentication. Is this a concern?

At this moment my users do not feel any impact (lag or disconnectivity) when they authenticate (be it user or machine cert authentication) to my network through 802.1x against my Cisco ISE. Please advise what I should do with regards to the dynamic authorization which started to appear in my logs ever since upgrading my Cisco ISE. TIA!

Accepted Solution

thomas
Cisco Employee

"Dynamic Authorization" is referring to the RADIUS CoA process.

I did a quick Excel Pivot Table with your CSV and found that all of the failures are happening on ISE02 with your NAD @ 192.168.210.51

                                   Fail   Pass
192.168.164.95                        1     21
  Authentication failed               1      0
    ISE01                             1      0
  Authentication succeeded            0     21
    ISE01                             0     21
192.168.210.51                       70      0
  Dynamic Authorization failed       70      0
    ISE02                            70      0
 

I would suggest verifying your NAD configs match with respect to RADIUS CoA:

aaa server radius dynamic-author
 client {ISE01_IP} server-key {key}
 client {ISE02_IP} server-key {key}

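The pivot above can be reproduced without Excel. The script below is an added example, not code from this thread or from Cisco: it parses an ISE RADIUS live-log CSV export, counts Fail/Pass per NAD, event and node, and then lists which node(s) logged CoA ("Dynamic Authorization") failures for each NAD. The column names (Status, Event, Server, Network Device IP) and the sample rows are assumptions constructed for the demo; adjust them to the headers of your actual export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of an ISE RADIUS live-log CSV export. The header names are
# assumptions, not the real export layout; map them to your own columns.
SAMPLE_CSV = """Status,Event,Server,Network Device IP
Pass,Authentication succeeded,ISE01,192.168.164.95
Pass,Authentication succeeded,ISE01,192.168.164.95
Fail,Authentication failed,ISE01,192.168.164.95
Fail,Dynamic Authorization failed,ISE02,192.168.210.51
Fail,Dynamic Authorization failed,ISE02,192.168.210.51
Fail,Dynamic Authorization failed,ISE02,192.168.210.51
"""


def pivot(csv_text):
    """Count Fail/Pass per (NAD IP, event, ISE node), like the Excel pivot."""
    counts = defaultdict(lambda: {"Fail": 0, "Pass": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = row["Status"]
        if status not in ("Fail", "Pass"):
            continue  # ignore other statuses, e.g. informational rows
        key = (row["Network Device IP"], row["Event"], row["Server"])
        counts[key][status] += 1
    return dict(counts)


def coa_failures_by_nad(counts):
    """For each NAD, the ISE nodes that logged CoA failures and how many.

    A NAD whose CoA fails only when sent from one node is the classic sign of
    a missing or mismatched 'aaa server radius dynamic-author' client entry
    (or shared secret) for that node on the NAD.
    """
    result = defaultdict(dict)
    for (nad, event, server), c in counts.items():
        if event.startswith("Dynamic Authorization") and c["Fail"]:
            result[nad][server] = c["Fail"]
    return dict(result)


def print_pivot(counts):
    print(f"{'NAD':<16} {'Event':<30} {'Node':<6} {'Fail':>5} {'Pass':>5}")
    for (nad, event, server), c in sorted(counts.items()):
        print(f"{nad:<16} {event:<30} {server:<6} {c['Fail']:>5} {c['Pass']:>5}")


if __name__ == "__main__":
    table = pivot(SAMPLE_CSV)
    print_pivot(table)
    for nad, per_node in coa_failures_by_nad(table).items():
        print(f"{nad}: CoA failures by node -> {per_node}")
```

Run it against your real export by replacing SAMPLE_CSV with the file contents; a NAD that appears under only one node in the CoA summary is the one whose dynamic-author configuration to compare first.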

4 Replies

Start by confirming that your NAD devices aren't sending authentication
requests to ISE02. This can be one of the causes. Also, ensure that both
ISE nodes have the same system certificates.

If user authentication is failing on ISE02 this will be a problem in case
of a failover (or ISE01 is down) because users won't be able to connect.

***** please remember to rate useful posts.

Marvin Rhoads
Hall of Fame

In an ISE deployment all nodes with the PSN role are active and able to handle authentications. That's independent of which node is in the primary or secondary PAN or MnT role.

Some NADs (e.g. ASAs) will fall back to using the second configured aaa server (= ISE PSN) when they see a failure of the first one, and will not fail back unless you manually change it (or they see a subsequent failure of the second node).

 

Hi Marvin,

 

With reference to my attached logs, there were no failures of any kind for my primary node. But "dynamic authorization failed" is still seen on my secondary node, which is puzzling.
