cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2131
Views
5
Helpful
4
Replies

Strange events after upgrade of Cisco ISE

donnie
Level 1
Level 1

Hi all,

 

My 802.1x environment consist of 2x Cisco ISE (primary and secondary) units with windows AD. 

 

My AD is configured with GPO which is applied to my users machine to dictate how they would authenticate against my cisco ISE as shown below.

1) using user certificate for authentication for users who are assigned individual PCs.

PC would be authorized to access the network once user cert authentication/authorization succeeds.

 

2) using machine certificate for authentication for machines which are shared among multiple users.

PC would be authorized to access the network once machine cert authentication/authorization succeeds.

 

I have upgraded my cisco ISE (cluster of 2x nodes) from v2.4 patch 8 to v2.4 patch 12 (25th july) and then to v2.6 patch 6 on 1st August.

 

With reference to attached i notice the following peculiar log events in cisco ise that was not there before i embark on my upgrade prior to 25th July.

 

1) My secondary ISE unit ISE02 was never involved in the authentication or authorization as long as my primary unit ISE01 is working.  Ever since the upgrade conducted on 25th July, I started to see "dynamic authorization" by my secondary unit ISE02 in my ISE logs even though ISE01 is working as the active unit. Is this behavior normal?

 

2) The attached logs shows "Dynamic authorization" succeeded for machine authentication but not user authentication. Is this a concern?

 

At this moment my users do not feel any impact (lag or disconnectivity) when they authenticate (be it user or machine cert authentication) to my network through 802.1x against my cisco ISE. Please advise what i should do with regards to the dynamic authorization which starts to appear in my logs ever since upgrading my cisco ISE. TIA!

1 Accepted Solution

Accepted Solutions

thomas
Cisco Employee
Cisco Employee

"Dynamic Authorization" is referring to the RADIUS CoA process.

I did a quick Excel Pivot Table with your CSV and found that all of the failures are happening on ISE02 with your NAD @ 192.168.210.51

 

Fail

Pass

192.168.164.95

1

21

  Authentication failed

1

0

    ISE01

1

0

  Authentication succeeded

0

21

    ISE01

0

21

192.168.210.51

70

0

  Dynamic Authorization failed

70

0

    ISE02

70

0

 

I would suggest verifying your NAD configs match with respect to RADIUS CoA:

aaa server radius dynamic-author
 client {ISE01_IP} server-key {key} 
client {ISE02_IP} server-key {key

 

View solution in original post

4 Replies 4

Start by confirming that your NAD devices aren't sending authentication
requests to ISE02. This can be one of the causes. Also, ensure that both
ISE nodes are having the same system certificates.

If user authentication is failing on ISE02 this will be a problem in case
of the failover (or ISE01 is down) cause users won't be able to connect.

***** please remember to rate useful posts.

Marvin Rhoads
Hall of Fame
Hall of Fame

In an ISE deployment all nodes with the PSN role are active and able to handle authentications. That's independent of which node is in the primary or secondary PAN or MnT role.

Some NADs (e.g. ASAs) will fall back to using the second configured aaa server (= ISE PSN) when it sees a failure of the first one and not fail back unless you manually change it (or it sees a subsequent failure of the second node).

 

Hi Marvin,

 

With reference to my attached logs, there were no failure of any kind for my primary node. But "dynamic authorization failed" is still seen on my secondary node which is puzzling. 

thomas
Cisco Employee
Cisco Employee

"Dynamic Authorization" is referring to the RADIUS CoA process.

I did a quick Excel Pivot Table with your CSV and found that all of the failures are happening on ISE02 with your NAD @ 192.168.210.51

 

Fail

Pass

192.168.164.95

1

21

  Authentication failed

1

0

    ISE01

1

0

  Authentication succeeded

0

21

    ISE01

0

21

192.168.210.51

70

0

  Dynamic Authorization failed

70

0

    ISE02

70

0

 

I would suggest verifying your NAD configs match with respect to RADIUS CoA:

aaa server radius dynamic-author
 client {ISE01_IP} server-key {key} 
client {ISE02_IP} server-key {key

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: