Sync Issue between ISE and AD when AD User Change Password

sreng
Level 1

Hi Team,

I would like to seek some help on an issue: when AD users change their password, ISE does not get synced and therefore users are not able to log in to Windows.

Some users are able to log in to Windows, but after a while an AD credential input pops up from AnyConnect (this is also an issue where users report it as a phishing attempt); they put in the credential, and it still does not work.

My workarounds on this issue so far have been:
- CoA: Reauth (does not work)

- Manually delete the endpoint profile from the Context Visibility page (works)

The connection between AD and ISE is working normally.
I am stuck on how to solve this issue permanently without having to apply the workaround every time users change their passwords.

I would really appreciate it if anyone can give some insight or face similar issues.

Thanks and Best Regards,
Sreng

4 Replies

@sreng how are the users changing their passwords? Ctrl-Alt-Del on their computer?

Are you using PEAP/MSCHAPv2?

Is the computer domain joined and the 802.1x authentication credentials passed through?

Hi @Rob Ingram , 

Thanks for your response.

  • Yes, users mostly change it via Ctrl-Alt-Del
  • Users in my environment are authenticated in 2 steps:
    • 1. Machine certificate
    • 2. MSCHAPv2
  • Computers are domain-joined.
  • 802.1X credentials fall into 2 scenarios:
    • They pass through, but the AD input pops up after a while (users try to input the credential but fail)
    • They do not pass through Windows logon, and after multiple attempts the account is locked.

On the ISE dashboard, everything actually looks fine.

@sreng if you are using Machine Certificate and MSCHAPv2, are you using AnyConnect NAM or TEAP for EAP Chaining?

Perhaps the supplicant could be misconfigured?

Hi Sreng,

In addition to the questions from Rob, I suggest checking your AD deployment. ISE will not sync passwords from AD. Every time users authenticate, ISE will send a fresh authentication request to AD. If the user password isn't updated in AD (i.e. ISE sending the new password for authentication but AD NTDS.dat still having the old password), authentication will fail.

Also, when the users change their password, they have to log off and log in on the machine to update the password hash stored in LSASS. This is how Windows works, with or without ISE. Are they doing this? If not, it's not expected for the new password to work successfully until they do.

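The reply above points at the AD side: ISE does not cache passwords, so if the domain controller ISE queries has not yet received the new password, or if a stale credential is being retried against it, the MSCHAPv2 authentication fails and bad-password counters climb until lockout. The following PowerShell script is an added diagnostic, not code from the thread or from Cisco, that a practitioner can run to check exactly that: it queries every domain controller directly for one user's PasswordLastSet, per-DC BadPwdCount, LastBadPasswordAttempt and lockout state. It assumes the RSAT ActiveDirectory module is installed and that the running account can read user attributes on each DC; the user name and the helper name `Get-PasswordReplicationState` are placeholders chosen for this example.

```powershell
# Added example (not from the original thread): compare one AD user's password
# replication and bad-password state across every domain controller.
# Assumes RSAT ActiveDirectory module; $SamAccountName is a placeholder.
Import-Module ActiveDirectory

function Get-PasswordReplicationState {
    param(
        [Parameter(Mandatory = $true)]
        [string]$SamAccountName
    )

    # PasswordLastSet (pwdLastSet) replicates between DCs.
    # badPwdCount and LastBadPasswordAttempt are NOT replicated, so each DC
    # must be asked directly to see which one is absorbing the stale-credential
    # attempts described in the question (and therefore where lockouts land).
    $dcs = Get-ADDomainController -Filter *

    foreach ($dc in $dcs) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                 -Properties PasswordLastSet, badPwdCount, LastBadPasswordAttempt, LockedOut
            [pscustomobject]@{
                DC                     = $dc.HostName
                PasswordLastSet        = $u.PasswordLastSet
                BadPwdCount            = $u.badPwdCount
                LastBadPasswordAttempt = $u.LastBadPasswordAttempt
                LockedOut              = $u.LockedOut
                Error                  = $null
            }
        } catch {
            # A DC that cannot be reached is itself a finding: ISE may be bound to it.
            [pscustomobject]@{
                DC                     = $dc.HostName
                PasswordLastSet        = $null
                BadPwdCount            = $null
                LastBadPasswordAttempt = $null
                LockedOut              = $null
                Error                  = $_.Exception.Message
            }
        }
    }
}

# Usage: replace 'jdoe' with the account that fails after a password change.
$state = Get-PasswordReplicationState -SamAccountName 'jdoe'
$state | Sort-Object DC | Format-Table -AutoSize

# If PasswordLastSet differs between DCs, replication has not converged and a
# DC may still hold the old password, which is the failure mode the reply
# above describes (fresh ISE auth request against an out-of-date DC).
$distinct = $state | Where-Object { $_.PasswordLastSet } |
            Select-Object -ExpandProperty PasswordLastSet -Unique
if ($distinct.Count -gt 1) {
    Write-Warning "PasswordLastSet differs across DCs: replication has not converged."
}

# A DC with a climbing BadPwdCount after the change identifies where the stale
# credential (cached on the client, or in a supplicant profile) is being replayed.
$state | Where-Object { $_.BadPwdCount -gt 0 } |
    ForEach-Object { Write-Warning ("{0}: {1} bad attempts, last at {2}" -f $_.DC, $_.BadPwdCount, $_.LastBadPasswordAttempt) }
```

Run it once immediately after the user changes the password and again a few minutes later. Converging PasswordLastSet values with a BadPwdCount that keeps rising on one DC point to a client still presenting the old credential (the log-off/log-on step in the reply above), whereas a persistent PasswordLastSet mismatch or an unreachable DC points to the AD deployment itself.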