User's Wireless Session Failed - Appears to be ISE Issue - 24458 Not all Active Directory attributes...

Therwick1 · ‎07-24-2020

On July 21, a user on an apple device lost connectivity in the middle of an important Zoom meeting. I know wireless is never perfect, but it looks like we may have an ISE authentication issue here, and if so, I'd like to fix it. Unfortunately I can only view today's authentication attempt on the ISE server. It appears he was able to auth today, but I'm still seeing this error - 24458 Not all Active Directory attributes are retrieved successfully - UMHS-Level-2.

Here is my log from today --

11001Received RADIUS Access-Request
11017RADIUS created a new session
15049Evaluating Policy Group
15008Evaluating Service Selection Policy
15048Queried PIP - DEVICE.Location
15048Queried PIP - Radius.Called-Station-ID
15048Queried PIP - DEVICE.Device Type
11507Extracted EAP-Response/Identity
12500Prepared EAP-Request proposing EAP-TLS with challenge
11006Returned RADIUS Access-Challenge
11001Received RADIUS Access-Request
11018RADIUS is re-using an existing session
12502Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
12800Extracted first TLS record; TLS handshake started
12805Extracted TLS ClientHello message
12806Prepared TLS ServerHello message
12807Prepared TLS Certificate message
12808Prepared TLS ServerKeyExchange message
12809Prepared TLS CertificateRequest message
12505Prepared EAP-Request with another EAP-TLS challenge
11006Returned RADIUS Access-Challenge
11001Received RADIUS Access-Request
11018RADIUS is re-using an existing session
12504Extracted EAP-Response containing EAP-TLS challenge-response
12505Prepared EAP-Request with another EAP-TLS challenge
11006Returned RADIUS Access-Challenge
11001Received RADIUS Access-Request
11018RADIUS is re-using an existing session
12504Extracted EAP-Response containing EAP-TLS challenge-response
12505Prepared EAP-Request with another EAP-TLS challenge
11006Returned RADIUS Access-Challenge
11001Received RADIUS Access-Request
11018RADIUS is re-using an existing session
12504Extracted EAP-Response containing EAP-TLS challenge-response
12505Prepared EAP-Request with another EAP-TLS challenge
11006Returned RADIUS Access-Challenge
11001Received RADIUS Access-Request
11018RADIUS is re-using an existing session
12504Extracted EAP-Response containing EAP-TLS challenge-response
12505Prepared EAP-Request with another EAP-TLS challenge
11006Returned RADIUS Access-Challenge
11001Received RADIUS Access-Request
11018RADIUS is re-using an existing session
12504Extracted EAP-Response containing EAP-TLS challenge-response
12505Prepared EAP-Request with another EAP-TLS challenge
11006Returned RADIUS Access-Challenge
11001Received RADIUS Access-Request
11018RADIUS is re-using an existing session
12504Extracted EAP-Response containing EAP-TLS challenge-response
12505Prepared EAP-Request with another EAP-TLS challenge
11006Returned RADIUS Access-Challenge
11001Received RADIUS Access-Request
11018RADIUS is re-using an existing session
12504Extracted EAP-Response containing EAP-TLS challenge-response
12505Prepared EAP-Request with another EAP-TLS challenge
11006Returned RADIUS Access-Challenge
11001Received RADIUS Access-Request
11018RADIUS is re-using an existing session
12504Extracted EAP-Response containing EAP-TLS challenge-response
12505Prepared EAP-Request with another EAP-TLS challenge
11006Returned RADIUS Access-Challenge
11001Received RADIUS Access-Request
11018RADIUS is re-using an existing session
12504Extracted EAP-Response containing EAP-TLS challenge-response
12571ISE will continue to CRL verification if it is configured for specific CA - certificate for Users
12571ISE will continue to CRL verification if it is configured for specific CA - certificate for UMHS-CA
12811Extracted TLS Certificate message containing client certificate
12812Extracted TLS ClientKeyExchange message
12813Extracted TLS CertificateVerify message
12804Extracted TLS Finished message
12801Prepared TLS ChangeCipherSpec message
12802Prepared TLS Finished message
12816TLS handshake succeeded
12509EAP-TLS full handshake finished successfully
12505Prepared EAP-Request with another EAP-TLS challenge
11006Returned RADIUS Access-Challenge
11001Received RADIUS Access-Request
11018RADIUS is re-using an existing session
12504Extracted EAP-Response containing EAP-TLS challenge-response
61025Open secure connection with TLS peer
15041Evaluating Identity Policy
15048Queried PIP - CERTIFICATE.Subject - Common Name
15048Queried PIP - CERTIFICATE.Issuer - Common Name
15048Queried PIP - CERTIFICATE.Subject Alternative Name
22072Selected identity source sequence - Wireless_1x_ID_Source_Sequence
22071Identity name is taken from AD account Implicit UPN
15013Selected Identity Source - UMHS-Level-2
24432Looking up user in Active Directory - UMHS-Level-2
24325Resolving identity - CN=smerage,CN=Users,DC=umhs,DC=med,DC=umich,DC=edu, smerage, Users, smerage@med.umich.edu, smerage@med.umich.edu, Managed-BYOD-OSX
24313Search for matching accounts at join point - umhs.med.umich.edu
24359Incoming identity was not rewritten - CN=smerage,CN=Users,DC=umhs,DC=med,DC=umich,DC=edu
24359Incoming identity was not rewritten - smerage
24359Incoming identity was not rewritten - Users
24359Incoming identity was not rewritten - smerage@med.umich.edu (2 times)
24359Incoming identity was not rewritten - Managed-BYOD-OSX
24319Single matching account found in forest - umhs.med.umich.edu
24367Skipping unusable domain - ronet.med.umich.edu,Domain trust is one-way
24323Identity resolution detected single matching account
24700Identity resolution by certificate succeeded - UMHS-Level-2
22037Authentication Passed
12506EAP-TLS authentication succeeded
24715ISE has not confirmed locally previous successful machine authentication for user in Active Directory
15036Evaluating Authorization Policy
15048Queried PIP - Network Access.UserName
15048Queried PIP - InternalUser.Name
24432Looking up user in Active Directory - UMHS-Level-2
24355LDAP fetch succeeded - umhs.med.umich.edu
24416User's Groups retrieval from Active Directory succeeded - UMHS-Level-2
24355LDAP fetch succeeded - umhs.med.umich.edu
24458Not all Active Directory attributes are retrieved successfully - UMHS-Level-2
24100Some of the expected attributes are not found on the subject record. The default values, if configured, will be used for these attributes - UMHS-Level-2
15048Queried PIP - UMHS-Level-2.distinguishedName
15048Queried PIP - InternalUser.Name (7 times)
15048Queried PIP - MDM.DeviceRegisterStatus
15048Queried PIP - InternalUser.Name (2 times)
15048Queried PIP - CERTIFICATE.Subject Alternative Name - DNS
15016Selected Authorization Profile - PermitAccess
22081Max sessions policy passed
22080New accounting session created in Session cache
11503Prepared EAP-Success
24432Looking up user in Active Directory - UMHS-Level-2
24355LDAP fetch succeeded - umhs.med.umich.edu
24416User's Groups retrieval from Active Directory succeeded - UMHS-Level-2
24355LDAP fetch succeeded - umhs.med.umich.edu
24458Not all Active Directory attributes are retrieved successfully - UMHS-Level-2
24100Some of the expected attributes are not found on the subject record. The default values, if configured, will be used for these attributes - UMHS-Level-2
11002Returned RADIUS Access-Accept

Any insights would be appreciated.

Thank You,

Tom

User's Wireless Session Failed - Appears to be ISE Issue - 24458 Not all Active Directory attributes are retrieved successfully - UMHS-Level-2