Starting today I was getting intermittent authentication failures in ISE. It would say that the user was not found in the selected identity store. The account is there though. At one point I ran an authentication test from the external identity source menu and I got a failure and then the next time a pass. I have no idea why this is happening. I just updated to ISE 1.2 the other day. I'm also seeing what looks like a high level of latency on both of my PSNs. Is this normal? Any ideas?
I would suggest you check the network connectivity between devices. Also check that AD is properly connected to ISE and that groups are listed in ISE.
I have experienced this same issue very recently. At the time, the AD server to which I was authenticating was being overrun with multicast flows due to a configuration error caused when another engineer was troubleshooting multicast.
Moral of the story: don't just look at ISE as the possible culprit, check out the AD server as well to ensure that it has both the appropriate resources and isn't being adversely affected by another network-related issue.
Interesting. I have one location that is not having this problem at all. The other is having it somewhat frequently. The PSNs for each location are tied to the local AD servers. I have not had this until we started getting 300-380 PCs connecting. We are a school so we are slowly getting started. It's real random. One user will work then another time they won't. Happens with admin and user. I have noticed that with this new version of ISE it is complaining that it is getting accounting updates from the NAS too often, but I have not looked into this because I just installed 1.2 about 3-4 days ago and haven't had time to look into it.
When you say multicast to your AD... how did you check that? We do use multicast.
I was thinking of trying this, but have not. My thought was that it was connected, and most of the time performing authentications.
Check your latency values with the ISE bandwidth and latency calculator.
• Minimum bandwidth between MnT and PSN: 1 Mbps
• Minimum bandwidth between MnT and Admin: 256 Kbps
• Minimum bandwidth between Admin and PSN: 256 Kbps
test aaa group radius
Check for these to help narrow the focus of the potential problem with RADIUS:
• Connect NAD IP address
• Connect Policy Service ISE node IP address
• Correct server key
• Recognized username or password
• Connectivity between the NAD and Policy Service ISE node
Please check whether the subject is present in any one of the chosen identity stores. Note that some identity stores may have been skipped if they do not support the current authentication protocol.
Make sure the authentication policy points to correct identity store. For authentication in a Microsoft Windows network with multiple domains, make sure that the supplicant is appending the domain suffix (For users: email@example.com, for machines: winxp.example.com).
I've also just had where one of multiple AD servers was not working and required a reboot.