
ISE 1.2 patch 6 - All Authentications begin failing after about 20 minutes

Stephen McBride
Level 1

Hi all,

Another strange one I am throwing out to the forum. Basically I have a 5-node deployment (1 x Primary Admin, 1 x Primary Monitoring, 1 x Secondary Admin/Monitoring and 2 x Policy Nodes). The primary authentication method is EAP-TLS or PEAP for wireless only. The deployment in question has been in pilot for about 3 weeks with no issues whatsoever.

As of this morning we rolled into production and all seemed well - about 100 users successfully authed against PSN1 (PSN2 is configured in the WLC as a secondary RADIUS). About 30 minutes after the production rollout authentications began failing for the exact same reason (see attached RADIUS log). I checked all of the certificates as recommended in the log but this was a matter of course in that everything is as it should be.

My next step was to essentially stop PSN1 (application stop ise) to see if the issue was a problem on the second PSN. All authentications were now succeeding via PSN2. I left it this way for 30 minutes with no drama. I started PSN1 again and authentications began to work... 20 minutes later the issue was back. I replicated this issue again to be sure.

At this point I decided to deregister PSN1 and application reset the node before rejoining with the ISE deployment. Authentications worked well until about 30 minutes later when the issue reappeared. At this point I reloaded all nodes in the ISE deployment to see if this made a difference but the issue still remained.

Currently I have PSN1 shut down and all is functioning well - anyone have any ideas?

1 Reply

Stephen McBride
Level 1

I got this fixed via TAC. Basically the following is the bug, but it is worth noting that this deployment was a fresh build of 1.2.

https://tools.cisco.com/bugsearch/bug/CSCuj17272/?reffering_site=dumpcr

Symptom:
all auth fails when using the existing identity source sequences after upgrade from 1.1.3 to 1.2.

Conditions:
upgrade from 1.1.3 to 1.2 build 899 breaks all auth using identity sequences.

 

Basically the fix was to recreate my ID sequences and reapply to the authentication policy. This fixed the issue on the policy node in question.
