Cisco Identity Services Engine (ISE)

Rickey369
Level 1

Hi All,

 

After deploying ISE, I'm encountering a problem with a few desktop users: the authentication is very slow (1-3 hours) when they connect the LAN cable to their desktop.

Is this a problem with ISE? How can I troubleshoot this? Sometimes I need to restart the desktop continuously to get authenticated to the LAN network (i.e., to get the proper domain network; I usually get "network 3" or "network 1" instead of getting abc.com <-- just an example).

This problem is only with a few desktop users. Most of the desktops work fine.

Is this a problem with the domain controller?

Or a dot1x authentication issue (but ISE shows authentication success)?

 

 

Please Help!!

16 Replies

pieterh
VIP

"network 3" or "network 1" instead of getting abc.com

I guess you are not deploying all workstations using central deployment (images/domain policies)

-> you need to manually configure on those clients that "network 3" and "network 1" (IP subnets) are also used for known corporate networks and that this is not a public or home network.

Or you have not added them to Active Directory Sites and Services.

Hi Pieterh,

The users are added in AD. The problem is with slow authentication. That is, the user sometimes gets Network 3 or Network 2 instead of getting abc.com, and it takes a long time to get abc.com, or I need to restart the device several times to get abc.com.

Hi Leo,

I use 1.2.1.198

Hi Leo,

I use 1.2.1.198 with 8 patches.


@Rickey369 wrote:
I use 1.2.1.198 with 8 patches.

Whoa. That is old & buggy. Y'sure you don't want to upgrade to something more recent?

Yes Leo. :( But is the issue that I'm facing right now because of this old version of ISE, or is it something else?
Will this issue be resolved if I update the version? If yes, what is the best version that I can update to?

All I can say is ISE didn't mature until 2.1 and we didn't deploy ISE until 2.0.

However, I've never seen or heard of anyone taking an hour to login.  

Oh I see. Thanks Leo. I will try updating ISE.

But again, this issue is with a few users only. Other users have no problem getting abc.com. Anyway, I will try updating ISE.

Hi Leo.

It does not take time to log in at all. There is no issue with login. The problem is that it takes time to get the abc.com domain; instead I get Network 3 or Network 2, and I need to wait a long time or restart the system many times to get abc.com.

The authentication for the users getting Network 3 or Network 2 is showing success in ISE.

Also, this issue is not with all the users. Only a few users; I can say 5 users out of 100 have this issue.

You may need to check DNS, verify your end devices get the correct suffix when an IP address is assigned from the DHCP server. If you have a firewall that does AD/LDAP authentication for internet services, also verify that this is successful once connected to the network.

 

Upgrading from 1.2 to 2.x is a major update; you might rather consider starting up new ISE node(s) and migrating your current nodes over to the new ones to mitigate any risk. The most stable release out at the moment is 2.2.

1) This problem is only with few desktop users

That is, the user sometimes gets Network 3 or Network 2 instead of getting abc.com, and it takes a long time to get abc.com, or I need to restart the device several times to get abc.com.

-> can you drill this down to specific brand/model/hw-version/OS of the workstation?

I suggest checking the network drivers + configuration on the clients

dot1x should be the first method used when connecting to the network

 

2) You've given little information about your network and ISE setup.

Do you use a guest or quarantine VLAN before assigning the corporate VLAN after authorization?

 

3) It looks to me like these clients do not receive an IP address from the DHCP server,

but reuse an address previously assigned on another network while the lease time is still valid.

-> Start from the bottom!

- When displaying "network3", does this client have a correct IP address?

- Is this acquired from the correct DHCP server?

- Is the other DHCP information correct?
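
An added example, not part of any reply in this thread: a PowerShell snapshot to run on an affected Windows 10 client while it still shows "Network 3", collecting the IP address, DHCP server, lease and DNS suffix details that the replies above ask about. `abc.com` is the thread's placeholder domain name and must be replaced with the real one.

```powershell
# Added example: run on an affected client while the wrong network name is shown.
# $ExpectedDomain is a placeholder (the thread's example name), not a real value.
$ExpectedDomain = 'abc.com'

foreach ($p in Get-NetConnectionProfile) {
    $idx  = $p.InterfaceIndex
    $dns  = Get-DnsClient -InterfaceIndex $idx
    $dhcp = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "InterfaceIndex=$idx"
    $srv  = Get-DnsClientServerAddress -InterfaceIndex $idx -AddressFamily IPv4

    [pscustomobject]@{
        Interface     = $p.InterfaceAlias
        ProfileName   = $p.Name                 # "Network 3" vs. the domain name
        Category      = $p.NetworkCategory      # Public / Private / DomainAuthenticated
        IPv4          = ($dhcp.IPAddress | Where-Object { $_ -match '^\d+\.' }) -join ','
        DhcpEnabled   = $dhcp.DHCPEnabled
        DhcpServer    = $dhcp.DHCPServer        # is this the correct DHCP server?
        LeaseObtained = $dhcp.DHCPLeaseObtained # an old timestamp suggests a reused lease
        LeaseExpires  = $dhcp.DHCPLeaseExpires
        DnsSuffix     = $dns.ConnectionSpecificSuffix
        SuffixMatches = ($dns.ConnectionSpecificSuffix -eq $ExpectedDomain)
        DnsServers    = $srv.ServerAddresses -join ','
    } | Format-List
}

# Windows marks a connection DomainAuthenticated only after it reaches a domain
# controller, so check that the client can locate one through DNS right now.
try {
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ExpectedDomain" -Type SRV -ErrorAction Stop |
        Where-Object Type -eq 'SRV' |
        Select-Object NameTarget, Port
} catch {
    Write-Warning "SRV lookup for $ExpectedDomain failed: $($_.Exception.Message)"
}

# Domain controller discovery as the client itself performs it.
nltest "/dsgetdc:$ExpectedDomain"
```

Comparing the output from one of the affected desktops with the output from a working one on the same switch shows whether the difference is in the DHCP lease, the DNS suffix, or domain controller discovery.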

 

Hi pieter,

I use Cisco ISE 1.2.1.198 with 8 patches. I also use dot1x auth. We use Windows 10 OS. We have a guest VLAN (the problem is only when the user connects with a wired connection) and a quarantine VLAN (the user is in the proper VLAN when the issue is encountered).

1. Is this really an issue because of ISE? Because most of the users don't have this issue. As I said earlier, only 5 out of 100 users have this issue.

2. Does this have anything to do with the domain controller? If yes, how can I confirm and troubleshoot this?