ISE-switchport session remain authenticated

Similar Messages

• Switchport session remain authenticated

  I am facing a problem during deployment. Customer is using Avaya IP phone. If an autheticated workstation/laptop shift from one phone to another, the old switchport session remain there. The laptop acquire IP from new phone but even fail to ping gateway. If I do old phone reset or do 'clear authen sess interface', then laptop ping gateway. 'Clear arp' or 'clear mac-add table dynam' doesnt solve the issue. How can the ISE detect removal of a workstation to clear the authentication.

  two ways:
  CDP enhancement for second port disconnect (Cisco phones) 
  Proxy EAPoL-Logoff + inactivity timer (non-Cisco phones)
  http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/Dot1X_Deployment/Dot1x_Dep_Guide.html

• ISE 1.2 web authentication problem with wired clients

  Hello,
  i am having problems with centralized web authentication using a Catalyst 3650X with IOS 15.0.2 SE01 and ISE 1.2.
  Redirecting the client works fine, but as soon the client opens a web browser and ISE websites open to authenticate the client, the switch port resets, the authentication process restarts and the session ID changes. After the client enters the credentials a session expired messages appears on the client and i get an 86017 Session Missing message in ISE.
  here the output form the debug aaa coa log.
  Any ideas
  thanks in advanced
  Alex
  ! CLIENT CONNECT TO SWITCHPORT
  ISE-TEST-SWITCH#show authentication sessions interface gi0/3
              Interface:  GigabitEthernet0/3
            MAC Address:  001f.297b.bd82
             IP Address:  10.2.12.45
              User-Name:  00-1F-29-7B-BD-82
                 Status:  Authz Success
                 Domain:  DATA
        Security Policy:  Should Secure
        Security Status:  Unsecure
         Oper host mode:  multi-auth
       Oper control dir:  both
          Authorized By:  Authentication Server
            Vlan Policy:  N/A
                ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6
       URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
           URL Redirect:  https://nos-ch-wbn-ise1.nosergroup.lan:8443/guestportal/gateway?sessionId=AC1484640000026B28C02CDC&action=cwa
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  AC1484640000026B28C02CDC
        Acct Session ID:  0x0000029C
                 Handle:  0x8C00026C
  Runnable methods list:
         Method   State
         dot1x    Failed over
         mab      Authc Success
  ! CLIENT OPENS INTERNETEXPLORER -> REDIRECTS TO ISE 
  ! SWITCHPORT GOES IN ADMINISTRATIVE DOWN STARTS AUTHENTICATION AGAIN
  ISE-TEST-SWITCH#
  191526: .Jun 24 10:42:24.340 UTC: COA: 10.0.128.38 request queued
  191527: .Jun 24 10:42:24.340 UTC: RADIUS:  authenticator 7F A9 85 AB F6 4A D0 F3 - B4 E6 F2 56 74 C6 2D 33
  191528: .Jun 24 10:42:24.340 UTC: RADIUS:  NAS-IP-Address      [4]   6   172.20.132.100
  191529: .Jun 24 10:42:24.340 UTC: RADIUS:  Calling-Station-Id  [31]  19  "00:1F:29:7B:BD:82"
  191530: .Jun 24 10:42:24.340 UTC: RADIUS:  Acct-Terminate-Cause[49]  6   admin-reset               [6]
  191531: .Jun 24 10:42:24.340 UTC: RADIUS:  Event-Timestamp     [55]  6   1403606529
  191532: .Jun 24 10:42:24.340 UTC: RADIUS:  Message-Authenticato[80]  18
  191533: .Jun 24 10:42:24.340 UTC: RADIUS:   E0 3C B2 8C 89 47 67 A8 69 F5 3D 08 61 FF 53 6E          [ <Ggi=aSn]
  191534: .Jun 24 10:42:24.340 UTC: RADIUS:  Vendor, Cisco       [26]  43
  191535: .Jun 24 10:42:24.340 UTC: RADIUS:   Cisco AVpair       [1]   37  "subscriber:command=bounce-host-port"
  191536: .Jun 24 10:42:24.340 UTC: COA: Message Authenticator decode passed
  191537: .Jun 24 10:42:24.340 UTC:  ++++++ CoA Attribute List ++++++
  191538: .Jun 24 10:42:24.340 UTC: 06D96C58 0 00000001 nas-ip-address(600) 4 172.20.132.100
  191539: .Jun 24 10:42:24.349 UTC: 06D9AC18 0 00000081 formatted-clid(37) 17 00:1F:29:7B:BD:82
  191540: .Jun 24 10:42:24.349 UTC: 06D9AC4C 0 00000001 disc-cause(434) 4 admin-reset
  191541: .Jun 24 10:42:24.349 UTC: 06D9AC80 0 00000001 Event-Timestamp(445) 4 1403606529(53A95601)
  191542: .Jun 24 10:42:24.349 UTC: 06D9ACB4 0 00000081 ssg-command-code(490) 1 33
  191543: .Jun 24 10:42:24.349 UTC:
  191544: .Jun 24 2014 10:42:24.365 UTC: %EPM-6-IPEVENT: IP 10.2.12.45| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT IP-RELEASE
  191545: .Jun 24 2014 10:42:24.382 UTC: %EPM-6-IPEVENT: IP 10.2.12.45| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT IP-WAIT
  191546: .Jun 24 2014 10:42:24.382 UTC: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT REMOVE
  191547: .Jun 24 2014 10:42:24.390 UTC: %EPM-6-AUTH_ACL: POLICY Auth-Default-ACL-OPEN| EVENT DETACH-SUCCESS
  191548: .Jun 24 2014 10:42:26.353 UTC: %LINK-5-CHANGED: Interface GigabitEthernet0/3, changed state to administratively down
  191549: .Jun 24 2014 10:42:27.359 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to down
  ISE-TEST-SWITCH#
  191550: .Jun 24 2014 10:42:36.366 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down
  191551: .Jun 24 10:42:40.592 UTC: AAA/BIND(000002A7): Bind i/f
  191552: .Jun 24 2014 10:42:41.129 UTC: %AUTHMGR-5-START: Starting 'dot1x' for client (001f.297b.bd82) on Interface Gi0/3 AuditSessionID AC1484640000026C28C2FA05
  191553: .Jun 24 2014 10:42:42.580 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to up
  191554: .Jun 24 2014 10:42:43.586 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to up
  ! SESSION ID CHANGES, USER ENTERS CREDENTIALS 
  ! ERROR MESSAGE AT CLIENT "YOUR SESSION HAS EXPIRED"
  ! ERROR MESSAGE IN ISE "86017 SESSION MISSING"
  ISE-TEST-SWITCH#show authentication sessions interface gi0/3
              Interface:  GigabitEthernet0/3
            MAC Address:  001f.297b.bd82
             IP Address:  10.2.12.45
                 Status:  Running
                 Domain:  UNKNOWN
        Security Policy:  Should Secure
        Security Status:  Unsecure
         Oper host mode:  multi-auth
       Oper control dir:  both
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  AC1484640000026C28C2FA05
        Acct Session ID:  0x0000029D
                 Handle:  0x2C00026D
  Runnable methods list:
         Method   State
         dot1x    Running
         mab      Not run

  Guest authentication failed: 86017: Session cache entry missing
  try adjusting the UTC timezone during the guest creation in the sponsor portal.
  86017
  Guest
  Session Missing
  Session ID missing. Please contact your System Administrator.
  Info

• How to know if user (session) is authenticated in other application (SSO)

  Hi folks!
  We've deployed various J2EE applications in some OC4J instances. So far the applications used SSO Authentication against OiD (LDAP), but we need a public access application.
  The problem is the following: we need a different behaviour in this last application (without authentication characteristics) depending on one user is authenticated within other application that required SSO login.
  How could check if current user (session) si authenticated against SSO, for example, in ADF-STRUTS DataAction class?
  We tested the gerRemoteUser() method but is only works within the applications requering login.
  Please, anyone could guide me?
  Mike
  Thanks!

  Hi,
  Oracle AS Single Sign ON stores some of the attributes of an authenticated user in a browser cookie - the name of the Cookie is SSO_ID.
  You cannot get any information from this Cookie. The Cookie is avaliable only to the Oracle AS Single Sign ON and is meant to be used only by it. You cannot read any useful information from the Cookie as it is higly encrypted.
  If you need to know the name of the currently logged in user, your application should be a Partner Application or an External Applciation to Oracle AS Single Sign On.
  The reason is simple - you can use your browser to connect to many Websites protected by Oracle AS Single Sign ON. Thus, if your application isn't a Partner or an External Application registered with SSO, your application can't establish a context.
  Hence, your application needs to be registered as a Partner Application or an External Application with SSO.
  An application which is nto registered with SSO cannot get the User information from SSO. The getRemoteUser() method would always return a null in such cases.
  Regards,
  Sandeep

• ABAP WebDynpro - Session remains open....

  Hi Experts,
  We have configured ABAP Webdynpro (SD Order Creation) iView in SAP Portal. When we test it from intranet, everything works fine and session in backend gets terminated when we leave that page on portal. But when we test it from internet, session remains open and not getting closed. How to terminate these onen sessions??
  SAP Portal and backend SAP ECC are on same domain....
  Helpful answer will be respected.....
  Thanks
  PRAMOD

  Hi Parmod,
  are you accessing the application in exactly the same way in the two cases?
  logging into portal from internet?
  One thing that you might need to be wary of is a lack of pop-ups. The portal uses a pop-up window when a user closes the browser to terminate the session.
  I've had plenty of problems with pop-up blockers that have prevented this pop-up from terminating the portal sessions. Sometime these pop-up blockers are configured to operate only on internet sites and not on internal intranet sites. That might be a possible cause.
  Cheers,
  Chris

• ABAP WebDynPro iView: Session remains open in backend.....

  Hi Experts,
  We have configured ABAP Webdynpro (SD Order Creation) iView in SAP Portal. When we test it from intranet, everything works fine and session in backend gets terminated when we leave that page on portal. But when we test it from internet, session remains open and not getting closed. How to terminate these onen sessions??
  SAP Portal and backend SAP ECC are on same domain....
  Helpful answer will be respected.....
  Thanks
  PRAMOD

  Hi Arun,
  Thanks for the comment.
  Let me try this and will get back with result.
  Regards,
  PRAMOD

• ISE and central web authentication

  Hello all,
  I have followed the steps in this document in detail:
  http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml
  however, my central authentication does not work. I get to the guest portal, i get authenticated through the guest portal,
  but then the "second" MAB authenticatino doesn't happen.
  In the last screencapture of the document, you get a green "Dynamic Authorization" line (third line from below). On my system
  this is a red line with the error message "11213 No response received from Network Access Device".
  (i have a successfull guest authentication in my ise logs, but it seems ise is unable to bounce or initiate the second MAB....)
  Any ideas ?
  regards,
  Geert

  By the way, i feel the document example is a bit too general. For example, if you implement the document, ISE will do web authentication and redirection even when you are using a 802.1X client and are authenticated (and you have no other rules in your Autorization sequence table)
  I managed to prevent this by adding an additional condition to the first rule "MAC not known" that has the CentralWebAuth policy. Only do webautentication if MAC not known AND Wired_MAB is being used.

• GnomeUI-WARNING While connecting to session manager:Authentication Rejected

  Hi:
  I was running Oracle eBusiness Suite R1211 on Enterprise Linux 5.3.
  When I try to run HelloWorld on OA Framework tutorial I got the following error
  (Gecko:6415): GnomeUI-WARNING **: While connecting to session manager: Authentication Rejected
  Does any one has idea how to resolve the problem?
  Please help
  sem

  Check the DBC file is updated one & are the connection is working or not.
  Thanks
  --Anil                                                                                                                                                                                       

• Cisco ISE 1.3 MAB authentication.. switch drop packet

  Hello All,
  I have C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(55)SE9, RELEASE SOFTWARE (fc1) switch..
  and ISE 1.3 versoin..
  MAB authentication is working perfectly at ISE end.. but while seeing the same at switch end.. I am seeing switch is droping packet on some ports..
  while some ports are working perfectly..
  Same switch configuration is working perfectly on another switch without any issue..
  Switch configuration for your suggestion..!!
  aaa new-model
  aaa authentication fail-message ^C
  **** Either ACS or ISE is DOWN / Use ur LOCAL CREDENTIALS / Thank You ****
  ^C
  aaa authentication login CONSOLE local
  aaa authentication login ACS group tacacs+ group radius local
  aaa authentication dot1x default group radius
  aaa authorization config-commands
  aaa authorization commands 0 default group tacacs+ local
  aaa authorization commands 1 default group tacacs+ local
  aaa authorization commands 15 default group tacacs+ local
  aaa authorization network default group radius
  aaa accounting dot1x default start-stop group radius
  aaa accounting exec default start-stop group tacacs+
  aaa accounting commands 0 default start-stop group tacacs+
  aaa accounting commands 15 default start-stop group tacacs+
  aaa accounting network default start-stop group tacacs+
  aaa accounting connection default start-stop group tacacs+
  aaa accounting system default start-stop group tacacs+ group radius
  aaa server radius dynamic-author
   client 172.16.95.x server-key 7 02050D480809
   client 172.16.95.x server-key 7 14141B180F0B
  aaa session-id common
  clock timezone IST 5 30
  system mtu routing 1500
  ip routing
  no ip domain-lookup
  ip domain-name EVS.com
  ip device tracking
  epm logging
  dot1x system-auth-control
  interface FastEthernet0/1
   switchport access vlan x
   switchport mode access
   switchport voice vlan x
   authentication event fail action next-method
   --More--         authentication host-mode multi-auth
   authentication order mab dot1x
   authentication priority mab dot1x
   authentication port-control auto
   authentication violation restrict
   mab
   snmp trap mac-notification change added
   snmp trap mac-notification change removed
   dot1x pae authenticator
   dot1x timeout tx-period 10
   spanning-tree portfast
  ip tacacs source-interface Vlan10
  ip radius source-interface Vlan10 vrf default
  logging trap critical
  logging origin-id ip
  logging 172.16.5.95
  logging host 172.16.95.x transport udp port 20514
  logging host 172.16.95.x transport udp port 20514
  snmp-server group SNMP-Group v3 auth read EVS-view notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF7F access 15
  snmp-server view EVS-view internet included
  snmp-server community S1n2M3p4$ RO
  snmp-server community cisco RO
  snmp-server trap-source Vlan10
  snmp-server source-interface informs Vlan10
  snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
   --More--         snmp-server enable traps tty
  snmp-server enable traps cluster
  snmp-server enable traps entity
  snmp-server enable traps cpu threshold
  snmp-server enable traps vtp
  snmp-server enable traps vlancreate
  snmp-server enable traps vlandelete
  snmp-server enable traps flash insertion removal
  snmp-server enable traps port-security
  snmp-server enable traps envmon fan shutdown supply temperature status
  snmp-server enable traps config-copy
  snmp-server enable traps config
  snmp-server enable traps bridge newroot topologychange
  snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
  snmp-server enable traps syslog
  snmp-server enable traps mac-notification change move threshold
  snmp-server enable traps vlan-membership
  snmp-server host 172.16.95.x version 2c cisco
  snmp-server host 172.16.95.x version 2c cisco
  snmp-server host 172.16.5.x version 3 auth evsnetadmin
  tacacs-server host 172.16.5.x key 7 0538571873651D1D4D26421A4F
  tacacs-server directed-request
   --More--         tacacs-server key 7 107D580E573E411F58277F2360
  tacacs-server administration
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 25 access-request include
  radius-server host 172.16.95.y auth-port 1812 acct-port 1813 key 7 060506324F41
  radius-server host 172.16.95.x auth-port 1812 acct-port 1813 key 7 110A1016141D
  radius-server host 172.16.95.y auth-port 1645 acct-port 1646 key 7 110A1016141D
  radius-server host 172.16.95.x auth-port 1645 acct-port 1646 key 7 070C285F4D06
  radius-server timeout 2
  radius-server key 7 060506324F41
  radius-server vsa send accounting
  radius-server vsa send authentication
  line con 0
   exec-timeout 5 0
   privilege level 15
   logging synchronous
   login authentication CONSOLE
  line vty 0 4
   access-class telnet_access in
   exec-timeout 0 0
   logging synchronous
   --More--         login authentication ACS
   transport input ssh

   24423  ISE has not been able to confirm previous successful machine authentication  
  Judging by that line and what your policy says, it appears that your authentication was rejected as your machine was not authenticated prior to this connection.
  first thing to check is whether MAR has been enabled on the identity source. second thing to check is whether your machine is set to send a certificate for authentication. there are other things you can look at but I'd do those two first.
  log off and on  or reboot and then see if you at least get a failed machine auth on the operations>authentication page and we can go from there. 

• ISE Wired Central Web Authentication no url redirect

  We are setting up ISE for wired guest accest but are having trouble with the client being redirected.  The switch gets the download from ISE and shows that it should use the URL redirect with the correct ACL.
  ISEtest3560#show authentication sessions interface fastEthernet 0/2
              Interface:  FastEthernet0/2
            MAC Address:  001d.09cb.78bd
             IP Address:  Unknown
              User-Name:  00-1D-09-CB-78-BD
                 Status:  Authz Success
                 Domain:  DATA
        Security Policy:  Should Secure
        Security Status:  Unsecure
         Oper host mode:  multi-auth
       Oper control dir:  both
          Authorized By:  Authentication Server
             Vlan Group:  N/A
                ACS ACL:  xACSACLx-IP-ISE-Only-52434fbe
       URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
           URL Redirect:  https://REMOVED.Domain.corp:8443/guestportal/gateway?sessionId=0A0003E600000039064485B1&action=cwa
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  0A0003E600000039064485B1
        Acct Session ID:  0x00000293
                 Handle:  0x95000039
  Runnable methods list:
         Method   State
         dot1x    Failed over
         mab      Authc Success
  From the client pc I can get name resolution for anything I ping.  I also can ping the ise server by name.  The ACL that is downloaded it as follows:
  Extended IP access list xACSACLx-IP-ISE-Only-52434fbe (per-user)
      10 permit udp any eq bootpc any eq bootps
      20 permit udp any any eq domain
      30 permit ip any host 10.4.37.91
      40 deny ip any any log
  Extended IP access list ACL-WEBAUTH-REDIRECT
      10 deny udp any eq bootpc any eq bootps
      20 deny udp any any eq domain
      30 deny ip any host 10.4.37.91
      40 permit tcp any any eq www (13 matches)
      50 permit tcp any any eq 443
      51 permit tcp any any eq 8443
      60 deny ip any any
  The machine passes the Authentication with MAB and hits the CWA Authorization profile, ISE shows the cient as "Pending" then the next entry above that is the log is the dACL getting pushed to the switch.  Could part of the issue be that the device shows Unknown for IP address?  The command ip device tracking is in the swtich:
  ISEtest3560#show running-config | include tracking
  ip device tracking
  ISEtest3560#
  We have 802.1x clients working and the IP address for those do show up..
  Please advise,
  Thanks,
  Joe

  ISEtest3560#show ip access-lists interface fastEthernet 0/2       
  ISEtest3560#
  Doesn't appear the dacl is being applied. 
  interface FastEthernet0/2
  switchport access vlan 11
  switchport mode access
  ip access-group ACL-DEFAULT in
  authentication event fail action next-method
  authentication event server dead action reinitialize vlan 999
  authentication event server alive action reinitialize
  authentication host-mode multi-auth
  authentication open
  authentication order dot1x mab webauth
  authentication priority dot1x mab webauth
  authentication port-control auto
  authentication violation restrict
  mab
  dot1x pae authenticator
  dot1x timeout tx-period 10
  spanning-tree portfast
  spanning-tree guard root
  Extended IP access list ACL-DEFAULT
      10 permit udp any eq bootpc any eq bootps
      20 permit udp any any eq domain
      30 permit icmp any any
      40 permit udp any any eq tftp
      41 permit ip any host 10.4.37.91
      50 deny ip any any log (1059 matches)
  Could the dACL being causing the issue with the Unknown, or is the Unknow causing the issue with the dACL?
  Thanks,
  Joe

• Cisco ISE Failure: 24408 User authentication against Active Directory failed since user has entered the wrong password

  Hi,
  Since we implemented Cisco ISE we receive the following failure on several Notebooks:
  Authentication failed : 24408 User authentication against Active Directory failed since user has entered the wrong password
  This happens 2 or 3 times per Day. So basically the authentications are working. But when the failure appears, the connection is lost for a short time.
  The Clients are using PEAP(EAP-MSCHAPv2) for Authentication. We've got a Cisco Wireless Environment (WLC 5508).
  Why is this happening?
  Thanks,
  Marc

  The possible causes of this error message are:
  1.] If the end user entered an incorrect username.
  2.] The shared sceret between WLC and ISE is mismatched. With this we'll see continous failed authentication.
  3.] As long as a PSN not receiving a response from the supplicant within this limit during an EAP conversation, it will throw this error code. In majority of cases it says eap session timed out.
  In your cases, the 3rd option seems to be the most closest one.
  Jatin Katyal
  - Do rate helpful posts -

• ISE 1.3 Disallow authentication to network based on group

  ISE 1.3
  MS AD 2008R2
  Two Groups: All Employees , All Students
  Problem: Students connecting to the employee network
  I have two wireless networks STUDENTS and EMPLOYEES. In ISE I have two authorization policies for these networks. In a prior effort to keep students from connecting to the employee network, I set the authorization policy to:
  Employee: If (Wireless_802.1X AND AD1:ExternalGroups EQUALS mydomain/User Accounts/All Employees AND AD1:ExternalGroups NOT_EQUALS mydomain/Students/All Students) then: Employee_Profile
  Unfortunately this did not work. Students have their own username and password in AD and so does each faculty/staff member. I have verified that the students are using their credentials and connecting to the employee network. Conversely, I can connect to the student network using an employee's credentials. The main issue is that with the students connecting to the employee network, they are using up all of the addresses in the applicable DHCP scope.
  I need to disallow connection to the employee network by students and the student network by employees.
  Any help would be appreciated!
  Kevin

  Hi Kevin-
  A couple of questions/suggestions:
  - Is there a chance that the students are also part of the employee AD group? I know it is a silly question but I must ask :) In fact, when a successful authentication happens, you can open the "detailed authentication screen" for that session and you can see all of the AD groups that the user is member of
  - Have you tested this yourself? For instance, you can create a test account in each group and then try it for yourself
  - Another silly question but can you confirm that each SSID has a unique interface in the WLC, thus going to a different subnet/DHCP scope
  - I would make your authorization rule a bit simpler. I would like you to remove the: 
  "AD1:ExternalGroups NOT_EQUALS mydomain/Students/All Students"
  When it comes to AD groups, ISE would process them in a "top-down" fashion and as soon as a match occurs, ISE would stop looking. I don't think this is the issue in your case but still worth the try. 
  - If the main issue is lack of DHCP addresses then why not address that? :) For instance, you can:
  1. Expand the DHCP scope (From let's say /24 to a /23)
  2. Assign a "secondary IP" address to the L3 interface, thus giving it more subnets
  3. Utilize "Interface Groups" in the WLC, that way you can have multiple subnets tied to the same SSID
  Thank you for rating helpful posts! 

• Cisco ISE Machine failed machine authentication

  Hi, last week we migrated to ISE 1.2 Patch 7 and since then we are having trouble with our corporate SSID.
  We have a rule that says :
  1) User is domain user.
  2) Machine is authenticated.
  But for some reason that I can't figure out some machine(I would say around 200/1000) can't seem to authenticate.
  This is the message I found in the "steps"
  24423     ISE has not been able to confirm previous successful machine authentication for user in Active Directory
  I was wondering if I could force something on the controller or on ISE directly.
  EDIT : In the operation > Authentication I can see that some host/MachineName are getting authenticated.
  Would I be able to force this as a step in my other rule.

  Hi shertica, and thank you for the explanation. I started working with ISE a month ago and still getting familiarized but I think the problem is the relationship between the Machine and the user because I can't find any Host/MachineName fail in the last 24 hour and I can't seem to have any log further than that.
  Failure Reason
  15039 Rejected per authorization profile
  Resolution
  Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.
  Steps
  11001
  Received RADIUS Access-Request
  11017
  RADIUS created a new session
  15049
  Evaluating Policy Group
  15008
  Evaluating Service Selection Policy
  15048
  Queried PIP
  15048
  Queried PIP
  15048
  Queried PIP
  15004
  Matched rule
  11507
  Extracted EAP-Response/Identity
  12300
  Prepared EAP-Request proposing PEAP with challenge
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12302
  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
  12318
  Successfully negotiated PEAP version 0
  12800
  Extracted first TLS record; TLS handshake started
  12805
  Extracted TLS ClientHello message
  12806
  Prepared TLS ServerHello message
  12807
  Prepared TLS Certificate message
  12810
  Prepared TLS ServerDone message
  12305
  Prepared EAP-Request with another PEAP challenge
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12304
  Extracted EAP-Response containing PEAP challenge-response
  12318
  Successfully negotiated PEAP version 0
  12812
  Extracted TLS ClientKeyExchange message
  12804
  Extracted TLS Finished message
  12801
  Prepared TLS ChangeCipherSpec message
  12802
  Prepared TLS Finished message
  12816
  TLS handshake succeeded
  12310
  PEAP full handshake finished successfully
  12305
  Prepared EAP-Request with another PEAP challenge
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12304
  Extracted EAP-Response containing PEAP challenge-response
  12313
  PEAP inner method started
  11521
  Prepared EAP-Request/Identity for inner EAP method
  12305
  Prepared EAP-Request with another PEAP challenge
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12304
  Extracted EAP-Response containing PEAP challenge-response
  11522
  Extracted EAP-Response/Identity for inner EAP method
  11806
  Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
  12305
  Prepared EAP-Request with another PEAP challenge
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12304
  Extracted EAP-Response containing PEAP challenge-response
  11808
  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
  15041
  Evaluating Identity Policy
  15006
  Matched Default Rule
  15013
  Selected Identity Source - IdentityStore_AD_liadom01
  24430
  Authenticating user against Active Directory
  24402
  User authentication against Active Directory succeeded
  22037
  Authentication Passed
  11824
  EAP-MSCHAP authentication attempt passed
  12305
  Prepared EAP-Request with another PEAP challenge
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12304
  Extracted EAP-Response containing PEAP challenge-response
  11810
  Extracted EAP-Response for inner method containing MSCHAP challenge-response
  11814
  Inner EAP-MSCHAP authentication succeeded
  11519
  Prepared EAP-Success for inner EAP method
  12314
  PEAP inner method finished successfully
  12305
  Prepared EAP-Request with another PEAP challenge
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12304
  Extracted EAP-Response containing PEAP challenge-response
  24423
  ISE has not been able to confirm previous successful machine authentication for user in Active Directory
  15036
  Evaluating Authorization Policy
  24432
  Looking up user in Active Directory - LIADOM01\lidoex
  24416
  User's Groups retrieval from Active Directory succeeded
  15048
  Queried PIP
  15048
  Queried PIP
  15048
  Queried PIP
  15048
  Queried PIP
  15048
  Queried PIP
  15004
  Matched rule - AuthZBlock_DOT1X
  15016
  Selected Authorization Profile - DenyAccess
  15039
  Rejected per authorization profile
  12306
  PEAP authentication succeeded
  11503
  Prepared EAP-Success
  11003
  Returned RADIUS Access-Reject
  Edit : I found a couple of these :
  Event
  5400 Authentication failed
  Failure Reason
  24485 Machine authentication against Active Directory has failed because of wrong password
  Resolution
  Check if the machine is present in the Active Directory domain and if it is spelled correctly. Also check whether machine authentication is configured properly on the supplicant.
  Root cause
  Machine authentication against Active Directory has failed because of wrong password.
  Username
  host/MachineName
  I also have an alarming number of : Misconfigured Supplicant Detected(3714)

• ISE: time profile for authenticated usergroup access

  Hi forumers'
  I would like to setup a session condition like what ACS can do. This is using for the user after authentication, then they were authorize with the time allotment profile for them to accessing the resources on the network.
  Can i do this over ISE, beside guest manamgent >  sponsor group's time profile?
  What if current ISE not ready for this, how's the high level design would be for time profile for usergroup access look like?
  Example
  a. trusted full time employee, accessbile 24x7x365
  b. not confirm, internship employee, with only accessbile right of 8x5 per day
  Thanks
  Noel

  Thanks for the reply, but I'm really seeking the feature of prevent multiple self registration for the same user, and I don't think that it is available right now.
  The only working idea here is blocking the MAC address for the machine doing the registration because everytime the user will be able to register with new email address or mobile phone.
  Also one feature can be interested here, that the user can do self registration with Phone mandatory so the ISE will send SMS to the user with the credentails to use.
  Thanks.
  Ahmad.

• Automatic disconnection from AP when timed out (session or authentication) from captive portal

  Captive portal implementation permits/blocks web traffic. When a user is timed out (authentication & session) it still occupies a channel as seen in the clients list. How can we disconnect a host that is timed out?

  There is NO Failed Authenticated list.These are the only available tabs in the lapac1200Captive Portal Global Configuration  Portal Profiles  Local User  Local Group  Web Customization  Profile Association  Client Information