Intermittent AD Authentication failures in ISE 1.2

Unanswered Question
Sep 4th, 2013

Starting today I was getting intermittent authentication failures in ISE. It would say that the user was not found in the selected identity store. The account is there though. At one point I ran an authentication test from the external identity source menu and I got a failure and then the next time a pass. I have no idea why this is happening. I just updated to ISE 1.2 the other day. I'm also seeing what looks like a high level of latency on both of my PSNs. Is this normal? Any ideas?



Thanks


Jef

Overall Rating: 4 (2 ratings)
Ravi Singh Wed, 09/04/2013 - 18:25
User Badges:
  • Cisco Employee,

I would suggest you check the network connectivity between devices. Also check that the AD is properly connected to ISE and that groups are listed in ISE.

Kevin P Sheahan Wed, 09/04/2013 - 19:09
User Badges:
  • Bronze, 100 points or more

I have experienced this same issue very recently. At the time, the AD server to which I was authenticating was being overrun with multicast flows due to a configuration error caused when another engineer was troubleshooting multicast.


Moral of the story: don't just look at ISE as the possible culprit, check out the AD server as well to ensure that it has both the appropriate resources and isn't being adversely affected by another network-related issue.



Kind Regards,

Kevin

**Please remember to rate helpful posts as well as mark the question as 'answered' once your issue is resolved. This will help others to find your solution faster.

jcarrabine1 Thu, 09/05/2013 - 03:46

Interesting. I have one location that is not having this problem at all. The other is having it somewhat frequently. The PSNs for each location are tied to the local AD servers. I have not had this until we started getting 300-380 PCs connecting. We are a school so we are slowly getting started. It's real random. One user will work then another time they won't. Happens with admin and user. I have noticed that with this new version of ISE it is complaining that it is getting accounting updates from the NAS too often, but I have not looked into this because I just installed 1.2 about 3-4 days ago and haven't had time to look into it.


When you say multicast to your AD... how did you check that? We do use multicast.

Saurav Lodh Thu, 09/05/2013 - 00:02
User Badges:
  • Gold, 750 points or more

Please try rejoining the ISE with AD. Hope it helps.

jcarrabine1 Thu, 09/05/2013 - 03:48

I was thinking of trying this, but have not. My thought was that it was connected, and most of the time performing authentications.

Venkatesh Attuluri Thu, 09/05/2013 - 04:24
User Badges:
  • Cisco Employee,

Check your latency values with the ISE bandwidth and latency calculator.


Minimum bandwidth between MnT and PSN: 1 Mbps

Minimum bandwidth between MnT and Admin: 256 Kbps

Minimum bandwidth between Admin and PSN: 256 Kbps


test aaa group radius new-code


Check for these to help narrow the focus of the potential problem with RADIUS:

• Connect port

• Connect NAD IP address

• Connect Policy Service ISE node IP address

• Correct server key

• Recognized username or password

• Connectivity between the NAD and Policy Service ISE node

Muhammad Munir Wed, 09/11/2013 - 20:16
User Badges:
  • Cisco Employee,

Hi

Please check whether the subject is present in any one of the chosen identity stores. Note that some identity stores may have been skipped if they do not support the current authentication protocol.

Make sure the authentication policy points to the correct identity store. For authentication in a Microsoft Windows network with multiple domains, make sure that the supplicant is appending the domain suffix (for users: [email protected], for machines: winxp.example.com).

Jacob Snyder Sat, 09/14/2013 - 11:15
User Badges:
  • Bronze, 100 points or more

I've also just had a case where one of multiple AD servers was not working and required a reboot.

Sent from Cisco Technical Support iPhone App
