
ISE 1.2 with AD

Unanswered Question
Oct 24th, 2013

I have a strange issue, but I think it is related to Windows machines; I just want to know if anyone has faced it in an ISE deployment.

The ISE authentication logging receives the machine name (identity) as a "MAC address"; then when ISE asks AD for it, it will not find it and then drops the machine.

I tried to disjoin the PC from the domain and join it again; the issue was resolved for some time but appeared again after several days.


Thanks,

Ibrahim

Tarik Admani Thu, 10/24/2013 - 21:25

Ibrahim,


Is this an 802.1X request or is this a MAB request? You may have to look at your authentication policies to see which database the wired MAB requests are pointing to, and also check the dot1x timers on the port to see how long it waits before the MAB process starts.


Thanks,

Tarik Admani
*Please rate helpful posts*

aqjaved Wed, 10/30/2013 - 10:21

Configuring Active Directory as an External Identity Source:

• Ensure that Cisco ISE hostnames are 15 characters or less in length. Active Directory does not validate hostnames larger than 15 characters.

• Ensure that the Microsoft Active Directory server does not reside behind a network address translator and does not have a Network Address Translation (NAT) address.

• Ensure that the Microsoft Active Directory administrator account is valid, which is used for the join operation and it is not configured with Change Password on Next Login in Microsoft Active Directory.

• To perform the following task, you must be a Super Admin or System Admin.

Note: Even when Cisco ISE is connected to Active Directory, there may still be operation issues. To identify them refer to the Authentication Report under Operations > Reports.

You must complete the following tasks to configure Active Directory as an external identity source. 

• Connecting to the Active Directory Domain 

• Enabling Password Changes, Machine Authentications, and Machine Access Restrictions 

• Configuring Active Directory User Groups

Please check the below guide which may be helpful for you

http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_man_id_stores.html#wp1316139

ibrahim_hassan Sat, 11/02/2013 - 23:46

There are machines working properly, but others face this issue.

I can see that at the time of the issue, the switch (NAS) displays the MAC address of the machine in "show auth sess int fa x/x".

Also, I tried a strange workaround: when I disjoin the PC from the domain and re-join it again, the issue disappeared!!

But I am not sure if this action is related.

Peter Koltl Wed, 11/06/2013 - 13:09

debug radius

debug authentication all

on the switch will show you if 802.1X or MAB is happening

Peter Koltl Thu, 11/07/2013 - 12:25

But inspect the debugs to determine what happened with 802.1X.
