ISE 1.2 with AD

ibrahim_hassan
Level 1

I have a strange issue, but I think it is related to Windows machines. I just want to know if anyone has faced it in an ISE deployment.

The ISE authentication log receives the machine name (identity) as a "MAC address"; then, when ISE asks AD for it, it does not find it and drops the machine.

I tried to disjoin the PC from the domain and join it again. The issue was resolved for some time but appeared again after several days.

Thanks,

Ibrahim

7 Replies

Tarik Admani
VIP Alumni

Ibrahim,

Is this an 802.1x request or is this a MAB request? You may have to look at your authentication policies to see which database the wired MAB requests are pointing to, and also check the dot1x timers on the port to see how long it waits before the MAB process starts.

Thanks,

Tarik Admani
*Please rate helpful posts*
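A way to check Tarik's two points programmatically, as an added example that is not code from the thread or from Cisco: classify the identity ISE received as a MAC address (a MAB request, which can never resolve in AD) versus an AD machine or user account (an 802.1x request), and compute how long the switch waits for a supplicant before it falls back to MAB. The sample authentications are constructed; the identity formats, the IOS defaults of tx-period 30 s and max-reauth-req 2, and the fallback delay of tx-period × (max-reauth-req + 1) seconds are stated here as assumptions for the example.

```python
import re

# Constructed sample of what ISE's live-authentication view shows per NAS port:
# (RADIUS User-Name / identity, NAS port). Not real data from the thread.
SAMPLE_AUTHS = [
    ("host/PC-FINANCE-01.corp.example", "FastEthernet0/3"),  # 802.1x machine auth
    ("00:1A:2B:3C:4D:5E", "FastEthernet0/7"),                # MAB: MAC as identity
    ("001a2b3c4d5f", "FastEthernet0/8"),                     # MAB, raw 12-hex format
    ("CORP\\PC-HR-02$", "FastEthernet0/9"),                  # 802.1x machine auth, NetBIOS form
    ("jdoe", "FastEthernet0/10"),                            # 802.1x user auth
]

# A MAC address as a switch may send it in User-Name: colon/dash separated,
# Cisco dotted, or raw 12 hex digits (assumed formats for this example).
MAC_RE = re.compile(
    r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$"
    r"|^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$"
    r"|^[0-9a-f]{12}$",
    re.IGNORECASE,
)
# An AD machine account as a Windows supplicant presents it: host/<fqdn> or DOMAIN\name$
MACHINE_RE = re.compile(r"^host/[^/\\]+$|^[^/\\]+\\[^/\\]+\$$", re.IGNORECASE)


def classify_identity(identity):
    """Return 'mab', 'machine-dot1x' or 'user-dot1x' for one RADIUS identity."""
    if MAC_RE.match(identity):
        return "mab"
    if MACHINE_RE.match(identity):
        return "machine-dot1x"
    return "user-dot1x"


def expected_identity_store(identity):
    """Which store an authentication policy should send this identity to.
    A MAC address can never be found in AD, so MAB belongs to the endpoint store."""
    return "Internal Endpoints" if classify_identity(identity) == "mab" else "Active Directory"


def find_mab_fallbacks(auths):
    """Ports whose current session authenticated by MAB, i.e. no supplicant answered."""
    return [port for identity, port in auths if classify_identity(identity) == "mab"]


def mab_fallback_delay(tx_period=30, max_reauth_req=2):
    """Seconds the switch waits for an EAPOL response before starting MAB:
    one EAP-Request/Identity plus max_reauth_req retransmissions, tx_period apart.
    Defaults are the IOS defaults (assumed here): 30 * (2 + 1) = 90 seconds."""
    return tx_period * (max_reauth_req + 1)


if __name__ == "__main__":
    for identity, port in SAMPLE_AUTHS:
        print(f"{port:16} {identity:34} {classify_identity(identity):14} "
              f"-> {expected_identity_store(identity)}")
    print("ports that fell back to MAB:", find_mab_fallbacks(SAMPLE_AUTHS))
    print("supplicant must answer within", mab_fallback_delay(), "s with default timers")
```

Run it against the identities copied from the ISE authentication report: any port listed as a MAB fallback is one where the Windows supplicant did not answer within the fallback delay, and if the policy sends that request to AD instead of the endpoint store the lookup fails exactly as described in the question.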

aqjaved
Level 3

Configuring Active Directory as an External Identity Source:

• Ensure that Cisco ISE hostnames are 15 characters or less in length. Active Directory does not validate hostnames larger than 15 characters.

• Ensure that the Microsoft Active Directory server does not reside behind a network address translator and does not have a Network Address Translation (NAT) address.

• Ensure that the Microsoft Active Directory administrator account is valid, which is used for the join operation, and is not configured with Change Password on Next Login in Microsoft Active Directory.

• To perform the following task, you must be a Super Admin or System Admin.

Note: Even when Cisco ISE is connected to Active Directory, there may still be operation issues. To identify them, refer to the Authentication Report under Operations > Reports.

You must complete the following tasks to configure Active Directory as an external identity source:

• Connecting to the Active Directory Domain

• Enabling Password Changes, Machine Authentications, and Machine Access Restrictions

• Configuring Active Directory User Groups

Please check the guide below, which may be helpful for you:

http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_man_id_stores.html#wp1316139

There are machines working properly, but others face this issue.

I can see that at the time of the issue the switch (NAS) displays the MAC address of the machine in "show auth sess int fa x/x".

Also, I tried a strange workaround: when I dis-join the PC from the domain and re-join it again, the issue disappears!!

But I am not sure if this action is related.

I found the link below about hotfixes for Windows 7:

http://robert.penz.name/555/list-of-ieee-802-1x-hotfixes-for-windows-7/

Has anyone tested them?

debug radius

debug authentication all

on the switch will show you if 802.1X or MAB is happening

It appeared as MAB.

But inspect the debugs to determine what happened with 802.1X.
