10-24-2013 12:12 AM - edited 03-10-2019 09:01 PM
I have a strange issue, but I think it is related to Windows machines. I just want to know if anyone has faced it in an ISE deployment.
The ISE authentication logging receives the machine name (identity) as "MAC address"; then, when ISE asks AD for it, it will not find it and then drops the machine.
I tried to disjoin the PC from the domain and join it again; the issue was resolved for some time but appeared again after several days.
Thanks,
Ibrahim
10-24-2013 09:25 PM
Ibrahim,
Is this an 802.1X request or is this a MAB request? You may have to look at your authentication policies to see which database the wired MAB requests are pointing to, and also check the dot1x timers on the port to see how long it waits before the MAB process starts.
Thanks,
Tarik Admani
*Please rate helpful posts*
10-30-2013 10:21 AM
Configuring Active Directory as an External Identity Source:
• Ensure that Cisco ISE hostnames are 15 characters or less in length. Active Directory does not validate hostnames larger than 15 characters.
• Ensure that the Microsoft Active Directory server does not reside behind a network address translator and does not have a Network Address Translation (NAT) address.
• Ensure that the Microsoft Active Directory administrator account is valid, which is used for the join operation and it is not configured with Change Password on Next Login in Microsoft Active Directory.
• To perform the following task, you must be a Super Admin or System Admin.
Note:
Even when Cisco ISE is connected to Active Directory, there may still be operation issues. To identify them refer to the Authentication Report under Operations > Reports.
You must complete the following tasks to configure Active Directory as an external identity source.
• Connecting to the Active Directory Domain
• Enabling Password Changes, Machine Authentications, and Machine Access Restrictions
• Configuring Active Directory User Groups
Please check the below guide which may be helpful for you
http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_man_id_stores.html#wp1316139
11-02-2013 11:46 PM
There are machines working properly, but others face this issue.
I can see that at the time of the issue, the switch (NAS) displays the MAC address of the machine in "show auth sess int fa x/x".
Also, I tried a strange workaround: when I disjoined the PC from the domain and rejoined it, the issue disappeared!!
But I am not sure if this action is related.
11-04-2013 02:08 AM
I found the link below about hotfixes for Windows 7:
http://robert.penz.name/555/list-of-ieee-802-1x-hotfixes-for-windows-7/
Has anyone tested them?
11-06-2013 01:09 PM
debug radius
debug authentication all
on the switch will show you if 802.1X or MAB is happening
11-07-2013 02:39 AM
It appeared as MAB.
11-07-2013 12:25 PM
But inspect the debugs to determine what happened with 802.1X.