Cisco Support Community

New Member
Cisco ISE Machine failed machine authentication

Hi, Since we migrated to ISE 1.2 patch 7 we are having problems with our corporate SSID.

We have a rule that basically say :

User is Domain User.

Machine is in domain.

 

But for some reason some workstation are getting denied by this :

24423     ISE has not been able to confirm previous successful machine authentication for user in Active Directory

 

I was wondering if I could force a sync ?

 

Accepted Solution
Cisco Employee

Hmm, when you restart the machine you should see an authentication entry that starts with "host/". Let's try this:

1. Uncheck both the "Suppress Anomalous Clients" and "Suppress Repeated Successful Authentications" 

2. Wait 10 minutes 

3. Restart the machine and try again and let us know what happens

20 REPLIES
Silver

Have you tried to rejoin the computer to the domain? Sometimes the machine password expires and requires renewal. Then do the ISE-based authentication; if you still get this error, try to roll back to the previous ISE patch if it was working successfully.

****Do rate helpful posts*****

Cisco Employee

Are you using EAP-Chaining (EAP-TEAP) or are you utilizing MAR (machine access restriction)? Can you provide some screen shots of the rules that you have in place? 

New Member

We use MAR.

Rule Screenshot :

AD Settings :

Allow Protocol :

 

I've been working with ISE for a month now and still trying to understand a lot of it, so thank you all for your help!

Cisco Employee

OK, thank you for the screenshots. So the machine authentication related to MAR only happens when:

1. The machine first boots up

2. The user logs off and logs back in to the computer

ISE then stores the machine's MAC address information until the "Aging Time" expires. In your situation that is 8760 hours. Once that timer expires the user will have to either reboot the machine or log off/log back in. In addition, MAR comes with a couple of caveats:

1. The MAR information/state is not replicated between ISE nodes. Thus, if you are load balancing the sessions and/or you have a failover, all of the previously MAR-authenticated machines would have to either be rebooted or logged off/logged back on. 

2. Since the method uses the MAC address of the machine, the authentication process would have to be repeated if the authenticating MAC address changes. For instance, a user comes to the office, boots the computer and authenticates on the wireless, and everything works as expected. However, the user then goes to his/her desk and connects to a wired port. At that point the machine will need to perform wired authentication; thus, it will be using the MAC address from its wired LAN adapter. That MAC address won't be in ISE's database and the machine will be marked as "not previously authenticated." At this point another restart/log off/on will be required. The same will apply if the user for some reason uses a docking station. The docking station will have its own MAC address that will be different from the one from the machine, which won't be in the database of ISE. 

Overall, MAR is not the most elegant solution. There are some good alternatives out there. You can take a look at the following document:

http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116516-problemsolution-technology-00.html

Hope this helps.

 

Thank you for rating!
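To make the caveats in the reply above concrete, here is an added toy model of the MAR lookup (illustration written for this page, not Cisco's or ISE's own code). It models what the reply describes: a machine authentication ("host/..." identity) records the endpoint MAC on the node that handled it, the record lives until the Aging Time (8760 hours here) expires, it is not replicated to other nodes, and a later user authentication is only accepted if a live record exists for the same MAC on the same node. The MAC addresses, the node names, the user name and the use of the message ID 24423 as a result label are constructed for the example.

```python
"""Toy model of ISE Machine Access Restriction (MAR) behaviour.

Added illustration, not Cisco/ISE code. It reproduces the failure modes the
reply above lists: a different MAC (wired vs. wireless, docking station),
a session landing on a second PSN that never saw the machine auth, and the
aging timer running out.
"""
from dataclasses import dataclass, field

HOST_PREFIX = "host/"          # machine auth identities look like host/PC1.corp.example
MAR_NOT_CONFIRMED = "24423"    # the ISE message ID from the thread, used here as a result label


@dataclass
class PolicyServiceNode:
    """One ISE policy service node with its own, unreplicated MAR cache."""
    name: str
    aging_hours: float = 8760.0                       # the thread's MAR Aging Time
    mar_cache: dict = field(default_factory=dict)     # mac -> expiry time (hours)

    def authenticate(self, identity: str, mac: str, now: float) -> str:
        mac = mac.lower()
        if identity.startswith(HOST_PREFIX):
            # Machine authentication: remember this MAC until the aging timer expires.
            self.mar_cache[mac] = now + self.aging_hours
            return "MACHINE_OK"
        # User authentication under MAR: require a live machine-auth record for this MAC.
        expiry = self.mar_cache.get(mac)
        if expiry is None or now >= expiry:
            self.mar_cache.pop(mac, None)             # aged out (or never present)
            return MAR_NOT_CONFIRMED
        return "USER_OK"


def scenario() -> list:
    """Walk one laptop through the situations described in the reply.

    Returns a list of (description, result) pairs. All values are constructed.
    """
    wifi_mac, wired_mac = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"   # constructed
    machine, user = "host/PC1.corp.example", "CORP\\jdoe"           # constructed
    psn_a, psn_b = PolicyServiceNode("psn-a"), PolicyServiceNode("psn-b")

    steps = [
        ("boot on wireless: machine auth handled by psn-a", psn_a, machine, wifi_mac, 0.0),
        ("user logon on wireless, same MAC, psn-a", psn_a, user, wifi_mac, 0.1),
        ("user docks to a wired port: different MAC", psn_a, user, wired_mac, 1.0),
        ("load balancer sends the wireless session to psn-b", psn_b, user, wifi_mac, 2.0),
        ("wireless on psn-a once the 8760 h aging timer has run out", psn_a, user, wifi_mac, 8760.0),
        ("reboot on the wired port: machine auth with the wired MAC", psn_a, machine, wired_mac, 8761.0),
        ("user logon on wired right after that reboot", psn_a, user, wired_mac, 8761.1),
    ]
    return [(desc, node.authenticate(ident, mac, t)) for desc, node, ident, mac, t in steps]


if __name__ == "__main__":
    for desc, result in scenario():
        print(f"{result:10}  {desc}")
```

Every 24423 in the output is a user authentication whose MAC the serving node has no live "host/" record for; the only way back to USER_OK in this model is a fresh machine authentication from the same MAC on the same node, which matches the reboot/log-off advice in the reply.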

New Member

Hi,

While using MAR to make sure that corporate users are actually using a domain computer to connect to the network was a discussion topic in several implementations, it was quickly scrapped due to the numerous issues:

- Sleeping computers may not perform machine authentication first

- Users with laptops going from wired to wireless wouldn't perform machine authentication first -> failed user auth

I suggest you try EAP-Chaining with the Anyconnect supplicant.

Cisco Employee

Simon, were we able to solve your issue? If not, let us know if you need more clarifications. Otherwise, please mark the thread as closed/answered :)

New Member

I am still working on this. I can't figure out how some PCs just won't authenticate (no trace in ISE). I'm waiting on an internal signing request for ISE to see if that would help.

Cisco Employee

Hmm, that is interesting. You should be seeing hits in ISE whether they were for successful or unsuccessful authentications. Did you make sure that all of your NADs (switches, WLCs) are added to ISE? Also, under Administration > Settings > Protocols > Radius, check and see if you have Suppression enabled. This will prevent ISE from showing logs for "misbehaving" clients. You can temporarily disable it and troubleshoot the issue. 

New Member

Is this normal?

show radius summary

Authentication Servers
Idx  Type  Server Address    Port    State     Tout  MgmtTout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
---  ----  ----------------  ------  --------  ----  --------  -------  ------------------------------------------------
1    NM    10.1.1.34         1812    Enabled   2     2         Enabled  Disabled - none/unknown/group-0/0 none/none
2    NM    10.4.2.36         1812    Enabled   2     2         Enabled  Disabled - none/unknown/group-0/0 none/none
3    NM    10.8.2.84         1812    Enabled   2     2         Enabled  Disabled - none/unknown/group-0/0 none/none

Accounting Servers
Idx  Type  Server Address    Port    State     Tout  MgmtTout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
---  ----  ----------------  ------  --------  ----  --------  -------  ------------------------------------------------
1    N     10.1.1.34         1813    Enabled   2     2         N/A      Disabled - none/unknown/group-0/0 none/none
2    N     10.4.2.36         1813    Enabled   2     2         N/A      Disabled - none/unknown/group-0/0 none/none
3    N     10.8.2.84         1813    Enabled   2     2         N/A      Disabled - none/unknown/group-0/0 none/none
