New Member

ISE 1.2 - 24492 Machine authentication against AD has failed

Currently experiencing a machine authentication problem between ISE 1.2 patch 2 and a customer AD installation.

AuthZ policy is set to match against /Users/Domain Computers and /Users Domain Users.  User authentication works, machine auth doesn't.

Machine authentication box is ticked.

If you try to disable an AD machine, or try a machine not in the domain, you get the appropriate different response in the ISE logs, which suggests it has the right access into AD to check this info.

This happens on all computers, both WinXP and Win7 corporate builds.

I know it's not an ISE policy configuration as I have resorted to testing the same ISE against a vanilla lab AD environment with the same AD domain name (just by changing the DNS servers ISE uses) and the computer lookup works!

Anybody got any ideas?

thanks.

8 REPLIES
New Member

TAC think we might have hit a bug like this: CSCui55934, ACS 5.4 Centrify cannot find machine with DNS suffix not on DC Groups, as ISE and ACS5 both use the same Centrify clients.

Can you post a screenshot and an example of how this is failing? Are you using EAP-TLS or PEAP for machine authentication?

Thanks,

Tarik Admani
*Please rate helpful posts*

New Member

Using PEAP, will post screenshot.

New Member

TAC's latest update is that this isn't the split domain issue as listed in the above posted bug number, but possibly a new bug.  Awaiting a call with TAC for full update.

Bronze

Can you tell me the TAC case number you have this issue under so that my TAC engineer can investigate as well?

I am in the process of upgrading from 1.1.2.145 patch-3 to 1.2 patch-3 and we're also using machine authentication integrating with AD.  This really freaks me out.

New Member

The situation has evolved.  It looks like the output error of 24492 is not appropriate.  It is not authentication (as that happened above) but getting attributes for the host for use in authorization.  The AD get group/attrib action invokes a root domain Global Catalogue query.  This query fails due to 1) the Centrify query process and/or error handling isn't ideal, 2) the client's DNS servers aren't providing responses to all possible GC queries.

Still ongoing, but, it has a big dose of "Keep it simple stupid" all over this one ;-)
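The reply above attributes the failure to DNS servers that do not answer every Global Catalog lookup. The following is an added example, not part of the thread and not Cisco's or Centrify's code: it audits each DNS server ISE is pointed at for the standard AD locator SRV records and reports the names a server fails to answer. The forest, domain, site name and server addresses are constructed, the default resolver assumes `dig` is installed, and the thread does not say which of these names the ISE AD client actually queries.

```python
import subprocess

def srv_names(forest_root, domain, sites=()):
    """SRV owner names AD clients use to locate Global Catalogs and DCs."""
    names = [
        f"_gc._tcp.{forest_root}",
        f"_ldap._tcp.gc._msdcs.{forest_root}",
        f"_ldap._tcp.dc._msdcs.{domain}",
        f"_kerberos._tcp.{domain}",
    ]
    for site in sites:  # site-scoped GC lookups are the easiest to overlook
        names.append(f"_gc._tcp.{site}._sites.{forest_root}")
        names.append(f"_ldap._tcp.{site}._sites.gc._msdcs.{forest_root}")
    return names

def dig_srv(name, server):
    """Ask one DNS server for one SRV name via dig; return [(target, port)]."""
    out = subprocess.run(
        ["dig", "+short", "+time=2", "+tries=1", f"@{server}", name, "SRV"],
        capture_output=True, text=True).stdout
    records = []
    for line in out.splitlines():
        parts = line.split()  # dig prints "priority weight port target."
        if len(parts) == 4 and parts[2].isdigit():
            records.append((parts[3].rstrip("."), int(parts[2])))
    return records

def audit(forest_root, domain, sites, servers, resolve=dig_srv):
    """Return {server: [SRV names it did not answer]}; empty means no gaps."""
    gaps = {}
    for server in servers:
        missing = [n for n in srv_names(forest_root, domain, sites)
                   if not resolve(n, server)]
        if missing:
            gaps[server] = missing
    return gaps

# Constructed sample: the second server answers only for the child domain.
SAMPLE = {
    "192.0.2.10": set(srv_names("corp.example", "emea.corp.example", ["London"])),
    "192.0.2.11": {"_ldap._tcp.dc._msdcs.emea.corp.example",
                   "_kerberos._tcp.emea.corp.example"},
}

def sample_resolve(name, server):
    """Offline stand-in for dig_srv; the returned record is a placeholder."""
    return [("placeholder.invalid", 0)] if name in SAMPLE[server] else []

if __name__ == "__main__":
    result = audit("corp.example", "emea.corp.example", ["London"],
                   ["192.0.2.10", "192.0.2.11"], sample_resolve)
    for server, names in result.items():
        print(f"{server} has no SRV answer for:")
        for n in names:
            print("  " + n)
```

To run it against real resolvers, call `audit()` without the `resolve` argument and pass the DNS servers configured on the ISE node.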

New Member

24492 | External-Active-Directory | Machine authentication against Active Directory has failed | Machine authentication against Active Directory has failed. | Error

Please check whether NTP is in sync or not on ISE.
