Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ISE 1.2 AuthZ fail because of ‘extra’ AD lookup

Hi,

I have a PoC going with wired 802.1X and MAB, laptops with certificate and AD look up works well. With this I also have printers not in AD that will use both certificates and MAB for authentication.

When I try to do EAP-TLS or MAB on printers it fail on AuthZ because it cant find the “user” in AD. It docent matter were in the policy my printer MAB or EAP-TLS policies are, same result.

If I then disable all other AuthZ policies that also look up in AD my printer get authorised.

If I then enable all policies again at least EAP-TLS for printer works, did not have time to test MAB today.

Anyone seen this?  

Why would ISE trying to do a AD look up here when MAB is only for internal group Printers?

AuthZ policy (made some changes to test MAB here so policies are moved around)

Edited.png

MAB Radius steps  (same for EAP-TLS but with the CN as username)

Steps

      11001    Received RADIUS Access-Request

      11017    RADIUS created a new session

      11027    Detected Host Lookup UseCase (Service-Type = Call Check (10))

      15049    Evaluating Policy Group

      15008    Evaluating Service Selection Policy

      15048    Queried PIP

      15048    Queried PIP

      15004    Matched rule

      15048    Queried PIP

      15048    Queried PIP

      15004    Matched rule

      15041    Evaluating Identity Policy

      15006    Matched Default Rule

      15013    Selected Identity Source - Internal Endpoints

      24209    Looking up Endpoint in Internal Endpoints IDStore - 00:26:73:63:6F:3C

      24211    Found Endpoint in Internal Endpoints IDStore

      22037    Authentication Passed

      15036    Evaluating Authorization Policy

      24432    Looking up user in Active Directory - 00:26:73:63:6F:3C

      24412    User not found in Active Directory

      15004    Matched rule - Default

      15016    Selected Authorization Profile - Deny_Access_Wired

      15039    Rejected per authorization profile

      11003    Returned RADIUS Access-Reject   

Cheers

Everyone's tags (1)
2 REPLIES

Re: ISE 1.2 AuthZ fail because of ‘extra’ AD lookup

First off, please show us your authentication rules, and your interface config on the printer port in the switch.

New Member

Re: ISE 1.2 AuthZ fail because of ‘extra’ AD lookup

Hi,

Forgot to write in this thread, I did a reboot of both ISE servers and after that it works as it should.

Not the best solution but it worked.

Might be something with the AD connection that hang, dont realy know. But I have seen wired errors between ISE and AD before.

Thanks

552
Views
0
Helpful
2
Replies