New Member

ISE / Active Directory: issue getting users' groups

Hello,

We have a strange issue:

- ISE 1.2 patch 8
- no WLC, autonomous APs

In authentication, we check Wireless IEEE 802.11 (RADIUS) and cisco-av-pair (SSID), then we use AD.

We have 3 SSIDs, so 3 rules: one DATA, one GUEST, one for TOIP.

One more rule grants authentication for APs registering in WDS: user in the local database.

In authorization, we check cisco-av-pair (SSID) and the AD user group, then we permit access (so 3 rules), plus one more to authorise the internal database for WDS.

We have something strange:

- sometimes users can connect but later they can't: in the logs, the authorization rejects the user because the AD group is not seen.

Example:

1- OK:

Authentication Details

Source Timestamp: 2014-05-15 11:43:19.064
Received Timestamp: 2014-05-15 11:43:19.065
Policy Server: radius
Event: 5200 Authentication succeeded

All the user's groups are seen:

false
AD ExternalGroups: xx/users/admexch
AD ExternalGroups: xx/users/glkdp
AD ExternalGroups: x/users/gl revue écriture
AD ExternalGroups: xx/users/pcanywhere
AD ExternalGroups: xx/users/wifidata
AD ExternalGroups: xx/informatique/campus/destinataires/aa informatique
AD ExternalGroups: xx/informatique/campus/destinataires/aa entreprises et cités
AD ExternalGroups: xx/informatique/campus/destinataires/aa campus
AD ExternalGroups: xx/users/aiga_creches
AD ExternalGroups: xx/users/admins du domaine
AD ExternalGroups: xx/users/utilisa. du domaine
AD ExternalGroups: xx/users/groupe de réplication dont le mot de passe rodc est refusé
AD ExternalGroups: xx/microsoft exchange security groups/exchange view-only administrators
AD ExternalGroups: xx/microsoft exchange security groups/exchange public folder administrators
AD ExternalGroups: xx/users/certsvc_dcom_access
AD ExternalGroups: xx/builtin/administrateurs
AD ExternalGroups: xx/builtin/utilisateurs
AD ExternalGroups: xx/builtin/opérateurs de compte
AD ExternalGroups: xx/builtin/opérateurs de serveur
AD ExternalGroups: xx/builtin/utilisateurs du bureau à distance
AD ExternalGroups: xx/builtin/accès dcom service de certificats
RADIUS Username: xx\cennelin
Device IP Address: 172.25.2.87
Called-Station-ID: 00:3A:98:A5:3E:20
CiscoAVPair: ssid=CAMPUS
ssid: campus

 

 

2- Not OK, later:

Authentication Details

Source Timestamp: 2014-05-15 16:17:35.69
Received Timestamp: 2014-05-15 16:17:35.69
Policy Server: radius
Event: 5434 Endpoint conducted several failed authentications of the same scenario
Failure Reason: 15039 Rejected per authorization profile
Resolution: Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.
Root cause: Selected Authorization Profile contains ACCESS_REJECT attribute

.../...

Only 3 of the user's groups are seen:

Other Attributes

ConfigVersionId: 5
Device Port: 1645
DestinationPort: 1812
RadiusPacketType: AccessRequest
UserName: host/xxxxxxxxxxxx
Protocol: Radius
NAS-IP-Address: 172.25.2.80
NAS-Port: 51517
Framed-MTU: 1400
State: 37CPMSessionID=b0140a6f0000C2E15374CC7F;32SessionID=radius/189518899/49890;
cisco-nas-port: 51517
IsEndpointInRejectMode: false
AcsSessionID: radius/189518899/49890
DetailedInfo: Authentication succeed
SelectedAuthenticationIdentityStores: AD1
ADDomain: xxxxxxxxxxx
AuthorizationPolicyMatchedRule: Default
CPMSessionID: b0140a6f0000C2E15374CC7F
EndPointMACAddress: 00-xxxxxxxxxxxx
ISEPolicySetName: Default
AllowedProtocolMatchedRule: MDP-PC-PEAP
IdentitySelectionMatchedRule: Default
HostIdentityGroup: Endpoint Identity Groups:Profiled:Workstation
Model Name: Cisco
Location: Location#All Locations#Site-MDP
Device Type: Device Type#All Device Types#Cisco-Bornes
IdentityAccessRestricted: false
AD ExternalGroups: xx/users/ordinateurs du domaine
AD ExternalGroups: xx/users/certsvc_dcom_access
AD ExternalGroups: xx/builtin/accès dcom service de certificats
Called-Station-ID: 54:75:D0:DC:5B:7C
CiscoAVPair: ssid=CAMPUS

 

 

 

If you have an idea, thanks so much,

 

Regards,
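As an added illustration (not part of the original post and not ISE code), the following Python parses two pasted "Authentication Details" dumps in the fused key/value format shown above and lists the AD ExternalGroups present in the passing record but absent from the rejected one; the sample dumps are constructed from the thread with shortened names, and EXAMPLE-PC is a placeholder host.

```python
"""Added example: parse two ISE "Authentication Details" dumps and diff
their AD ExternalGroups. Sample dumps are constructed from the thread."""
from collections import defaultdict

# Keys used in the thread; the pasted dump fuses key and value with no separator.
KNOWN_KEYS = ("AD ExternalGroups", "RADIUS Username", "UserName", "CiscoAVPair",
              "Event", "Failure Reason", "AuthorizationPolicyMatchedRule")

def parse_details(text):
    """Return {key: [values]} for one pasted attribute dump."""
    attrs = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        for key in KNOWN_KEYS:  # no key here is a prefix of another, so order is safe
            if line.startswith(key):
                attrs[key].append(line[len(key):].strip())
                break
    return attrs

def identity(attrs):
    """Authenticated identity: RADIUS Username for a user, UserName otherwise."""
    return (attrs.get("RADIUS Username") or attrs.get("UserName") or ["?"])[0]

def compare_groups(ok_text, bad_text):
    """Diff the AD groups of a passing record against a failing one."""
    ok, bad = parse_details(ok_text), parse_details(bad_text)
    who = identity(bad)
    return {
        "ok_identity": identity(ok),
        "bad_identity": who,
        "missing": sorted(set(ok["AD ExternalGroups"]) - set(bad["AD ExternalGroups"])),
        # A host/ identity is a machine authentication: AD returns the computer
        # account's groups, so the user's groups cannot appear in that record.
        "machine_auth": who.lower().startswith("host/"),
    }

OK_DUMP = """AD ExternalGroupsxx/users/wifidata
AD ExternalGroupsxx/users/certsvc_dcom_access
AD ExternalGroupsxx/builtin/utilisateurs
RADIUS Usernamexx\\cennelin
CiscoAVPairssid=CAMPUS"""

BAD_DUMP = """Failure Reason15039 Rejected per authorization profile
UserNamehost/EXAMPLE-PC
AD ExternalGroupsxx/users/ordinateurs du domaine
AD ExternalGroupsxx/users/certsvc_dcom_access
CiscoAVPairssid=CAMPUS"""
```

Running compare_groups(OK_DUMP, BAD_DUMP) reports the two user groups missing from the rejected record and flags that record as a machine authentication, which is the first thing to check before suspecting the AD connection.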

 

 

 

 

 

 

4 REPLIES

Possibly, the AD is losing its connectivity with ISE.

New Member

Hello,

Indeed it is a possibility, and the AP WDS is behind a switch connected at 100 Mbps. We are going to move the WDS AP and plug it into the core switch.

 

Do you know how to get a log to watch connectivity between ISE and AD?

 

Thanks a lot

Gold

To configure debug logs via the Cisco ISE user interface, complete the following steps:

Step 1 Choose Administration > System > Logging > Debug Log Configuration. The Node List page appears, which contains a list of nodes and their personas.

You can use the Filter button to search for a specific node, particularly if the node list is large.

 

www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_logging.html#wp1059750

 

 

New Member

Hello,

Thanks to all.

We have connected the WDS directly to the core switch (where ISE and the DC were already connected); we have no more problems. The "backbone" of the LAN is at 100 Mbps...

 

Thanks,
