Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

ISE authentication fail during windows re-logon

Background:

Deployed a Cisco ISE 1.1.2. that is used to authenticate and posture validate for wired users, attached to Cisco IP Phones. Backend database is Microsoft AD.

Problem:

At the first time both, users and IP Phones, pass authentication and posture validation steps successfully. When the user logs off from windows, the log off is done whithout any problem, and I can see it switch.

The problem takes place when the user try to log on again. The ise does not match the configured authenticion rules as in the first time, and put the user directly to default "DenyAccess" policy (rule).

Anyone out there experienced something similar or have any ideas on why this is happening?

Thanks.

8 REPLIES
New Member

ISE authentication fail during windows re-logon

Cisco ISE network enforcement points (switches) may be missing key configuration commands, may be assigning the wrong port (i.e., a port other than 1700), or have an incorrect or incorrectly entered key.

Ensure the following commands are present in the switch configuration file.

aaa server radius dynamic-author

client server-key

Cisco Employee

ISE authentication fail during windows re-logon

Hi

Possible Causes

This could be either a MAB or 802.1X authentication issue.

The authorization profile could be missing the Cisco av-pair=”device-traffic-class=voice” attribute. As a result, the switch does not recognize the traffic on the voice VLAN.

The administrator did not add the endpoint as static identity, or did not allow an unregistered endpoint to pass. create a policy rule to (“Continue/Continue/Continue” upon failure).

Resolution

Verify that the Authorization Policy is framed properly for groups and conditions, and check to see whether the IP phone is profiled as an “IP phone”or as a “Cisco-device.”

Verify the switch port configuration for multidomain and voice VLAN configuration.

Add the continue/continue/continue to allow the endpoint to pass:

Choose Policy > Policy Elements > Results > Authentication > Allowed

Protocols to create a Protocol Policy. MAC authentications use PAP/ASCII and EAP-MD5 protocols. Enable the following MAB Protocols settings:

Process Host Lookup

PAP/ASCII

Detect PAP as Host Lookup

EAP-MD5

Detect EAP-MD5 as Host Lookup

From the main menu, choose Policy > Authentication.

Change the authentication method from Simple to Rule-Based

Use the action icon to create new Authentication Method entries for MAB:

Name: MAB

Condition: IF MAB RADIUS:Service-Type == Call Check

Protocols: allow protocols MAB_Protocols and use

Identity Source: Internal

Hosts: Continue/Continue/Continue

ISE authentication fail during windows re-logon

Please refer to the discussion below

https://supportforums.cisco.com/thread/2188052

ISE authentication fail during windows re-logon

Troubleshooting Steps:

1. Choose Monitor > Authentications.

2. Scroll over and look for the "Failure reason."

Please Look for the details of the failed authentication record and click on the failure reason link under

Details > Resolution for the Authentication. The failure reason should be listed.

Correct the failure reason per the findings that are defined in the Possible Causes.

Cisco Employee

ISE authentication fail during windows re-logon

Check the Cisco ISE dashboard (Monitor > Authentications)  for any indication regarding the nature of RADIUS communication loss.  (Look for instances of your specified RADIUS usernames and scan the  system messages that are associated with any error message entries.)

Log into the Cisco ISE CLI and enter the following command to produce RADIUS attribute output that may aid in debugging connection issues:

test aaa group radius new-code

If this test command is successful, you should see the following attributes:

Connect port

Connect NAD IP address

Connect Policy Service ISE node IP address

Correct server key

Recognized username or password

Connectivity between the NAD and Policy Service ISE node

You can also use this command to help narrow the focus of the potential  problem with RADIUS communication by deliberately specifying incorrect  parameter values in the command line and then returning to the  administrator dashboard (Monitor > Authentications)  to view the type and frequency of error message entries that result  from the incorrect command line. For example, to test whether or not  user credentials may be the source of the problem, enter a username and  or password that you know is incorrect, and then go look for error message entries that are pertinent to that username in the Monitor > Authentications page to see what Cisco ISE is reporting.)

Note This  command does not validate whether or not the NAD is configured to use  RADIUS, nor does it verify whether the NAD is configured to use the new  AAA model.

ISE authentication fail during windows re-logon

Paulo,

Can you tell us more about the policies? Are you doing machine authentication and does your authentication policy for user authentication also include a condition for machine authentication? If you can provide some screenshots of your authorization policies along with the authentication report, that will help troubleshoot your issue much faster.

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*

Re: ISE authentication fail during windows re-logon

Hello everyone!

Thank you so much fore your help and attention!

But before changing any policy statement. I preffer try to find a solution/workaround in client machine side.

I've been doing some tests on the LAB environment, and I think that I find out the way to solve the problem.

I'm going to do more consistent tests in production inviroment.

The solution consists in the machine dot1x suplicant side (seet attachement - sorry my windows is in Portuguese).

.

Re: ISE authentication fail during windows re-logon

Hello guys,

The as I metioned before. The I've got the enviromment working fine by enabling only "User Authentication" and "Single Sing On" as showed in picture I sent before.

Thanks every one for helping me.

Paulo Magalhães

*Please rate helpful posts*

550
Views
13
Helpful
8
Replies