Troubleshoot ISE

Hi,

I'm having a problem with ISE not finding the username in an AD group in the Authorization Policy.

This applies to a computer as well, with another rule and Domain Computers.

The last setup is simple:

if X_AD:ExternalGroups EQUALS x.company.se/Users/Domain Users  then Permit_access

The user is in that group but it fails every time.

If I change the Default rule to PermitAccess he gets authorized so the authentication part is working.

I'm trying to read the LDAP debug log, ad_agent.log, but I'm not sure what I'm looking for here.

Is there a good way to test this?

Any troubleshooting tips are welcome.

Thanks

Mikael

3 Replies

jrabinow
Level 7

One thing you can do is the following:

- Find the authentication record for your request (go to Operations -> Authentications).

- When you see the record for your request, click on the Details icon for the record.

You will see the "Authentication Details" page. In the section "Authentication Details" there is an "Other Attributes" section that should include the list of AD groups that were in fact retrieved for the user, and you can see if this includes the one you were expecting.

When you are editing the rule, does it say if Any and ..., or do you have an identity group selected?

Sent from Cisco Technical Support iPad App

Looks like the problem is solved for now.

First, what we did to get the authorization problem was to move from one AD connection to another, with some indecision on where to use MSCHAPv2. We did leave one AD and joined the other one; the same authentication and authorization rules applied. After that it didn't work, as I described in my original post.

I did a deeper dive in the LDAP debug log, ad_agent.log, and when the client connects it looks like the ISE policy server tries to do a lookup against the old AD server and it fails. (See log below.)

I was thinking that I would have to run an application reset-config and start over, but the last thing I did yesterday was to force a resync on all ISE nodes just to have done that. And that did it; this morning everything worked like a charm.

Should say that the Replication Status and Sync Status were good (Complete and Sync completed) before I forced a resync. And we changed the AD connection 3 days ago, so plenty of time to replicate from the admin node to the policy nodes.

------------------------------------

Part of debug log from policy server

Old AD server:  dc02.company.se  /  dc01.company.se

New AD server: sdc02.something.company.se

May 31 14:18:59 isepol1 adclient[2057]: DEBUG network.state DC dc02.company.se(192.168.5.22) answered in 0.003574 secs: Success
May 31 14:18:59 isepol1 adclient[2057]: DEBUG util.io.connectutil Connected to 192.168.5.22 in 0.000741 seconds
May 31 14:18:59 isepol1 adclient[2057]: DEBUG util.io.connectutil Connected to 192.168.5.22 in 0.002682 seconds
May 31 14:18:59 isepol1 adclient[2057]: DEBUG util.io.connectutil Connected to 192.168.5.22 in 0.001521 seconds
May 31 14:18:59 isepol1 adclient[2057]: DEBUG util.io.connectutil Connected to 192.168.5.22 in 0.002062 seconds
May 31 14:18:59 isepol1 adclient[2057]: DEBUG util.io.connectutil Connected to 192.168.5.22 in 0.001246 seconds
May 31 14:18:59 isepol1 adclient[2057]: DEBUG network.state ProbePorts complete for dc02.company.se. Elapsed time 0.011185 secs
May 31 14:18:59 isepol1 adclient[2057]: DEBUG util.settings Setting dc.company.se to dc02.company.se
May 31 14:18:59 isepol1 adclient[2057]: DEBUG base.bind.healing trying unexpected disconnect reconnect dc01.company.se
May 31 14:18:59 isepol1 adclient[2057]: DIAG base.bind.ad Attempting connection to domain 'company.SE', server 'dc02.company.se',site ''
May 31 14:18:59 isepol1 adclient[2057]: DEBUG base.bind.ad Connecting to dc02.company.se:389
May 31 14:18:59 isepol1 adclient[2057]: DIAG base.bind.ldap 192.168.5.22:389 fetch dn="" filter="(objectclass=*)" timeout=11
May 31 14:18:59 isepol1 adclient[2057]: DEBUG lrpc.adobject new object:
May 31 14:18:59 isepol1 adclient[2057]: DEBUG base.bind.ad Connected root=DC=company,DC=se, domain=company.SE functionality=4
May 31 14:18:59 isepol1 adclient[2057]: DEBUG base.bind.ad Address of dc02.company.se is 192.168.5.22
May 31 14:18:59 isepol1 adclient[2057]: DEBUG base.bind.ad Performing LDAP binding with GSSAPI mechanisms to server - dc02.company.se
May 31 14:18:59 isepol1 adclient[2057]: DEBUG dns.findkdc KDC locator for something.company.SE
May 31 14:18:59 isepol1 adclient[2057]:last message repeated 3 times
May 31 14:18:59 isepol1 adclient[2057]: DEBUG base.osutil Module=Kerberos : SASL bind to ldap/dc02.company.se@company.SE - GSSAPI Mechanism with Kerberos error ": Server not found in Kerberos database" (reference base/adbind.cpp:495 rc: -1765328377)
May 31 14:18:59 isepol1 adclient[2057]: DEBUG base.bind.healing unexpected disconnect reconnect dc02.company.se failed: SASL bind to ldap/dc02.company.se@company.SE - GSSAPI Mechanism with Kerberos error ": Server not found in Kerberos database"
May 31 14:18:59 isepol1 adclient[2057]: DEBUG util.settings Setting domaincontroller to sdc02.something.company.se

Thanks

Mikael
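As an added example (not posted in this thread), a small Python check that pulls the same signals out of ad_agent.log lines as the follow-up above: which DC the agent attempted, which DC failed the GSSAPI/Kerberos bind and why, and which DC it finally configured. The sample log is constructed from the excerpt in the post; any DC that failed a bind and is not the finally configured DC is reported as a likely stale connection.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the ad_agent.log excerpt in the post above (not a real capture).
SAMPLE_LOG = """\
May 31 14:18:59 isepol1 adclient[2057]: DIAG base.bind.ad Attempting connection to domain 'company.SE', server 'dc02.company.se',site ''
May 31 14:18:59 isepol1 adclient[2057]: DEBUG base.bind.ad Connecting to dc02.company.se:389
May 31 14:18:59 isepol1 adclient[2057]:last message repeated 3 times
May 31 14:18:59 isepol1 adclient[2057]: DEBUG base.osutil Module=Kerberos : SASL bind to ldap/dc02.company.se@company.SE - GSSAPI Mechanism with Kerberos error ": Server not found in Kerberos database" (reference base/adbind.cpp:495 rc: -1765328377)
May 31 14:18:59 isepol1 adclient[2057]: DEBUG base.bind.healing unexpected disconnect reconnect dc02.company.se failed: SASL bind to ldap/dc02.company.se@company.SE - GSSAPI Mechanism with Kerberos error ": Server not found in Kerberos database"
May 31 14:18:59 isepol1 adclient[2057]: DEBUG util.settings Setting domaincontroller to sdc02.something.company.se
"""

# Generic adclient line: timestamp, host, process, LEVEL, module, message.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) adclient\[\d+\]:\s*"
                     r"(?P<level>[A-Z]+)\s+(?P<module>\S+) (?P<msg>.*)$")
ATTEMPT_RE = re.compile(r"Attempting connection to domain '(?P<domain>[^']+)', server '(?P<server>[^']+)'")
KRB_FAIL_RE = re.compile(r"SASL bind to ldap/(?P<server>[^@]+)@(?P<realm>\S+) .*Kerberos error \"(?P<err>[^\"]*)\"")
SET_DC_RE = re.compile(r"Setting domaincontroller to (?P<server>\S+)")


def analyse(log_text):
    """Collect attempted DCs, Kerberos bind failures per DC, and the DC finally selected."""
    failures = defaultdict(list)
    attempted = []
    configured_dc = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:  # e.g. "last message repeated 3 times" carries no level/module
            continue
        msg = m.group("msg")
        if a := ATTEMPT_RE.search(msg):
            attempted.append(a.group("server").lower())
        elif k := KRB_FAIL_RE.search(msg):
            failures[k.group("server").lower()].append(k.group("err").strip(": "))
        elif s := SET_DC_RE.search(msg):
            configured_dc = s.group("server").lower()
    return {"attempted": attempted, "failures": dict(failures), "configured_dc": configured_dc}


def stale_dcs(report):
    """DCs that failed the Kerberos bind and differ from the DC the agent ends up configured with."""
    return sorted(dc for dc in report["failures"] if dc != report["configured_dc"])


if __name__ == "__main__":
    rep = analyse(SAMPLE_LOG)
    for dc, errs in rep["failures"].items():
        print(f"{dc}: {len(errs)} Kerberos bind failure(s), last: {errs[-1]}")
    print("configured DC:", rep["configured_dc"], "| stale:", stale_dcs(rep))
```

Run it against a copy of ad_agent.log instead of SAMPLE_LOG to see whether a policy node is still healing connections to a DC that no longer belongs to the joined domain.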
