Endpoints are hitting default rule even though the policies are there

aravikumar
Level 1

Hi


We have more than 20000 endpoints in our customer environment. All the endpoints are hitting the default rule even though it used to hit the correct rule. After doing a reauth manually from ISE live sessions or from switch level the endpoint is hitting the right rule. To remediate this we have enabled Reauth in global CoA settings and also have reauth pushed in the Catch-All rule (Default rule in our scenario here). But still we see endpoints hitting the default rule and the count keeps increasing. In the last two days it has gone from 900 to 1500 endpoints. Any suggestions to troubleshoot this scenario will be appreciated. We are running ISE 2.7 patch 5 and also have the hotfixes for log4j installed. All are 3695 physical appliances.


Thanks,


Aravind Ravikumar


1 Accepted Solution

thomas
Cisco Employee

Clearly it is not matching your authorization rules.

However you have not provided any policy nor authentication details to review.

See How to Ask The Community for Help for advice next time.

Call TAC and they will step you through the things to look for in troubleshooting.


4 Replies

Arne Bier
VIP

What has changed to cause this anomalous behaviour? Did you apply an ISE patch, upgrade your NAS/NAD software, or make some global changes in ISE?

You need to capture some of these RADIUS Access-Requests and analyse in Wireshark whether the packet is structured as you'd expect - e.g. is the Service-Type correct? Or how does the User-Name field look?

Have you tried application stop/start of your PSNs in case this is an internal ISE fault?
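As an added example (not from this thread, and not Cisco's or ISE's own code), a small Python decoder for the RADIUS Access-Request fields Arne points at: it parses the attribute TLVs, rejects inconsistent lengths, and applies the same checks as ISE's built-in Wired_MAB and Wired_802.1X compound conditions (NAS-Port-Type Ethernet with Service-Type Call-Check or Framed). The packet it runs on is constructed inline, not a real capture.

```python
import struct

# RADIUS attribute types and values from RFC 2865 that the classification uses
USER_NAME, SERVICE_TYPE, CALLING_STATION_ID, NAS_PORT_TYPE, EAP_MESSAGE = 1, 6, 31, 61, 79
SVC_FRAMED, SVC_CALL_CHECK, PORT_ETHERNET, ACCESS_REQUEST = 2, 10, 15, 1

def parse_radius(packet: bytes) -> dict:
    """Parse the 20-byte header and the attribute TLVs; reject inconsistent lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"Length field {length} != {len(packet)} bytes on the wire")
    attrs, offset = {}, 20
    while offset < length:
        if offset + 2 > length or packet[offset + 1] < 2 or offset + packet[offset + 1] > length:
            raise ValueError(f"malformed attribute at offset {offset}")
        atype, alen = packet[offset], packet[offset + 1]
        attrs.setdefault(atype, []).append(packet[offset + 2 : offset + alen])
        offset += alen
    return {"code": code, "id": ident, "attrs": attrs}

def classify_request(parsed: dict) -> str:
    """Mirror ISE's built-in Wired_MAB and Wired_802.1X compound conditions."""
    attrs = parsed["attrs"]
    def u32(atype):
        return struct.unpack("!I", attrs[atype][0])[0] if atype in attrs else None
    if parsed["code"] != ACCESS_REQUEST or u32(NAS_PORT_TYPE) != PORT_ETHERNET:
        return "not-a-wired-access-request"
    if u32(SERVICE_TYPE) == SVC_CALL_CHECK and EAP_MESSAGE not in attrs:
        return "Wired_MAB"
    if u32(SERVICE_TYPE) == SVC_FRAMED and EAP_MESSAGE in attrs:
        return "Wired_802.1X"
    return "no-wired-condition-matched"  # neither condition matches; worth a closer look in Wireshark

def build_access_request(attrs, ident=7) -> bytes:
    """Assemble a constructed Access-Request with an all-zero Request Authenticator."""
    body = b"".join(bytes([atype, len(val) + 2]) + val for atype, val in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + bytes(16) + body

# Constructed sample (not a real capture): a switch's MAB request carries the MAC as User-Name
MAB_REQUEST = build_access_request([
    (USER_NAME, b"001122334455"),
    (CALLING_STATION_ID, b"00-11-22-33-44-55"),
    (SERVICE_TYPE, struct.pack("!I", SVC_CALL_CHECK)),
    (NAS_PORT_TYPE, struct.pack("!I", PORT_ETHERNET)),
])

if __name__ == "__main__":
    print(classify_request(parse_radius(MAB_REQUEST)))  # Wired_MAB
```

Feeding it bytes exported from a Wireshark capture (the UDP payload of one Access-Request) shows at a glance whether Service-Type, User-Name and NAS-Port-Type are what the policy-set condition expects.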

Hi Thomas,


We would not be able to post the authorization rule details here. The authentications are both MAB based and 802.1X based, and authorizations are PEAP MS-CHAP for dot1x and Identity groups for MAB, but it requires action from port level to make the endpoint hit the correct authz rule. There are around 100-150 authz rules. I do understand that it is a top down approach when it comes to ISE assigning the authz policies post authentication, but it does not make actual sense for an endpoint which was authorizing with the right authorization rule to move to the default rule with no changes being made to the ISE or NAD configuration (Note: this happens whether CoA reauth is enabled or not globally). We should not be relying on the clear auth sessions command on the switch to make the endpoint authorize in the correct profile again. Will reach out to TAC about this.


Thanks,


Aravind.


The defined Policy Set should be MAB OR 802.1X (not MAB AND 802.1X). Can you confirm that?