ISE Auth Failures After 1.3 Upgrade

wpalumbo06
Level 1

Hello,


We recently upgraded from 1.2 patch 14 to 1.3 patch 3 and began to see intermittent auth failures for wireless endpoints.  We use a distributed deployment with two ISE clusters (one per Data Center) and the issue is only occurring in one of the Data Centers - and ONLY affects wireless users...normal 802.1x endpoints (workstations) are not impacted at all.  This is the error that we see in the log for failed authentications:

24304 Communication with global catalog failed-
      server_name1.xxx.net,ERROR_LDAP_SERVER_DOWN
24304 Communication with global catalog failed-
      server_name2.xxx.net,ERROR_LDAP_SERVER_DOWN
24305 Failover threshold has been exceeded
24321 LDAP search in forest failed - xxx.net,ERROR_LDAP_SERVER_DOWN
24322 Identity resolution detected no matching account
      Identity resolution failed
24352 ERROR_NO_SUCH_USER_SOME_DOMAINS_NOT_AVAILABLE

Again, this ONLY happens for wireless users and all affected user accounts are valid.  Next thing we discovered was that the PSNs were intermittently reporting AD connectivity issues in the affected Data Center:

AD status turns red and this message is displayed: "A service is not available that is required to process the request".  This alert is sent to the ISE admins:

ISE Alarm : Warning : AD: Machine TGT refresh failed. Domain Name=XXX.NET Error Details=A service is not available that is required to process the request Server=XXXXXXXXpsn2

These errors are intermittent and are affecting all ISE PSNs in the problematic Data Center.  There are no network connectivity issues between the ISE PSNs and AD and AD itself has been verified as OK, again - it is processing normal 802.1x authentications with no issues.

TAC is working this but I wanted to throw this out to a wider group as I am sure I am not the first person to see this issue.  I know the AD connector was changed for 1.3 and I have read that there are some specific AD permissions requirements but I am no AD expert and don't have the access to investigate that side anyway.

Thanks in advance for any assistance!

Bill

3 Replies

mukka
Level 1

Hi Bill,

Did you solve this issue?

I have a similar issue during the ISE 1.4 deployment. Just some users have faced this behavior.

thanks,

Murilo

Possibly but 1.4 has its own issues from what I have read.  Are your PSNs behind an F5 load balancer?

Hi,

I am just testing F5 load balancing on ISE PSNs and now getting this error message as well.

Why did you ask about it? Any suggestions?

thanks