628 Views, 0 Helpful, 3 Replies

ISE Authentication issue

Maurice Ball
Level 3

Does Cisco ISE use the Windows "Pre-Windows 2000 Compatible Access" security group in Active Directory to retrieve user and security group information from Active Directory? The reason I am asking is that we removed "Authenticated Users" from the "Pre-Windows 2000 Compatible Access" security group and authentication started to fail for users. Note: the ISE nodes are members of the "Authenticated Users" group. We also noticed an error on ISE stating it could no longer retrieve user and group information from Active Directory. We added the nodes back to "Pre-Windows 2000 Compatible Access" individually and restarted the nodes, and the issue was resolved. I am not sure whether it was the restart or adding the nodes back to the security group that solved the issue.

2 Accepted Solutions


thomas
Cisco Employee

By searching the Internet for ISE "Windows 2000 Compatible Access" I found

https://community.cisco.com/t5/network-access-control/ise-2-3-and-active-directory-probe/td-p/3351475 which says it is required in ISE 2.x.

Also, when I search the ISE 3.3 Admin Guide for "pre-windows" I find

Active Directory as an External Identity Source

Cisco ISE uses Microsoft Active Directory as an external identity source to access resources such as users, machines, groups, and attributes. User and machine authentication in Active Directory allows network access only to users and devices that are listed in Active Directory.

After a Cisco ISE node joins Active Directory, in Active Directory, it is a member of the Authenticated Users group. The Authenticated Users group is a member of the Pre-Windows 2000 group by default. If you disable the Pre-Windows 2000 group or remove Authenticated Users from the Pre-Windows 2000 group, authentication failures occur.

We recommend that you do not disable the Pre-Windows 2000 group. However, if you must disable this group for any reason, grant the Read Remote Access Information permission to Cisco ISE in AD for the relevant users or users' folders.
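The answer above leaves two practical tasks: confirming whether Authenticated Users is still in Pre-Windows 2000 Compatible Access, and, if you keep it out (the hardened state), granting only the ISE machine accounts the Read Remote Access Information right on the user objects ISE must read. The script below is an added example, not code from this thread or from Cisco. It assumes the RSAT ActiveDirectory PowerShell module, rights to edit the OU's ACL, and placeholder values for the user OU and the ISE computer-account names, which you must replace with your own. The Read Remote Access Information right is implemented here as ReadProperty on the "Remote Access Information" property set, which the script looks up from the forest's Extended-Rights container rather than hard-coding the GUID.

```powershell
# Added example, not code from the thread or from Cisco. Assumes the RSAT
# ActiveDirectory module and rights to edit the OU ACL. The OU path and the
# ISE computer-account names below are placeholders; replace them with yours.
Import-Module ActiveDirectory

$UserOu   = 'OU=Users,DC=example,DC=com'   # placeholder: container holding the users ISE authenticates
$IseNodes = @('ISE-PAN-01', 'ISE-PSN-01')   # placeholder: sAMAccountNames (without $) of the ISE machine accounts

# Check: is Authenticated Users (well-known SID S-1-5-11) still a member of
# Pre-Windows 2000 Compatible Access (well-known SID S-1-5-32-554)?
# Reading the raw 'member' attribute avoids Get-ADGroupMember failing on the
# foreign security principal that represents a well-known SID.
function Test-PreWin2kHasAuthenticatedUsers {
    $group = Get-ADGroup -Identity 'S-1-5-32-554' -Properties member
    return [bool]($group.member | Where-Object { $_ -like 'CN=S-1-5-11,CN=ForeignSecurityPrincipals,*' })
}

# Remediation: grant the ISE machine accounts ReadProperty on the
# "Remote Access Information" property set, inherited by user objects under $Ou.
function Grant-IseReadRemoteAccessInfo {
    param([string]$Ou, [string[]]$ComputerNames)

    $rootDse = Get-ADRootDSE
    # Property-set GUID for "Remote Access Information", from Extended-Rights.
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" `
                -LDAPFilter '(&(objectClass=controlAccessRight)(displayName=Remote Access Information))' `
                -Properties rightsGuid
    if (-not $right) { throw 'Remote Access Information property set not found in Extended-Rights' }
    $rasGuid = [guid]$right.rightsGuid

    # schemaIDGUID of the 'user' class, so the ACE applies to user objects only.
    $userClass = Get-ADObject -SearchBase $rootDse.SchemaNamingContext `
                    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID
    $userClassGuid = [guid]$userClass.schemaIDGUID

    $acl = Get-Acl -Path "AD:\$Ou"
    foreach ($name in $ComputerNames) {
        $sid = (Get-ADComputer -Identity $name).SID
        # Allow: ReadProperty, object type = RAS property set, inherited by descendant user objects.
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $rasGuid,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $userClassGuid)
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path "AD:\$Ou" -AclObject $acl
}

if (Test-PreWin2kHasAuthenticatedUsers) {
    Write-Host 'Authenticated Users is still in Pre-Windows 2000 Compatible Access; ISE reads work by default.'
} else {
    Write-Host 'Authenticated Users is not in Pre-Windows 2000 Compatible Access; granting ISE nodes the scoped read right.'
    Grant-IseReadRemoteAccessInfo -Ou $UserOu -ComputerNames $IseNodes
}
```

Run it once per container that holds accounts ISE must read. The admin guide text quoted above names "the relevant users or users' folders" without saying which attributes ISE reads beyond that right, so after applying the ACE, test an actual user authentication against each ISE node rather than relying on the ACL alone; the ISE node restart the original poster mentioned is not needed for an AD permission change to take effect, because the permission is evaluated by the domain controller on each read.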

Thanks, this is exactly what I needed to know.


3 Replies

balaji.bandi
Hall of Fame

What ISE version? Check the compatibility matrix:

https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/compatibility_doc/b_ise_sdt_31.html

"I am not sure if it was the restart or the adding the nodes back to the security group is what solved the issue."

- Looks to me like some connection was broken, which was resolved by the restart or the re-add? (A Windows restart fixes many issues.) That does not mean ISE has no bugs at all.

BB

