Guest

Preview Tool

Cisco Bug: CSCun97251 - ISE 1.1.4 cannot find machine with DNS suffix not on DC Groups

Last Modified

Jun 09, 2016

Products (1)

  • Cisco Identity Services Engine

Known Affected Releases

1.1(4.218) 1.3(0.626)

Description (partial)

Symptom:
Machine Authentication fails on several clients from time to time. Problem occurs from time to time, in the ISE report we can see "22056 Subject not found in the applicable identity store(s)" and "5411  No response received during 120 seconds on last EAP message sent to the client" as the reason for failure.

Conditions:
Due to a disjoint namespace problem, machine authentication on 802.1x over a AD Server may fail if the SPN being used by the suplicant contains a DNS suffix which does not exist on the Domain Controller Group List.

802.1x machine suplicant sending full qualify hostname during authentication process inclusing a DNS suffix which does not exist on the Domain Controller Groups list.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.