Cisco ISE 1.3 failed to authenticate wireless endpoint

Dear all,
I recently have a big problem of my ISE after upgraded from version 1.2 to 1.3, the original plan is follow for wireless laptop authenticate to our network.
There are 2 SSID, REG and INT, when the user and laptop first time use the WIFI, they need to request a user certificate from CA, and they need to login to the REG SSID with AD username and password. The Wireless controller 2504 will pass the packet to ISE, the use will use 802.1x authen method with PEAP to request for cert. if the authentication successful, the user need to open a web browser and the NSP page of ISE will shown up for user to register, and the CA will generate the user cert to user. Then the SSID will switch to INT and using EAP/TLS to authenticate the user cert with the CA.
That was fine when working in ISE 1.2. However, after upgrade to 1.3 because of the proxy setting in 1.3 allow to input username and password which our proxy server required and cannot be changed. Under 1.3 the authentication failed even in the first step of authentication policy of ISE, the policy will check if the laptop using 802.1x and login by AD account, then it will pass to authorization policy. But when I check the log, there is always have the error message 5411 Supplicant stopped responding to ISE , 12930 Supplicant stopped responding to ISE after sending it the first PEAP message , 5440 Endpoint abandoned EAP session and started new
I have search long time in the Internet but without any help, appreciate if any expert can help me. I have also upload the debug message from our ISE for reference.
Thank you
Best Regards,
Terry Chow

Hi Terry,
Just wondering if you got an answer to your problem?
I am deploying a new solution with ISE 1.3 and I was having a similar problem with my wireless users when I tried to enable it last night
Cheers,
John

Similar Messages

  • Cisco ISE 1.1.4 Patch 7 (Internal Endpoint Mac Addresses Getting Disppeared)

    Hi Folks,
    I am having issue that mac addresses which we are trying to add under Internal Endpoint Group for MAB getting disappear automatically after few minutes. We tried multiple mac addresses but result same. We can see the mac address which we added earlier but new mac address getting disappear. Is there any limit to add mac address under Internal Endpoint. We have following licenses.
    L-ISE-ADV-1K-M=  Cisco ISE 1000 EndPoint Advanced + Base Migration License
    Thanks

    Tabish,
    We'll update the latest patch and then look for the work around from any one of our Cisco experts

  • Cisco ISE Guest Authentication Failed : 86020: Unknown exception

    Hi,
    I would like to check what may be causing the error message 86020:unknown exception for ise when guest user authenticates via wireless using CWA? I have also attached a screen capture of the error and after the authenitcation logs change to autheorization only succeed after a repeated trying. Based on user feedback for failed login, When guest user gets conected to wirless and login in to guest  portal with credential after putting credential  then its again redirect  to same login page wihout successful login prompt; not too sure if there may be any settings that may be looked into and the reason for the unknown exception error?
    Any suggestion/recommendation is appreciated.

    Hi Tarik,
    Not too sure if i understand on the static hostname for redirection; there are 2 PSNs for the deployment however they are acting as active/secondary for the wireless (This is done from the wlan on the wlc to set the primary/secondary radius server). From the guest redirection; it is always hitting the primary radius server defined on the wlan/wlc. The ise is running version 1.1.4 with patch 8 applied.
    Not  too sure if there may be any settings that may be looked into for the guest authentication/redirection and the reason for the unknown exception error?
    Thanks.

  • Cisco ISE and Authentication Failed VLAN

    I am trying to setup ISE to assign a VLAN to unauthorized computers. I tried using "authentication event fail action authorize vlan 666" command but unfortunately I'm using multi-auth because we have users with bridged VMs and Cisco does not support it (http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1454875).
    Is there a way to make an Authorization/Authentication profile within ISE to assign the VLAN to failed devices?

    You can set endpoint protection status to quarantine, and establish policies  that assign different
    authorization profiles, depending on the status of the  endpoint.
    Quarantine essentially moves an endpoint from its default VLAN to a  specified Quarantine VLAN. The
    The Quarantine VLAN must be previously defined  by a network administrator and supported on the
    same NAS as the endpoint.  Unquarantine reverses the quarantine action, returning the endpoint to  its
    original VLAN.
    The quarantine and unquarantine actions are performed  as a result of established Authorization Rules
    that are defined to check for  EPSStatus
    http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_eps.html#wp1219979

  • Cisco ISE protocols for ldap and Windows wireless client

    Only the protocols below are supported by ise in combination with ldap identity sources.
    EAP-GTC, PAP, EAP-TLS, PEAP-TLS.
    Mac OS devices seem to be able to use these but Windows users seem to be having problems. How should windows users connect with ise that only uses ldap?

    Mathieu,
    Take a look at the user guide for NAM -
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac04namconfig.html
    You will see the protocols support like GTC that should allow you not to have to deploy certs.
    Thanks.
    Tarik Admani
    *Please rate helpful posts*

  • Cisco ise on vm Failed to start database

    vmware 4.1 (or maybe 4.0.1)
    configured with 2 core minimum freq 3.6Ghz
    200Gb HD on single physical drive (minimum requirement),
    no thin provisioning
    datastore vmfs 3, 2Mb block size,
    ethernet : flexible network adapter
    ram 4Gb
    Scsi controller
    setup......
    bum
    ISE Database listener not ready yet. Seconds left before timeout: 0
    error:[cpminitialsetup.sh]
    ERROR: FAILED TO START DB!
    Database is not available within timeout of 240 seconds.
    This could be the result of incorrect network interface configuration,
    or lack of resources on the appliance or VM.  Please fix the issue and
    run the following CLI to re-prime database:
    'application reset-config ise'
    error:[cpminitialsetup.sh]
    Any advice?

    Hi Tarik,
    I am getting the same error message:
    Starting ISE database processes...
    ERROR: FAILED TO START DB!
    Database is not available within timeout of 240 seconds.
    This could be the result of incorrect network interface configuration,
    or lack of resources on the appliance or VM. Please fix the issue and
    run the following CLI to re-prime database:
    'application reset-config ise'
    This happend when i did command 'application reset-config ise' on a 3395 appliance running 1.1.1.268 code
    i appreciate your assistance

  • Inline Posture between Cisco ISE and Wireless LAN Controller

    Hi,
    I was looking into Cisco ISE solution for deploying NAC.
    I have a question about the network topology.
    In  the user guide documents of cisco ISE, it is written that for Wireless  LAN Controllers (WLC) and VPN devices, an additional server, Inline Posture, is needed.
    However, in the following integration document, there is not an inline posture between WLC and Cisco ISE server.
    https://supportforums.cisco.com/docs/DOC-18121
    I  want to know if Inline Posture is a requirement, if not a  requirement, what are the benefits of having it between Cisco ISE Server  and WLC.
    Thanks & Regards
    Sinan

    Hello,
    Please go through below mentioned links which might be helpful for you.
    http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_ipep_deploy.html
    http://www.cisco.com/en/US/docs/security/ise/1.2/installation_guide/ise_deploy.html
    Best Regards,

  • Cisco ISE AD (Windows Server 2013) Authentication Problem

    Background:
    Deployed two Cisco ISE 1.1.3. ISE will be used to authenticate wireless users, admin access to WLC and switches. Backend database is Microsoft AD running on Windows Server 2012. Existing Cisco ACS 4.2 still running and authenticating users. There are two Cisco WLCs version 7.2.111.3.
    Wireless users authenticates to AD through ACS 4.2 works. Admin access to WLC and switches to AD through ISE works. Wireless authentication using PEAP-MSCHAPv2 and admin access wtih PAP/ASCII.
    Problem:
    Wireless users cannot authenticate to AD through ISE. The below is the error message "11051 RADIUS packet contains invalid state attribute" & "24444 Active Directory operation has failed because of an unspecified error in the ISE".
    Conducted a detailed test of AD from ISE. The test was successful and the output seems all right except for the below:
    xxdc01.xx.com (10.21.3.1)
    Pinged:0 Mins Ago
    State:down
    xxdc02.xx.com (10.21.3.2)
    Pinged:0 Mins Ago
    State:down
    xxdc01.xx.com
    Last Success:Thu Jan  1 10:00:00 1970
    Last Failure:Mon Mar 11 11:18:04 2013
    Successes:0
    Failures:11006
    xxdc02.xx.com
    Last Success:Mon Mar 11 09:43:31 2013
    Last Failure:Mon Mar 11 11:18:04 2013
    Successes:25
    Failures:11006
    Domain Controller: xxdc02.xx.com:389
        Domain Controller Type: Unknown DC Functional Level: 5
        Domain Name:            xx.COM
        IsGlobalCatalogReady:   TRUE
        DomainFunctionality:           2 = (DS_BEHAVIOR_WIN2003)
        ForestFunctionality:           2 = (DS_BEHAVIOR_WIN2003)
    Action Taken:
    Log on to Cisco ISE and WLC using AD credentials. This rules out AD connection, clock and AAA shared secret as the problem.
    2)     Tested wireless authentication using EAP-FAST but same problem occurs.
    3)     Detailed error message shows the below. This rules out any authentication and authorization polices. Before even hitting the authentication policy, the AD lookup fails.     
    12304  Extracted EAP-Response containing PEAP challenge-response
    11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity Store - AD1
    24430  Authenticating user against Active Directory
    24444  Active Directory operation has failed because of an unspecified error in the ISE
    4)     Enabled AD debugging logging and had a look at the logging. Nothing significant and no clues to the problem.
    5)     Tested wireless on different laptos and mobile phones with same error
    6)     Delete and add again AAA Client/Devices on both Cisco ISE and WLC
    7)     Restarted ISE services
    8)     Rejoin domain on Cisco ISE
    9)     Checked release notes of ISE 1.1.3 and WLC 7.2.111.3 for any open caveats. Nothing found related to this problem.
    10)    There are two ISE and two WLC deployed. Tested different combination of ISE1 to WLC1, ISE1 to WLC2 etc. This rules out hardware issue of WLC.
    Other possibilities/action:
    1)     Test it out on a different WLC version. Will have to wait outage approval to upgrade WLC software.
    2)     Incompatibility of Cisco ISE and AD running on Microsoft Windows Server 2012
    Anyone out there experienced something similar of have any ideas on why this is happening?
    Thanks.
    Update:
    1) Built another Cisco ISE 1.1.3 sever in another datacentre that uses the same domain but different domain controller. Thais domain controller is running Windows Server 2008. This works and authentication successful.
    2) My colleague tested out in a lab environment of Cisco ISE 1.1.2 with Windows Server 2012. He got the same problem as described.
    This leads me to think there is a compatibility issue of Cisco ISE with Windows Server 2012.

    Does anyone know if ISE 1.1.3 p1 supports AD DCs running 2012, if not which patch is required ot version?
    Worryingly when ISE joins a 2012 DC it states it's connected successfully, and if another 2003 DC is available in that datacentre it will perform the auths against that DC whilst actually advertising (Connections in the GUI) that it's connected to the 2012 DC. We ended up mapping 8 PSN IP’s to another datacentre which has one Win2003 servers whilst the old 2003 DC is being promoted back, the 8 ISE servers started working, even though they still advertised they were connected to the 2012 DCs in the original datacentre - I performed a leave and join on one PSN and only then did it advertise that the node was connected to a DC in a different datacentre

  • Cisco ISE - Reauthentication of client if server becomes alive again

    Dears,
    I have this case where Cisco ISE server is used to authenticate & authorize clients on the network.
    I configured the switch port to authorize the client in case the ISE server is dead (or not reachable).
    The thing is that I want to reauthenticate the client once the ISE server becomes alive again but I am not able to.. ("Additional Information is needed to connect to this network" bullet is not appearing and the client PC remains authenticated and assigned to the VLAN.
    Below is the switch port configuration:
    interface FastEthernet0/5
    switchport access vlan 240
    switchport mode access
    switchport voice vlan 156
    authentication event server dead action authorize vlan 240
    authentication event server alive action reinitialize
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority mab
    authentication port-control auto
    mab
    dot1x pae authenticator
    spanning-tree portfast
    Anyone can help?
    Regards,

    Please check whether the switch is dropping the connection or the server.
    Symptoms or Issue
     802.1X and MAB authentication and authorization are successful, but the switch is dropping active sessions and the epm session summary command does not display any active sessions.
    Conditions
     This applies to user sessions that have logged in successfully and are then being terminated by the switch.
    Possible Causes
     •The preauthentication ACL (and the subsequent DACL enforcement from Cisco ISE) on the NAD may not be configured correctly for that session.  
    •The preauthentication ACL is configured and the DACL is downloaded from Cisco ISE, but the switch brings the session down.  
    •Cisco ISE may be enforcing a preposture VLAN assignment rather than the (correct) postposture VLAN, which can also bring down the session.
    Resolution
     •Ensure the Cisco IOS release on the switch is equal to or more recent than Cisco IOS Release 12.2.(53)SE.  
    •Check to see whether or not the DACL name in Cisco ISE contains a blank space (possibly around or near a hyphen "-"). There should be no space in the DACL name. Then ensure that the DACL syntax is correct and that it contains no extra spaces.  
    •Ensure that the following configuration exists on the switch to interpret the DACL properly (if not enabled, the switch may terminate the session):  
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server vsa send accounting
    radius-server vsa send authentication

  • Cisco ISE - Not use FQDN in url-redirect parameter

    Hi,
    I am using Cisco ISE Central Web Authentication for Guest Wireless. Clients are redirected for web authentication to: https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa as it is specified by the url-redirect parameter in the Authorization Profile.
    The “ip” field in the url is now replaced by the FQDN of the Cisco ISE, but I want to use the IP address instead of the FQDN. Is there any way to do that?
    As far as I know in version 1.2 you can use the “ip host/no ip host” command to indicate what you want to use in the URL. However my Cisco ISE is running version 1.1.1.268.
    Thank you very much.
    Joana.

    Available in 1.2, and available as a "bit of a bodge" in 1.1.x  (read "a lot of a bodge")
    If you only have one PSN then you may be able to get it to work, but after that you lose the ability to get the session to be pointed automatically at whichever PSN they hit initially so it would break.
    Copy the settings that are applied when you use CWA, then create your own based on the same settings but using the ip address pasted in there instead.

  • Cisco ISE v1.1

    I'm looking for Cisco ISE v1.1 to use the following licensing feature.
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/qa_c67-658591.htmlEndpoint is dynamically profiled by Cisco ISE and assigned  dynamically or statically to an endpoint identity group. Cisco ISE authorization  rules do not use this endpoint identity group.
    End result: As of Cisco ISE 1.0, one license from  Base package is used up and one license from Advanced package is used up. By  Cisco ISE 1.1 scenario this scenario will be fixed to use up only one license  from Base package. Because profiled identity group is not used in the  Authorization Policy, no Advanced license is consumed.
    Last time I heard, v1.1 is due in first week of December, I would like to know if that is true.
    Thanks,
    Vijay

    There is a release that may include some relevant functionality for this licensing issue
    Version on CCO is ise-appbundle-1.0.4.573.i386.tar.gz
    See http://www.cisco.com/en/US/partner/docs/security/ise/1.0.4/release_notes/ise104_rn.html#wp207280
    text from release notes reads as follows:
    The Cisco ISE, Release 1.0.4 implements a change that Cisco ISE cannot consume advanced licenses when endpoints are statically assigned to a profile. The number of endpoints that are dynamically profiled can only be compared against the limit of the advanced licenses. The endpoints that are statically assigned to a profile are now excluded from utilizing licenses included in the advanced license package, but they are still compared against the limit of base licenses. Earlier in the Cisco ISE, Release 1.0, it compares the total number of concurrent endpoints across the entire deployment against the limit of the advanced licenses.

  • Did Cisco ISE have limitation for policy setting?

    Deat All,
    Did anyone know about Cisco ISE limitation about policy setting?
    Right now my setting for windows posture policy around 200 windows patch checking, did ISE have limitation such as maximum windows patching policy line?
    Thanks you
    Best Regards

    Here is the nswer for your first question.
    Cisco ISE profiler collects a significant amount of endpoint data from the network in a short period of time. It causes Java Virtual Machine (JVM) memory utilization to go up due to accumulated backlog when some of the slower Cisco ISE components process the data generated by the profiler, which results in performance degradation and stability issues.
    To ensure that the profiler does not increase the JVM memory utilization and prevent JVM to go out of memory and restart, limits are applied to the following internal components of the profiler:
    Endpoint Cache—Internal cache is limited in size that has to be purged periodically (based on least recently used strategy) when the size exceeds the limit.
    Forwarder—The main ingress queue of endpoint information collected by the profiler.
    Event Handler—An internal queue that disconnects a fast component, which feeds data to a slower processing component (typically related to a database query).
    For more information go through :
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_prof_pol.html#12624

  • Cisco ISE Failure: 24408 User authentication against Active Directory failed since user has entered the wrong password

    Hi,
    Since we implemented Cisco ISE we receive the following failure on several Notebooks:
    Authentication failed : 24408 User authentication against Active Directory failed since user has entered the wrong password
    This happens 2 or 3 times per Day. So basically the authentications are working. But when the failure appears, the connection is lost for a short time.
    The Clients are using PEAP(EAP-MSCHAPv2) for Authentication. We've got a Cisco Wireless Environment (WLC 5508).
    Why is this happening?
    Thanks,
    Marc

    The possible causes of this error message are:
    1.] If the end user entered an incorrect username.
    2.] The shared sceret between WLC and ISE is mismatched. With this we'll see continous failed authentication.
    3.] As long as a PSN not receiving a response from the supplicant within this limit during an EAP conversation, it will throw this error code. In majority of cases it says eap session timed out.
    In your cases, the 3rd option seems to be the most closest one.
    Jatin Katyal
    - Do rate helpful posts -

  • Cisco ISE authentication failed because client reject certificate

    Hi Experts,
    I am a newbie in ISE and having problem in my first step in authentication. Please help.
    I am trying to deploy a standalone Cisco ISE 1.1.2 with WLC using 802.1x authentication. The user authentication configured to be checked to ISE's internal user database for early deployment. But when the user try to authenticate, they failed with error message in ISE :
    Authentication failed : 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
    I've generate a certificate for ISE using Windows Server CA and replace ISE's self-signed certificate with the new certificate but authentication still failed with the same error message. Must I generate a certificate for WLC also? Please help me in solving this problem.
    Regards,
    Ratna

    Certificate-Based User Authentication via Supplicant Failing
    Symptoms or
    Issue
    User authentication is failing on the client machine, and the user is receiving a
    “RADIUS Access-Reject” form of message.
    Conditions (This issue occurs with authentication protocols that require certificate validation.)
    Possible Authentications report failure reasons:
    • “Authentication failed: 11514 Unexpectedly received empty TLS message;
    treating as a rejection by the client”
    • “Authentication failed: 12153 EAP-FAST failed SSL/TLS handshake because
    the client rejected the Cisco ISE local-certificate”
    Click the magnifying glass icon from Authentications to display the following output
    in the Authentication Report:
    • 12305 Prepared EAP-Request with another PEAP challenge
    • 11006 Returned RADIUS Access-Challenge
    • 11001 Received RADIUS Access-Request
    • 11018 RADIUS is reusing an existing session
    • 12304 Extracted EAP-Response containing PEAP challenge-response
    • 11514 Unexpectedly received empty TLS message; treating as a rejection by the
    client
    • 12512 Treat the unexpected TLS acknowledge message as a rejection from the
    client
    • 11504 Prepared EAP-Failure
    • 11003 Returned RADIUS Access-Reject
    • 11006 Returned RADIUS Access-Challenge
    • 11001 Received RADIUS Access-Request
    • 11018 RADIUS is re-using an existing session
    • 12104 Extracted EAP-Response containing EAP-FAST challenge-response
    • 12815 Extracted TLS Alert message
    • 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the
    Cisco ISE local-certificate
    • 11504 Prepared EAP-Failure
    • 11003 Returned RADIUS Access-Reject
    Note This is an indication that the client does not have or does not trust the Cisco
    ISE certificates.
    Possible Causes The supplicant or client machine is not accepting the certificate from Cisco ISE.
    The client machine is configured to validate the server certificate, but is not
    configured to trust the Cisco ISE certificate.
    Resolution The client machine must accept the Cisco ISE certificate to enable authentication.

  • Cisco ISE - Computer and User Authenticiation on AD for Wireless Clients.

    Hello all,
    I am trying to configure Cisco ISE to authenticate/authorize Wireless access with PEAP MsChapv2.
    The AD user authorization works fine, but I cannot see on the logs a challenge for the computer verification (it must be a domain member).
    I have found an attribute I would use for this action, but I cannot use it, because I don't see the challenge for the computer challenge.
    Can you explain me if this fact is involved by the ISE configuration or by the client configuration ?
    Thanks a lot for your help.
    The followings screenshots show the logs appearing in the ISE :  
    Kind regards, Emeric.

    This is a great question and I wanted to add my input and I have a question as well. My understanding in order to do both Machine and User EAP-Chaining is required, which used EAP-FAST. 
    In my testing, when a domain box is configured for computer/user authentication. When the laptop started up it will authenticate with a host/ and sid in the log.
    When the user logs in you then see the user ID.
    For my benefit when rule are you talking about ?
    Thank you 

Maybe you are looking for

  • Re: How to see transfer structure in sap r/3 system

    Hi All, In generic extraction I have created extract structure ,in the extract structure I have 6 fields but I am trasferring only 4 fields to the BW system ,So it will creates transfer structure in BW System with the 4 fields but when the Transfer s

  • ITunes 8 will not launch

    I've installed iTunes 8 but whatever I try it just won't launch, can anyone help??

  • Account determination procedure for cash billing & payment cards

    HI experts i want to know know what are the configuration steps of account determination procedure for cash billing & payment cards

  • Issue adding Query to My Menu

    I am trying to add a Query to a user's My Menu and I get an error The procedure I am using to add the Query is 1) Open Query Manager 2) Select the query I want to add to the menu 3) Go to Tools > My Menu > Add to My Menu > Highlight the Folder I want

  • JAVA SP level of BW System??

    Hello All,               Our BW ABAP Support Pack level is 18,I need to confirm JAVA Support Pack level.How Can I do it?When I am trying to login to the portal of BW ---System Information I am getting the following error: Error - Unable to read compo