Cisco ISE authentications failure

Hi, I'm new to wireless and was wondering if we can know on wich AP a client is trying to connect.
Here's the problem, a user is getting locked in AD because a device keeps trying to connect to the corporate wireless with a bad password.
The only information I can find in ISE are the AD account name,Mac and controller(5500)
Anyone have any idea what I could do ?

Hi, 
Just take the MAC address, paste it into the WLC (you can get this from the ISE), and it should tell you the AP the client is trying to associate with. I am not sure there is a way to view which AP, using the ISE - but I am open to be corrected! 
HTH
Mike
Mike

Similar Messages

  • Cisco ISE authentication failed because client reject certificate

    Hi Experts,
    I am a newbie in ISE and having problem in my first step in authentication. Please help.
    I am trying to deploy a standalone Cisco ISE 1.1.2 with WLC using 802.1x authentication. The user authentication configured to be checked to ISE's internal user database for early deployment. But when the user try to authenticate, they failed with error message in ISE :
    Authentication failed : 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
    I've generate a certificate for ISE using Windows Server CA and replace ISE's self-signed certificate with the new certificate but authentication still failed with the same error message. Must I generate a certificate for WLC also? Please help me in solving this problem.
    Regards,
    Ratna

    Certificate-Based User Authentication via Supplicant Failing
    Symptoms or
    Issue
    User authentication is failing on the client machine, and the user is receiving a
    “RADIUS Access-Reject” form of message.
    Conditions (This issue occurs with authentication protocols that require certificate validation.)
    Possible Authentications report failure reasons:
    • “Authentication failed: 11514 Unexpectedly received empty TLS message;
    treating as a rejection by the client”
    • “Authentication failed: 12153 EAP-FAST failed SSL/TLS handshake because
    the client rejected the Cisco ISE local-certificate”
    Click the magnifying glass icon from Authentications to display the following output
    in the Authentication Report:
    • 12305 Prepared EAP-Request with another PEAP challenge
    • 11006 Returned RADIUS Access-Challenge
    • 11001 Received RADIUS Access-Request
    • 11018 RADIUS is reusing an existing session
    • 12304 Extracted EAP-Response containing PEAP challenge-response
    • 11514 Unexpectedly received empty TLS message; treating as a rejection by the
    client
    • 12512 Treat the unexpected TLS acknowledge message as a rejection from the
    client
    • 11504 Prepared EAP-Failure
    • 11003 Returned RADIUS Access-Reject
    • 11006 Returned RADIUS Access-Challenge
    • 11001 Received RADIUS Access-Request
    • 11018 RADIUS is re-using an existing session
    • 12104 Extracted EAP-Response containing EAP-FAST challenge-response
    • 12815 Extracted TLS Alert message
    • 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the
    Cisco ISE local-certificate
    • 11504 Prepared EAP-Failure
    • 11003 Returned RADIUS Access-Reject
    Note This is an indication that the client does not have or does not trust the Cisco
    ISE certificates.
    Possible Causes The supplicant or client machine is not accepting the certificate from Cisco ISE.
    The client machine is configured to validate the server certificate, but is not
    configured to trust the Cisco ISE certificate.
    Resolution The client machine must accept the Cisco ISE certificate to enable authentication.

  • Cisco ISE authenticating Ip Phone 7942

    Hello,
    I am installing Cisco ISE soon and have a question. Why can't I authenticate Cisco IP phone model 7942 using 802.1x? I see that the phone has this option (it is not enabled). I am told that Cisco IP Phones must be authenticated on ISE by using profiling or MAB. This uses a costly advanced license to accomplish this.
    Has anybody had any luck in this area?
    Thank you,
    Bob

    I have successfully deployed 802.1x for wireless IP phones using MIC. The only real problem I have with this approach is the inability of ISE to authenticate the username from certificate against anything but an external database. As a result I have been forced to use a static endpoint group for the MAC addresses of the allowed phones to meet the organisation's security stance. Just wish EAP-TLS could go against an internal database.

  • Cisco ISE authentication failed for Win XP SP3

    Hello,
    I have some trouble this Win XP wired Client authentication. With Win7 everything works well.
    ISE 1.2 (patch 4)
    Switch: 2960 / 2960S (15.0.(2)SE2)
    Authentication details:
    Event:
    5400 Authentication failed:
    Failure Reason
    11514 Unexpectedly received empty TLS message; treating as a rejection by the client
    Resolution
    Ensure that the client's supplicant does not have any known compatibility issues and that it is properly configured. Also ensure that the ISE server certificate is trusted by the client, by configuring the supplicant with the CA certificate that signed the ISE server certificate. It is strongly recommended to not disable the server certificate validation on the client!
    Root cause While trying to negotiate a TLS handshake with the client, ISE expected to receive a non-empty TLS message or TLS alert message, but instead received an empty TLS message. This could be due to an inconformity in the implementation of the protocol between ISE and the supplicant. For example, it is a known issue that the XP supplicant sends an empty TLS message instead of a non-empty TLS alert message. It might also involve the supplicant not trusting the ISE server certificate for some reason. ISE treated the unexpected message as a sign that the client rejected the tunnel establishment.
    I try to disable validate server certificates on Win XP Clients, but it won´t work for me.
    Add ISE self-sign certificate to clients trusted root certification authorities and enable validate server certificates also won´t work.
    Any idea?
    thanks

    The ISE use a self-signed certificate. I add this self-signed certificate to the clients "trusted root certification authorities", enable validate server certificates at the eap properties and select the added certificate from the trust list. But if I uncheck validate server certificates, I see the same error message as well.
    Are there any differences between xp client config and win7 client config?
    thanks,

  • Cisco ISE (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out)

    Hi,
    I have a setup ISE 1.1.1. Users are getting authenticate against AD. Everything is working fine except some users report disconnection. I see in the ISE that (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out). Users are using Windows 7 OS.
    Error is enclosed & here is the port configuration.
    Port Configuration.
    interface GigabitEthernet0/2
    switchport access vlan 120
    switchport mode access
    switchport voice vlan 121
    authentication event fail action next-method
    authentication event server dead action reinitialize vlan 120
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication order mab dot1x
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 60
    spanning-tree portfast
    ip dhcp snooping limit rate 30 interface GigabitEthernet0/2
    switchport access vlan 120
    switchport mode access
    switchport voice vlan 121
    authentication event fail action next-method
    authentication event server dead action reinitialize vlan 120
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication order mab dot1x
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 60
    spanning-tree portfast
    ip dhcp snooping limit rate 30
    Please help.

    The error message means that Active Directory server Reject the authentication attempt
    as for some reasons the user account got locked.I guess, You should ask your AD Team to check in the AD
    Event Logs why did the user account got locked.
    Under Even Viewers, You can find it out
    Regards
    Minakshi (Do rate the helpful posts)

  • Cisco ISE - Authentication Bullet Not Appearing on a Starting Windows Machine Connected to IP Phone

    Dears,
    I have this case and I would be very thankful if someone has the answer for !
    When Wired AutoConfig service is enabled on a Windows XP (or 7) station that is connected to an IP phone, the "Additional Information is needed to connect to this network" popup bullet successfully appears when the UTP cable is unplugged and then plugged back in the network card or the network adapter is disabled and re-enabled or the switchport configured with Dot1x had a shut no shut.
    However, the "Additional Information is needed to connect to this network" does not appear when the Windows workstation reboots and it gets unauthenticated!
    Our customer finds it a hard task to instruct his "non IT employees" to unplug the UTP cable and then plug it back or do any of the above methods in order for the authentication bullet to appear.
    Does anyone know how to configure the Windows machine so that the authentication popup bullet automatically appears upon machine startup?
    Best Regards,

    Hello Neno,
    I am using PEAP and below is the dot1x config under the switchport:
    interface GigabitEthernet0/4
    switchport access vlan 107
    switchport mode access
    switchport voice vlan 156
    authentication event server dead action authorize vlan 107
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority mab
    authentication port-control auto
    mab
    dot1x pae authenticator
    dot1x timeout quiet-period 180
    spanning-tree portfast
    Please note that the authentication bullet appears on a Windows PC directly connected to the switch.
    The problem is when the PC is connected to an IP phone or takes too long to boot.

  • Cisco ip phones authenticate 802.1x with cisco ise 1.3

    Dear all,
    I want to configure cisco ise 1.3 with 802.1x , to authenticate cisco ip phones ( CUCM 10.5.2 ) with LSC certificate. 
    How I have to configure cisco ise authentication rules for 802.1x with cisco ip phones? Are there any configuration examples ? 
    Thanks

    following are ISE 802.1x  sample authentication rules..you can change the protocol (Policy -> policy elements - > results -> authentication and you can select the proctocal)

  • Cisco ISE - multiple AD - trust relationships

    Hello,
    I have a customer who has multple AD forests and an ISE deployment running 1.1.3.
    The customer scenario is as follows - there is an Internal AD forest (internal users) and an External AD forest (external users such as consultants). The objective is to use Cisco ISE to authenticate and authorize the users in both AD forests. CIsco ISE is connected to the Internal AD forest.
    We know that multiple AD support is coming in 2014 with versioon 1.3 - other options such as LDAP/EAP-TLS are not a viable option for the customer.
    1.       Currently  – the Internal AD forest has an External, Non-transitive – one-way trust with the External Forest
         a.       The objective here is to use a feature called Selective Authentication  in order to filter the outgoing requests from the External Forest to the Internal Forest – this is a selective trust feature that can be used to control access to specific resources in Internal Forest and for authentication between Internal/External Forest via Cisco ISE
         b.      Preliminary testing has shown that a one way trust seems to work for Cisco ISE authentication/authorization
         c.       Further testing is underway to test the Selective Authentication feature (ie restrict access to specific resources etc…)
    Question : has any one used this and is this a supported method by Cisco (I know they mention a mutual trust relationship is required)?
    2.       We are exploring a second scenario - the Internal AD forest will have an External, Non-transitive – two-way trust with the External Forest
         a.       Same objectives as in  1 – we would attempt to use the Selective Authentication in the following fashion (this is an example)
              i.      External Forest has outgoing filter to allow access to specific resources in Internal Forest, and for authentication
              ii.      Internal Forest has incoming filter to deny access to all resources in External Forest
    In this case we would filter so it resembles a 1 way trust relationship - anyone try this, anyone know if this would be a supported method by Cisco?
    Thanks in advance for your replies.
    Robert C.

    Cisco has published a nice new guide on Active Directory integration with ISE 1.3. As noted there:
    "Cisco ISE can connect with multiple Active Directory domains that do not have a two-way trust or have zero trust between them. Active Directory multi-domain join comprises a set of distinct Active Directory domains with their own groups, attributes, and authorization policies for each join."
    I've setup one such deployment just recently and found it quite simple to just add the second domain and use it an en external identity source accordingly.

  • Cisco ISE with EAP-FAST and PAC provisioning

    Hi,
    I have search with no result on this topic. So, Does anyone have implemented Cisco ISE authentication with EAP-FAST and PAC provisioning ?
    Since I have an issue with internal proxy, user required to authenticate with an internal proxy before granting access to the internet.
    If you have any documents, it would be appreciated for me.
    Thanks,
    Pongsatorn

    From what I understand a Internet proxy PAC and a eap-fast PAC are two different purposes.
    Is that what you are trying to get clarification on.
    Basically eap fast PAC provisioning is a PAC that s provisioned when a client authenticates successfully. The client provides this PAC for network authentication and not proxy authentication.
    Sent from Cisco Technical Support iPad App

  • Cisco ISE Failure: 24408 User authentication against Active Directory failed since user has entered the wrong password

    Hi,
    Since we implemented Cisco ISE we receive the following failure on several Notebooks:
    Authentication failed : 24408 User authentication against Active Directory failed since user has entered the wrong password
    This happens 2 or 3 times per Day. So basically the authentications are working. But when the failure appears, the connection is lost for a short time.
    The Clients are using PEAP(EAP-MSCHAPv2) for Authentication. We've got a Cisco Wireless Environment (WLC 5508).
    Why is this happening?
    Thanks,
    Marc

    The possible causes of this error message are:
    1.] If the end user entered an incorrect username.
    2.] The shared sceret between WLC and ISE is mismatched. With this we'll see continous failed authentication.
    3.] As long as a PSN not receiving a response from the supplicant within this limit during an EAP conversation, it will throw this error code. In majority of cases it says eap session timed out.
    In your cases, the 3rd option seems to be the most closest one.
    Jatin Katyal
    - Do rate helpful posts -

  • Cisco ISE AD (Windows Server 2013) Authentication Problem

    Background:
    Deployed two Cisco ISE 1.1.3. ISE will be used to authenticate wireless users, admin access to WLC and switches. Backend database is Microsoft AD running on Windows Server 2012. Existing Cisco ACS 4.2 still running and authenticating users. There are two Cisco WLCs version 7.2.111.3.
    Wireless users authenticates to AD through ACS 4.2 works. Admin access to WLC and switches to AD through ISE works. Wireless authentication using PEAP-MSCHAPv2 and admin access wtih PAP/ASCII.
    Problem:
    Wireless users cannot authenticate to AD through ISE. The below is the error message "11051 RADIUS packet contains invalid state attribute" & "24444 Active Directory operation has failed because of an unspecified error in the ISE".
    Conducted a detailed test of AD from ISE. The test was successful and the output seems all right except for the below:
    xxdc01.xx.com (10.21.3.1)
    Pinged:0 Mins Ago
    State:down
    xxdc02.xx.com (10.21.3.2)
    Pinged:0 Mins Ago
    State:down
    xxdc01.xx.com
    Last Success:Thu Jan  1 10:00:00 1970
    Last Failure:Mon Mar 11 11:18:04 2013
    Successes:0
    Failures:11006
    xxdc02.xx.com
    Last Success:Mon Mar 11 09:43:31 2013
    Last Failure:Mon Mar 11 11:18:04 2013
    Successes:25
    Failures:11006
    Domain Controller: xxdc02.xx.com:389
        Domain Controller Type: Unknown DC Functional Level: 5
        Domain Name:            xx.COM
        IsGlobalCatalogReady:   TRUE
        DomainFunctionality:           2 = (DS_BEHAVIOR_WIN2003)
        ForestFunctionality:           2 = (DS_BEHAVIOR_WIN2003)
    Action Taken:
    Log on to Cisco ISE and WLC using AD credentials. This rules out AD connection, clock and AAA shared secret as the problem.
    2)     Tested wireless authentication using EAP-FAST but same problem occurs.
    3)     Detailed error message shows the below. This rules out any authentication and authorization polices. Before even hitting the authentication policy, the AD lookup fails.     
    12304  Extracted EAP-Response containing PEAP challenge-response
    11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity Store - AD1
    24430  Authenticating user against Active Directory
    24444  Active Directory operation has failed because of an unspecified error in the ISE
    4)     Enabled AD debugging logging and had a look at the logging. Nothing significant and no clues to the problem.
    5)     Tested wireless on different laptos and mobile phones with same error
    6)     Delete and add again AAA Client/Devices on both Cisco ISE and WLC
    7)     Restarted ISE services
    8)     Rejoin domain on Cisco ISE
    9)     Checked release notes of ISE 1.1.3 and WLC 7.2.111.3 for any open caveats. Nothing found related to this problem.
    10)    There are two ISE and two WLC deployed. Tested different combination of ISE1 to WLC1, ISE1 to WLC2 etc. This rules out hardware issue of WLC.
    Other possibilities/action:
    1)     Test it out on a different WLC version. Will have to wait outage approval to upgrade WLC software.
    2)     Incompatibility of Cisco ISE and AD running on Microsoft Windows Server 2012
    Anyone out there experienced something similar of have any ideas on why this is happening?
    Thanks.
    Update:
    1) Built another Cisco ISE 1.1.3 sever in another datacentre that uses the same domain but different domain controller. Thais domain controller is running Windows Server 2008. This works and authentication successful.
    2) My colleague tested out in a lab environment of Cisco ISE 1.1.2 with Windows Server 2012. He got the same problem as described.
    This leads me to think there is a compatibility issue of Cisco ISE with Windows Server 2012.

    Does anyone know if ISE 1.1.3 p1 supports AD DCs running 2012, if not which patch is required ot version?
    Worryingly when ISE joins a 2012 DC it states it's connected successfully, and if another 2003 DC is available in that datacentre it will perform the auths against that DC whilst actually advertising (Connections in the GUI) that it's connected to the 2012 DC. We ended up mapping 8 PSN IP’s to another datacentre which has one Win2003 servers whilst the old 2003 DC is being promoted back, the 8 ISE servers started working, even though they still advertised they were connected to the 2012 DCs in the original datacentre - I performed a leave and join on one PSN and only then did it advertise that the node was connected to a DC in a different datacentre

  • Intermittent AD Authentication failures in ISE 1.2

              Starting today I was getting intermittent authentication failures in ISE. It would say that the user was not found in the selected identity store. The account is there though. At one point I ran a authetication test from the external identity source menu and I got a failure and then the next time a pass. I have no idea why this is happening. I just updated to ISE 1.2 the other day. I'm also seeing what looks like a high level of latency on both of my PSN's. Is this normal?  Any ideas?
    Thanks
    Jef

    Interesting. I have one location that is not having this problem at all. The other is having it somewhat frequently. The PSN's for each location are tied to the local AD servers. I have not had this until we started getting 300-380 PC's connecting. We are a school so we are slowly getting started. It's real random. One user will work then another time they won't. Happens with admin and user. I have notices that with this new version of ISE it is complaining that it is getting accounting updates from the NAS too often, but I have not looked into this because I just installed 1.2 about 3-4 days ago and haven't had time to look into it.
    When you say Multicast to you AD...how did you check that? We do use multicast.

  • Multiple domains authentication on Cisco ISE

    Hi,
    Does the current Cisco ISE supports for authenticating on multiple Active Directories ?
    I can only set Cisco ISE to join on single active directory and LDAP
    Does anyone have set Cisco ISE to support EAP-FAST with WPAD or PAC provisioning ?
    Thanks
    Pongsatorn

    Hi,
    We are into a situation where we need to authenticate users of two domains and these two domains are completely independent (no common DNS server). ISE is not able to resolve one of the domain using the DNS server settings and Adding a host entry for the domain name is not sufficient since Kerberos, GC and LDAP SRVs need to be resolvable as well.
    From what I know ISE 1.3 should supports disjointed domains and there is no requirement for ISE to have 2 way trust relationship with domains.
    Please share your experience if someone has faced similar situation before.
    Regards,
    Akhtar

  • ISE 1.2 Authentication Failures at First time Connection

    Hi,
     I have a trouble with ISE 1.2 when trying to authenticate for first time an end-device, this device might be either a Workstation or IP Phone or Printer,etc. it fails or staying in running mode. The result is the same it can not access the network.  hopefully I'm still in open mode :)
    As i described in the beginning everything has status Running or Authz Failed. and after a time of period usually one day finally succeeds.
    This happens mostly for workstations and printers, but in case of phones does not have the same behavior. I unplug plug the phones or I shut/ no shut the ports in order to trigger it to succeed. For some phones worked but other obstinately declined.
    The phones which are not Cisco phones authenticated with MD5 (a simple username and pass  ) i think the problem should not related with the auth protocol.
    Below are some logs from one phone. For me coming to a short conclusion this must be related with the switches which are 3750e (15.02 SE 4 IOS)
    or with the same the ISE, why because i have almost the same behavior for all end-devices.
    I kindly remain your comments...
    2169669: Apr 16 18:02:20.573 EEST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/35, changed state to up
    2169670: Apr 16 18:02:20.783 EEST: %DOT1X-5-FAIL: Authentication failed for client (0080.9f7d.3ddf) on Interface Gi1/0/34 AuditSessionID 0A114D0D0000D5E8855C01DE
    2169671: Apr 16 18:02:20.791 EEST: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (0080.9f7d.3ddf) on Interface Gi1/0/34 AuditSessionID 0A114D0D0000D5E8855C01DE
    S301#
    2169672: Apr 16 18:02:20.992 EEST: %AUTHMGR-5-START: Starting 'dot1x' for client (0080.9f7d.3ddf) on Interface Gi1/0/34 AuditSessionID 0A114D0D0000D5F0855DE0EF
    2169673: Apr 16 18:02:21.580 EEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/35, changed state to up
    S301#
    2169674: Apr 16 18:02:24.289 EEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/35, changed state to down
    S301#
    2169675: Apr 16 18:02:25.288 EEST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/35, changed state to down
    2169676: Apr 16 18:02:26.269 EEST: %AUTHMGR-5-START: Starting 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169677: Apr 16 18:02:26.294 EEST: %DOT1X-5-FAIL: Authentication failed for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169678: Apr 16 18:02:26.294 EEST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169679: Apr 16 18:02:26.303 EEST: %DOT1X-5-FAIL: Authentication failed for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169680: Apr 16 18:02:26.303 EEST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169681: Apr 16 18:02:26.319 EEST: %DOT1X-5-FAIL: Authentication failed for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169682: Apr 16 18:02:26.319 EEST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169683: Apr 16 18:02:26.319 EEST: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169684: Apr 16 18:02:26.319 EEST: %AUTHMGR-5-START: Starting 'mab' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169685: Apr 16 18:02:26.328 EEST: %MAB-5-FAIL: Authentication failed for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169686: Apr 16 18:02:26.328 EEST: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169687: Apr 16 18:02:26.328 EEST: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169688: Apr 16 18:02:26.328 EEST: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    S301#
    2169689: Apr 16 18:02:26.336 EEST: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    S301#
    2169690: Apr 16 18:02:27.737 EEST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/35, changed state to up
    2169691: Apr 16 18:02:28.744 EEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/35, changed state to up
    Regards
    T.C

    I'm not using authentication method with certificates for none end-devices
    Workstations with the windows default authentication protocol EAP/MSCHAPv2
    In front of them there are non Cisco IP-phones with auth. method EAP/MD5
    Finally I also have some printers again with option EAP/MD5
    For all of these devices I received the same behavior, after many hours finally the authenticated with ISE. But is this the expected behavior?
    What I understand is that if the devices finally authenticated then it means that there isn’t anything wrong with the method.
    The misunderstanding points are 3
    Why there is so much delay for all devices to authenticate?
    Why some devices, mostly IP phones (not all) continuing to fail to the authentication method. All my devices are identical with the same software / patch, same model etc.
    I have noticed randomly some devices one moment to succeed and the next moment to failed
    So for my understanding there is an abnormal behavior and i cannot find the way /pattern to correct it or to understand the reason :)
    Port config
    switchport access vlan xxx
     switchport mode access
     switchport voice vlan yyy
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan xxx
     authentication event server dead action authorize voice
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     dot1x pae authenticator
     no cdp enable
     spanning-tree portfast
    result template
    Switch#sh auth sess int g1/0/46
                Interface:  GigabitEthernet1/0/46
              MAC Address:  xxxx.xxxx.xxxx
               IP Address:  xx.xxx.xx.xxx
                User-Name:  xxxxxxxxxxxx
                   Status:  Authz Failed
                   Domain:  DATA
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  multi-domain
         Oper control dir:  both
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A114D0A00001972016208E1
          Acct Session ID:  0x00001BB7
                   Handle:  0x6D0009B6
    Runnable methods list:
           Method   State
           dot1x    Failed over
           mab      Failed over

  • Cisco ISE 1.1.2.145 Admin Authentication using LDAP

    I have configured the LDAP and able to retrive our LDAP directory structure. Now, I am trying to point the 'Admin Access' authentication to "External Identity" Source which is the new LDAP IS I created. But I couldn't find an option to authenticate locally if for any reason the LDAP configuration doesn't work. I learnt that ISE can automatically revert to local auth provided the External Idenitity sources are unreachable. How can I test the LDAP authentication with out breaking our Admin Access? I thought of opening two parallel sessions, one with Super Admin Local Account and the other with Domain account. But I noticed that ISE communication is smart enough to logoff/login any other sessions in different browsers so basically I can't open two parallel sessions from same machine to do the tests. Suggestions? or Am I missing something here?
    Many thanks in advance.

    Hi Srinivas,
    Even if you set up LDAP as an External Identity source for admin access, you can still fallback to Internal without getting locked out. As per the ISE user guide :
    During operation, Cisco ISE is designed to "fall  back" and attempt to perform authentication from the internal identity  database, if communication with the external identity store has not been  established or if it fails. In addition, whenever an administrator for  whom you have set up external authentication launches a browser and  initiates a login session, the administrator still has the option to  request authentication via the Cisco ISE local database by choosing  "Internal" from the Identity Store drop-down selector in the login dialog.
    http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_identities.html#wp1351543
    Please refer to the attached screenshot from my lab ISE:
    I have configured admin authentication against AD, but I still see both "Internal" and "AD" at the time of login.
    Hope this helps.
    Thanks,
    Aastha

Maybe you are looking for