Hello
Some extremely general lessons learnt from troubleshooting ISE authentication failures:
- get yourself a big cup of coffee
- read and analyze the policy sets carefully
- read logs from a failed authentication to compare each condition in the policy set to see why a given authentication does not match the authentication (e.g. the failed auth hits the default rule)
- stay calm
- don’t pay attention to the error cause on ISE because it can be misleading. Example? A user was supposed to hit the corporate rule but didn’t; ISE thought he was supposed to be a guest, but the user presented a TLS certificate and the guest authentication assumes password-based authentication. Result? ISE says that the wrong authentication method was used (error 22045). Real cause? Someone changed Called-Station-ID on the WLC to be its system MAC address, and in the policy set one of the conditions said that the Called-Station-ID had to include a specific domain suffix…
Tips:
- check if someone made any changes (if it worked before and now doesn’t) – this would have solved my case above in 5 minutes
- try to examine the user’s PC for any changes (new certificates? expired certificates? hardware changes?)
- ask AD people about any changes
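The condition-by-condition comparison described above, as an added example that is not part of the original post: a small evaluator that takes the RADIUS attributes of a failed request and reports exactly which condition of each policy-set rule fails, so a Called-Station-ID change like the one in the story shows up immediately. Rule names, attribute names, operators and values are constructed for illustration and are not taken from a real ISE export.

```python
# Added example (not from the post): evaluate ISE-style policy-set conditions against the
# RADIUS attributes of a failed authentication and show which condition stops the expected
# rule from matching. Rule names, attribute names and values are constructed for illustration.
import re
from dataclasses import dataclass


@dataclass
class Condition:
    attribute: str  # attribute name as it appears in the policy, e.g. "Radius:Called-Station-ID"
    operator: str   # EQUALS, CONTAINS, ENDS_WITH or MATCHES (regex)
    value: str

    def evaluate(self, attrs: dict) -> bool:
        actual = attrs.get(self.attribute, "")
        if self.operator == "EQUALS":
            return actual == self.value
        if self.operator == "CONTAINS":
            return self.value in actual
        if self.operator == "ENDS_WITH":
            return actual.endswith(self.value)
        if self.operator == "MATCHES":
            return re.search(self.value, actual) is not None
        raise ValueError(f"unknown operator {self.operator}")


@dataclass
class Rule:
    name: str
    conditions: list  # all conditions must hold (AND), the usual shape of an ISE rule


def explain(rules, attrs):
    """Evaluate rules top-down like a policy set: the first rule whose conditions all hold
    wins, otherwise 'Default'. The report lists the failing conditions of every rule tried,
    with the actual attribute value next to the expected one."""
    report = {}
    for rule in rules:
        failing = [f"{c.attribute} {c.operator} '{c.value}' (actual: '{attrs.get(c.attribute, '')}')"
                   for c in rule.conditions if not c.evaluate(attrs)]
        report[rule.name] = failing
        if not failing:
            return rule.name, report
    return "Default", report


# Constructed policy: corporate users must arrive on the corporate SSID (identified by the
# Called-Station-ID suffix) and authenticate with EAP-TLS; anything else falls to Default.
POLICY = [Rule("Corporate-EAP-TLS", [
    Condition("Radius:Called-Station-ID", "ENDS_WITH", ":corp-wifi"),
    Condition("Network Access:EapAuthentication", "EQUALS", "EAP-TLS"),
])]
# Constructed attributes of the failed request: the WLC now sends only its system MAC as
# Called-Station-ID, so the suffix condition fails even though the client did use EAP-TLS.
FAILED_AUTH = {"Radius:Called-Station-ID": "00-11-22-33-44-55",
               "Network Access:EapAuthentication": "EAP-TLS"}
```

Running `explain(POLICY, FAILED_AUTH)` returns `Default` and a report naming only the Called-Station-ID condition, which points at the WLC change rather than at the "wrong authentication method" cause ISE would display.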