Troubleshooting ISE

Hello

Some extremely general lessons learnt from troubleshooting ISE authentication failures:

  • get yourself a big cup of coffee
  • read and analyze the policy sets carefully
  • read the logs from a failed authentication and compare each condition in the policy set against them to see why a given authentication does not match the rule it was supposed to hit (e.g. the failed auth hits the default rule)
  • stay calm
  • don’t pay attention to the error cause on ISE because it can be misleading. Example? A user was supposed to hit the corporate rule but didn’t; ISE thought he was supposed to be a guest, but the user presented a TLS certificate and the guest authentication assumes password-based authentication. Result? ISE says that the wrong authentication method was used (error 22045). Real cause? Someone changed the Called-Station-ID on the WLC to be its system MAC address, and in the policy set one of the conditions said that the Called-Station-ID had to include a specific domain suffix…
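The "compare each condition against the failed-auth log" step, as an added example (not from the original post and not ISE's own code): a small top-down policy-set evaluator that reports, for every rule the authentication skipped, the first condition that failed. The rule names, simplified attribute names (e.g. EapAuthentication instead of Network Access:EapAuthentication), the operator subset and the RADIUS values are all constructed for illustration; the Called-Station-ID value mirrors the WLC-sends-its-own-MAC situation described above.

```python
import re
from typing import Callable

# Hypothetical subset of ISE policy-set condition operators (not ISE's implementation).
OPERATORS: dict[str, Callable[[str, str], bool]] = {
    "EQUALS":    lambda actual, expected: actual.lower() == expected.lower(),
    "CONTAINS":  lambda actual, expected: expected.lower() in actual.lower(),
    "ENDS_WITH": lambda actual, expected: actual.lower().endswith(expected.lower()),
    "MATCHES":   lambda actual, expected: re.search(expected, actual, re.I) is not None,
}

# Constructed policy set: ordered rules, each a list of AND-ed (attribute, operator, value)
# conditions. The last rule is the catch-all "Default" rule with no conditions.
POLICY_SET = [
    ("Corporate", [("EapAuthentication", "EQUALS", "EAP-TLS"),
                   ("Called-Station-ID", "CONTAINS", ".corp.example.com")]),
    ("Guest",     [("EapAuthentication", "EQUALS", "PEAP"),
                   ("Called-Station-ID", "ENDS_WITH", ":GuestWiFi")]),
    ("Default",   []),
]

# Constructed RADIUS attributes, as you would copy them out of ISE's failed-authentication
# details (invented values). The WLC now sends its own MAC as the Called-Station-ID.
FAILED_AUTH = {
    "User-Name": "host/laptop01.corp.example.com",
    "EapAuthentication": "EAP-TLS",
    "Called-Station-ID": "00-1a-2b-3c-4d-5e:CorpWiFi",
}


def evaluate(attrs: dict[str, str], policy_set) -> tuple[str, list[str]]:
    """Walk the policy set top-down, as ISE does, and return the rule that matched plus
    one line per skipped rule naming the first condition that did not match."""
    reasons = []
    for rule_name, conditions in policy_set:
        for attr, op, expected in conditions:
            actual = attrs.get(attr, "")
            if not OPERATORS[op](actual, expected):
                reasons.append(f"{rule_name}: {attr} {op} '{expected}' failed (got '{actual}')")
                break
        else:  # every condition held (or the rule has none): this is the rule ISE selects
            return rule_name, reasons
    return "NO MATCH", reasons


if __name__ == "__main__":
    matched, why = evaluate(FAILED_AUTH, POLICY_SET)
    print("matched rule:", matched)
    for line in why:
        print("  skipped ->", line)
```

Running it against the constructed attributes shows the Corporate rule skipped on the Called-Station-ID condition, which is the real cause, rather than the misleading "wrong authentication method" symptom the Guest rule produced.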

Tips:

  • check if someone made any changes (if it worked before and now doesn’t) – this would have solved my case above in 5 minutes
  • try to examine the user’s PC for any changes (new certificates? expired certificates? hardware changes?)
  • ask AD people about any changes
