Troubleshooting ISE

Hello

Some extremely general lessons learnt from troubleshooting ise authentication failures:

• get yourself a big cup of coffee
• read and analyze the policy sets carefully
• read logs from a failed authentication to compare each condition in the policy set to see why a given authentication does not match the authentication (e.g. the failed auth hits the default rule)
• stay calm
• don’t pay attention to the error cause on ISE because they can be misleading. Example? A user was supposed to hit the corporate rule but didn’t, ISE thought he was supposed to be a guest, but the user presented a TLS certificate and the guest authentication assumes password-based authentication. Result? ISE says that wrong authentication method was used (error 22045). Real cause? someone changed Called-Station-ID on the WLC to be its system mac address and in the policy set one of the condition said that the called station id had to include a specific domain suffix…

Tips:

• check if someone made any changes (if it worked before and now doesn’t) – this would have solved my case above in 5 minutes
• try to examine the user’s PC for any changes (new certificates? expired certificates? hardware changes?)
• ask AD people about any changes