Hello,

I have a distributed ISE deployment as below:

ISE 3.1 patch 6

PSN: 3 physical & 3 VM 

Admin: 1physical & 1VM

MnT: 1physical & 1VM

aaa group server radius ISERadius
server name ISE-VM
server name ISE-physical
ip radius source-interface xx

aaa server radius dynamic-author
client VM server-key 7 xxxx
client physical server-key 7 xxxx

When the radius server to pointed to physical ise server in radius server group, the cert based authentication works as expected but then pointed to aws ise server, it fails. The failure reason changes every time.

Failure reason: Authc fail. Authc failure reason: Cred Fail.

Authentication failed for client (abcd) with reason (No Response from Client) on Interface xx

Authentication failed for client (abcd) with reason (AAA Server Down) on Interface xx

The "Certificate Authentication Profile" is configured using option "Use Identity From" with Cert Attribute as "Subject-Common Name". As some machines are not part of AD so Identity Store option is not configured. I did use Cert Attribute as "Subject-Common Name - DNS" but no luck 

Both physical & VM ise servers have dedicated EAP certificate issued by digicert and their Root & Intermediate certs are present in "Trusted Certificates". The Intermediate cert is trusted for Infrastructure only. Since infrastructure trust is working on physical ise server, I am not sure if ISE VM needs "Trust for client authentication and Syslog" option as well.

I have ran packet captures where the ISE is sending CA chain but its never seen on the switch during radius challenge. The dot1x challenge runs for the configured timer & fails. Sometimes I don't see Authentication tab under ethernet properties & I restart the wired auto config just to manually trigger the authentication although the service is set to start automatically.

I really need to get this issue fixed at earliest and I would appreciate any assistance from experts here.