
802.1X on wireless Networks

jack samuel
Level 1

Dears,

I have configured 802.1X on a Windows machine and I have configured the settings appropriately in the ISE, but the wireless PC is still not able to authenticate.

I want to know how to trace the client to see where it is getting stuck in authentication.

We can test a switch's connection to the RADIUS server with the test command, but from the controller, how can we know whether the controller can reach the RADIUS server? I ran a diagnostic tool on ISE, "Evaluate Configuration Validator", and I get bad password and bad username, though the username and password are correct.

On the controller, should the Layer 2 settings for the WLAN be WPA+WPA2 + 802.1X, or ???

Can anybody help me understand?

Thanks

4 Replies

Toivo Voll
Level 1

The easiest is probably to enable debug for the client in question on the WLC and see what happens from there.

Alternatively, see if ISE logs anything coming from the WLC.

Or you can always do a packet capture between the WLC and the ISE and see what happens.

Make sure the port numbers for RADIUS match between the WLC and the ISE.

Dears

Can you share a document which will help to do the below?

"Or you can always do a packet capture between the WLC and the ISE and see what happens."

RADIUS port 1812 for authentication and 1813 for accounting

Yes, an 802.1X-enabled SSID should be WPA+WPA2 and 802.1X enabled. I would refer you to the TrustSec design guides; they are a wealth of great technical information about ISE/switches/WLCs.

http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-implementation-design-guides-list.html

Specifically, the one related to wireless controllers is something you should look through:

http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-11-Universal_WLC_Config.pdf

Does ISE not tell you anything about authentication, failures or otherwise, when you try to connect to the SSID?

As for sniffing the traffic, you can actually start a tcpdump on the PSN ISE server and get the file out for Wireshark analysis. You enable it on the ISE server you expect the RADIUS packets to be sent to, just to verify whether they are reaching the ISE server in question.

Menu : Operations/Troubleshoot/Diagnostic Tools/General Tools/tcpdump

Start it, make some SSID assocs, and stop it again, then download the trace and open it in Wireshark.
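
One way to read such a capture without clicking through every frame, as an added example that is not part of any post in this thread: the Python below parses RADIUS headers and pairs each Access-Request from the WLC with the server's reply, keyed by the client MAC in Calling-Station-Id. It assumes the UDP payloads on port 1812 have already been extracted from the downloaded trace as (source, destination, payload) tuples; the addresses, MACs and packets in `SAMPLE` are constructed.

```python
import struct

CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ACCESS_REQUEST, CALLING_STATION_ID = 1, 31

def parse_radius(payload):
    """Return (code, identifier, {attr_type: value}), or None if malformed."""
    if len(payload) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        return None
    attrs, pos = {}, 20  # attributes follow the 16-byte authenticator
    while pos + 2 <= length:
        a_type, a_len = payload[pos], payload[pos + 1]
        if a_len < 2 or pos + a_len > length:
            return None
        attrs.setdefault(a_type, payload[pos + 2:pos + a_len])
        pos += a_len
    return code, ident, attrs

def triage(packets):
    """Map each client MAC to the last outcome seen; packets are in capture order."""
    pending, outcome = {}, {}
    for src, dst, payload in packets:
        parsed = parse_radius(payload)
        if parsed is None:
            continue
        code, ident, attrs = parsed
        if code == ACCESS_REQUEST:
            mac = attrs.get(CALLING_STATION_ID, b"unknown").decode(errors="replace")
            pending[(src, dst, ident)] = mac
            outcome[mac] = "no reply from server"
        elif code in CODES:
            mac = pending.pop((dst, src, ident), None)  # match reply to request
            if mac is not None:
                outcome[mac] = CODES[code]
    return outcome

def build(code, ident, attrs=()):  # constructed packet with a zeroed authenticator
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

WLC, ISE = "192.0.2.5", "192.0.2.10"  # constructed addresses
SAMPLE = [  # constructed capture: one client rejected, one never answered
    (WLC, ISE, build(1, 7, [(1, b"alice"), (31, b"aa-bb-cc-00-00-01")])),
    (ISE, WLC, build(11, 7)),
    (WLC, ISE, build(1, 8, [(1, b"alice"), (31, b"aa-bb-cc-00-00-01")])),
    (ISE, WLC, build(3, 8)),
    (WLC, ISE, build(1, 9, [(1, b"bob"), (31, b"aa-bb-cc-00-00-02")])),
]
```

A client left at "no reply from server" sent a request that was seen in the capture but never answered. RFC 2865 has the server silently discard requests from a client it holds no shared secret for, so the WLC's network device entry and shared secret in ISE are the first things to check.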

Dear Jan

Thanks for the reply. Actually I am not able to troubleshoot because I see lots of MAC addresses in the authentication logs in the ISE for the SSID which is not used for 802.1X, so how can I stop these MAC addresses from being displayed in the logs so that I do not miss the real logs?

As you can see from the HOME page unknown NAD

Thanks