10-19-2015 03:52 AM - edited 03-10-2019 11:09 PM
Dears,
I have configured 802.1X on a Windows machine and I have configured the settings appropriately in ISE, but still the wireless PC is not able to authenticate.
I want to know how to trace the client to see where it is getting stuck during authentication.
We can test a switch connection to the RADIUS server with the test command, but from the controller how can we know the controller is reachable to the RADIUS server? I ran a diagnostic tool on ISE, "Evaluate Configuration Validator", and I get bad password and bad username though the username and password are correct.
On the controller, should the Layer 2 settings for the WLAN be WPA WPA2 + 802.1X or ???
Can anybody help me to understand?
thanks
10-19-2015 06:54 AM
The easiest is probably to enable debug for the client in question on the WLC and see what happens from there.
Alternatively, see if ISE logs anything coming from the WLC.
Or you can always do a packet capture between the WLC and the ISE and see what happens.
Make sure the port numbers for RADIUS match between the WLC and the ISE.
10-19-2015 02:28 PM
Dears
Can you share a document which will help to do the below.
"Or you can always do a packet capture between the WLC and the ISE and see what happens."
RADIUS port 1812 for authentication and 1813 for accounting.
10-19-2015 05:18 PM
Yes, an 802.1X-enabled SSID should be WPA+WPA2 with 802.1X enabled. I would refer you to the TrustSec design guides; they are a wealth of great technical information about ISE/switches/WLCs:
http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-implementation-design-guides-list.html
Specifically, the one related to wireless controllers is something you should look through:
http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-11-Universal_WLC_Config.pdf
Does ISE not tell you anything about authentication, failures or otherwise, when you try to connect to the SSID?
As for sniffing the traffic, you can actually start a tcpdump on the PSN ISE server and get the file out for Wireshark analysis. You enable it on the ISE server you expect the RADIUS packets to be sent to, just to verify whether they are reaching the ISE server in question.
Menu : Operations/Troubleshoot/Diagnostic Tools/General Tools/tcpdump
Start it, make some SSID associations, and stop it again, then download the trace and open it in Wireshark.
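When you open that tcpdump trace, the first things to check are whether the WLC's Access-Requests arrive at all, on which UDP port, and what User-Name / Calling-Station-Id they carry. The following is an added example, not from this thread or from Cisco, that decodes a raw RADIUS UDP payload the way Wireshark does and flags a request sent to a port other than 1812/1813; the sample packet and its addresses are constructed for illustration.

```python
import struct

# RADIUS packet codes (RFC 2865/2866) you expect to see between the WLC and ISE
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}
# Attribute types worth reading when a wireless client will not authenticate
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 18: "Reply-Message",
              30: "Called-Station-Id", 31: "Calling-Station-Id",
              79: "EAP-Message", 80: "Message-Authenticator"}
EXPECTED_PORTS = {"auth": 1812, "acct": 1813}   # ports the thread says ISE listens on

def parse_radius(payload: bytes) -> dict:
    """Decode the 20-byte RADIUS header and the attribute TLVs of one UDP payload."""
    if len(payload) < 20:
        raise ValueError("payload shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError(f"length field {length} != payload size {len(payload)}")
    attrs, pos = {}, 20                      # attributes start after the authenticator
    while pos < length:
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute TLV")
        value = payload[pos + 2:pos + alen]
        if atype == 4:                       # NAS-IP-Address is 4 raw bytes
            value = ".".join(str(b) for b in value)
        elif atype in (1, 18, 30, 31):       # text attributes
            value = value.decode("ascii", "replace")
        attrs[ATTR_NAMES.get(atype, f"Attr-{atype}")] = value
        pos += alen
    return {"code": RADIUS_CODES.get(code, f"Code-{code}"), "id": ident, "attrs": attrs}

def check_port(dst_port: int, code_name: str) -> str:
    """Flag a packet sent to a UDP port the server is not configured to listen on."""
    expected = EXPECTED_PORTS["acct"] if code_name.startswith("Accounting") else EXPECTED_PORTS["auth"]
    if dst_port == expected:
        return "ok"
    return f"port mismatch: {code_name} sent to UDP/{dst_port}, server expects UDP/{expected}"

def build_packet(code: int, ident: int, attrs) -> bytes:
    """Assemble a RADIUS packet with a zeroed authenticator (constructed test data only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + b"\x00" * 16 + body

# Constructed Access-Request as a WLC (hypothetical NAS 10.0.0.5) would send it to the PSN
SAMPLE_ACCESS_REQUEST = build_packet(1, 7, [
    (1, b"alice"), (4, bytes([10, 0, 0, 5])), (31, b"AA-BB-CC-DD-EE-FF")])
```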
10-20-2015 01:11 PM
Dear Jan
Thanks for the reply. Actually I am not able to troubleshoot because I see lots of MAC addresses in the authentication logs in ISE for the SSID which is not used for 802.1X, so how can I stop these MAC addresses from being displayed in the logs so that I do not miss the real logs?
As you can see from the HOME page: unknown NAD.
thanks