Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2403
Views
0
Helpful
3
Replies

AAA Authentication Failed with ISE & NPS

Go to solution
Sijian
Level 1
Level 1

‎05-24-2021 12:19 AM

Hello All,

 

We have some WLCs on different locations with SSID set to send all the authentication requests to a centralized Cisco ISE, the ISE is working as a relay to forward all the requests to a Microsoft NPS.

 

Most of the time, it's working pretty well. However, sometimes, random users will fail to connect to the SSID with "authentication failed" reply from the WLC, we firstly checked the logs on the NPS and there's no log about failures. Then we checked the logs on the ISE and we found the following logs (refer to the attachment).

 

The situation will last for at least 30 minutes to recover, then the users can connect to the SSID again.

 

Have you ever faced the same problem?

 

Thank you.

 
1.zip
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
lrojaslo
Cisco Employee
Cisco Employee

‎05-24-2021 12:28 PM

In this scenario, it looks your ISE server is unable to talk with your NPS server for that period of time (it can be ISE or NPS related issue, you will need to collect more info to determine).

 

For the error in the live log, it fails to contact the server, but also fails to attempt a failover to next available method/server, this part is all about your configuration, it might not be really relevant if you are not expecting a failover.

 

Gather a packet capture to the NPS (from ISE) when the issue is happening and confirm if ISE is sending the access-requests, in such case, you might need to review further on NPS side. 

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Marcelo Morais
VIP
VIP

‎05-24-2021 06:21 AM

Hi @Sijian ,

 please at Administration > Identity Management > Identity Source Sequences, select the Source, check the selected Authentication Search List and also the Advanced Search List Settings configuration.

 Do you have more than one source?

 

Hope this helps !!!

0 Helpful

Go to solution
lrojaslo
Cisco Employee
Cisco Employee

‎05-24-2021 12:28 PM

In this scenario, it looks your ISE server is unable to talk with your NPS server for that period of time (it can be ISE or NPS related issue, you will need to collect more info to determine).

 

For the error in the live log, it fails to contact the server, but also fails to attempt a failover to next available method/server, this part is all about your configuration, it might not be really relevant if you are not expecting a failover.

 

Gather a packet capture to the NPS (from ISE) when the issue is happening and confirm if ISE is sending the access-requests, in such case, you might need to review further on NPS side. 

0 Helpful

Go to solution
thomas
Cisco Employee
Cisco Employee

‎06-01-2021 02:25 PM - edited ‎06-01-2021 02:26 PM

Please post your actual images or error text using the image.pngoption in the tool bar in your post.

I'm not going to download and open a random .zip file from a community post.

0 Helpful
Customers Also Viewed These Support Documents