05-24-2021 12:19 AM
Hello All,
We have some WLCs at different locations with an SSID set to send all authentication requests to a centralized Cisco ISE. The ISE works as a relay and forwards all the requests to a Microsoft NPS.
Most of the time it works pretty well. However, sometimes random users fail to connect to the SSID with an "authentication failed" reply from the WLC. We first checked the logs on the NPS, and there is no log about failures. Then we checked the logs on the ISE and found the following logs (refer to the attachment).
The situation lasts at least 30 minutes before it recovers, and then the users can connect to the SSID again.
Have you ever faced the same problem?
Thank you.
05-24-2021 12:28 PM
In this scenario, it looks like your ISE server is unable to talk with your NPS server for that period of time (it can be an ISE- or NPS-related issue; you will need to collect more info to determine which).
For the error in the live log, it fails to contact the server, but it also fails to attempt a failover to the next available method/server. This part is all about your configuration; it might not be really relevant if you are not expecting a failover.
Gather a packet capture to the NPS (from ISE) when the issue is happening and confirm whether ISE is sending the access-requests; in such a case, you might need to review further on the NPS side.
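One way to run the check suggested in the reply above once the capture exists, as an added example that is not part of the original thread: pair each RADIUS Access-Request sent to the NPS with its reply and list the requests that were never answered. It assumes the UDP payloads have already been extracted from the capture; the function names, addresses and sample packets are constructed for illustration.

```python
import struct

ACCESS_REQUEST = 1                 # RADIUS codes from RFC 2865
REPLY_CODES = {2, 3, 11}           # Access-Accept, Access-Reject, Access-Challenge

def parse_header(payload):
    """Return (code, identifier, authenticator), or None if not a RADIUS header."""
    if len(payload) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", payload[:4])
    return (code, ident, payload[4:20]) if 20 <= length <= len(payload) else None

def unanswered_requests(packets, nps_ip):
    """packets: (ts, src_ip, src_port, dst_ip, dst_port, udp_payload) tuples.
    Returns [(first_ts, client_ip, client_port, identifier, transmissions)]."""
    pending, lost = {}, []
    for ts, src, sport, dst, dport, payload in sorted(packets, key=lambda p: p[0]):
        hdr = parse_header(payload)
        if hdr is None:
            continue
        code, ident, auth = hdr
        if code == ACCESS_REQUEST and dst == nps_ip:
            key = (src, sport, ident)
            entry = pending.get(key)
            if entry and entry["auth"] == auth:
                entry["tx"] += 1                    # retransmission of the same request
            else:
                if entry:                           # identifier reused: old request got no reply
                    lost.append((entry["first"], *key, entry["tx"]))
                pending[key] = {"first": ts, "auth": auth, "tx": 1}
        elif code in REPLY_CODES and src == nps_ip:
            pending.pop((dst, dport, ident), None)  # reply matches on client addr, port, identifier
    lost += [(e["first"], *k, e["tx"]) for k, e in pending.items()]
    return sorted(lost)

def _pkt(code, ident, fill):
    """Build a minimal 20-byte RADIUS packet (header only, no attributes)."""
    return struct.pack("!BBH", code, ident, 20) + bytes([fill]) * 16

# Constructed sample capture; addresses are documentation-range placeholders.
ISE, NPS = "192.0.2.10", "192.0.2.20"
SAMPLE = [
    (0.00, ISE, 50000, NPS, 1812, _pkt(1, 1, 0xA1)),   # request 1
    (0.05, NPS, 1812, ISE, 50000, _pkt(2, 1, 0xB1)),   # Access-Accept for 1
    (10.0, ISE, 50000, NPS, 1812, _pkt(1, 2, 0xA2)),   # request 2
    (15.0, ISE, 50000, NPS, 1812, _pkt(1, 2, 0xA2)),   # request 2 retransmitted
    (30.0, ISE, 50000, NPS, 1812, _pkt(1, 3, 0xA3)),   # request 3
    (30.1, NPS, 1812, ISE, 50000, _pkt(3, 3, 0xB3)),   # Access-Reject for 3
]
```

Requests that appear here with several transmissions and no reply show ISE was sending and the NPS side stayed silent; an empty capture during the failure window points back at ISE.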
05-24-2021 06:21 AM
Hi @Sijian ,
Please go to Administration > Identity Management > Identity Source Sequences, select the source, and check the selected Authentication Search List and also the Advanced Search List Settings configuration.
Do you have more than one source?
Hope this helps !!!
06-01-2021 02:25 PM - edited 06-01-2021 02:26 PM
Please post your actual images or error text using the option in the tool bar in your post.
I'm not going to download and open a random .zip file from a community post.