Showing results for 
Search instead for 
Did you mean: 

Apple iPhones not authenticating properly to ISE

Level 1
Level 1


A very unusual situation has started here in regards to our company owned Apple iPhones and the way they authenticate onto our wireless network using Cisco ISE (1.2 patch 17).

We have over 400 iPhones currently authenticating to our network through ISE with no problems. When we try to add a new phone (or wipe clean an older phone) and then try to authenticate to the network ISE issues a failed authentication response with a reason, "24408 User authentication against Active Directory failed since user has entered the wrong password."

After three failed attempts the user's account is locked in Active Directory (as is our default setting).

The unusual part of this is that the user is not attempting to make the authentication (by entering username/password). The attempts show up in the ISE Authentications screen, though.

Can someone explain this to me?

Here is more information. We are using MobileIron to manage our company owned iPhones. We push policies out to the phones so that they can attach to our exchange server and network automatically. We have not changed our MobileIron profiles in about 16 months and they have always worked in the past. This issue began to happen within the last 6 weeks. I have not made any changes to ISE. It does not seem to matter which iPhone IOS we are using.

If we do not push the MobileIron profiles out to the iPhone and instead select the wireless network manually we can then attach to the wireless network without a problem. I know this makes it sound like our MobileIron profiles may be corrupt but our group that handles the MobileIron package has verified they are not at fault.

I welcome your ideas and thoughts.

2 Replies 2

Cisco Employee
Cisco Employee

This does sound like an MDM issue if joining the device manually works fine. But just to confirm, the flow is like this:

New Phone > MDM Registration > MDM pushes settings to phone > Phone tries to connect.

If this is correct, then I am suspecting that the MDM is pushing an incorrect configuration to the phones. Otherwise, a new/wiped clean phone would not know what credentials to use when joining a 802.1x enabled network. 

On the other hand, if you are doing Client-Provisioning through ISE, I can see how ISE could be the problem here but from what I understood that is not the case.

Thank you for rating helpful posts! 

We are not using ISE to provision the clients. In this case ISE is simply authenticating the device for wireless network usage. We are also investigating the MDM configuration that is pushed to the phones.

I will keep this forum updated with what we find. Maybe it can help others in the future.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: