Authentication ISE special characters

SupportAC
Level 1

We have an authentication problem with the users that have the letter "ñ". The clients do not send the correct user to the ISE to authenticate. As a consequence, they do not connect. We are thinking that it could be a switch issue. It's like the switch is not taking the "ñ" properly.
We will need a solution / Windows 7 for the PCs to correctly send the username to the ISE (e.g. supplicant ..... (?) as a workaround). Any workaround?

hslai
Cisco Employee

niño is working fine for me on a Windows 7 SP1 test client using the Windows native supplicant and a Cisco 3650 as the wired NAD.


Nadav
Level 7

Mind showing the details for the failed authentication? 

We can see this:

 

1719680: Dec 10 14:10:41.504: RADIUS:  User-Name           [1]   17  "DOMAIN\ANuC1ez"

C1=ñ

 

It's like the switch is not taking the character "ñ" correctly.

 

C2960X:

1720407: Dec 10 14:10:50.106: RADIUS(00000000): Send Access-Request to1812 onvrf(0) id 1645/55, len 472
1720408: Dec 10 14:10:50.106: RADIUS: authenticator 82
1720409: Dec 10 14:10:50.109: RADIUS: User-Name [1] 17 "DOMAIN\ANuC1ez"
1720410: Dec 10 14:10:50.109: RADIUS: Service-Type [6] 6 Framed [2]
1720411: Dec 10 14:10:50.109: RADIUS: Vendor, Cisco [26] 27
1720412: Dec 10 14:10:50.109: RADIUS: Cisco AVpair [1] 21 "service-type=Framed"
1720413: Dec 10 14:10:50.109: RADIUS: Framed-MTU [12] 6 1500

 %DOT1X-5-FAIL: Authentication failed for client  on Interface Gi2/0/32 AuditSessionID

 

The switch is:

 

Cisco IOS Software, C2960X Software (C2960X-UNIVERSALK9-M), Version 15.2(4)E6, RELEASE SOFTWARE (fc4)

 

Just in case the issue is on the switch.

Our switch showed similar output but the authentication went fine in ISE. Please post the auth detail report from ISE or engage Cisco TAC to troubleshoot.

Below was the output from our lab switch:
3k-access#show authentication sessions mac 0050.5687.ea65 details
Interface: GigabitEthernet1/0/1
IIF-ID: 0x1071F400000006B
MAC Address: 0050.5687.ea65
IPv6 Address: Unknown
IPv4 Address: 10.1.50.202
User-Name: niC1o
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A01640100000FB4A003CF1E
Acct Session ID: 0x00000FAA
Handle: 0x45000005
Current Policy: POLICY_Gi1/0/1

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:

Method status list:
Method State

mab Stopped
dot1x Authc Success

 

Note that authentication succeeded even though IOS-XE shows the user-name thus:

"User-Name: niC1o"

 

So it may just be an encoding issue for the show command and not a functional issue of the switch.

The authentication with user "niño" is not working, but if we use "nino" it works fine. So it seems there is an issue with the character "ñ". Do you know of any issue about this?

At this point, please engage Cisco TAC to troubleshoot further. Please note that what I tested is an internal user and yours appears to be an AD user.
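
One way to settle whether the switch alters the name or only displays it oddly is to read the User-Name bytes from a captured Access-Request instead of relying on the debug or show output. The following is an added example, not part of the thread or any Cisco tooling: the function names are hypothetical and the packets are constructed samples containing only a User-Name attribute (RFC 2865 defines that attribute's text form as UTF-8).

```python
import struct

USER_NAME = 1  # RADIUS attribute type 1; RFC 2865 defines its text form as UTF-8


def build_access_request(user_name: bytes) -> bytes:
    """Constructed sample: Access-Request (code 1) with only a User-Name attribute."""
    attr = bytes([USER_NAME, len(user_name) + 2]) + user_name
    # 4-byte header + 16-byte authenticator (zeroed here) + attributes
    return struct.pack("!BBH", 1, 55, 20 + len(attr)) + bytes(16) + attr


def radius_attributes(packet: bytes):
    """Yield (type, value) for every attribute, rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad packet length field")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def inspect_user_name(packet: bytes):
    """Return the raw bytes and detected encoding of the User-Name attribute."""
    for atype, value in radius_attributes(packet):
        if atype != USER_NAME:
            continue
        if value.isascii():
            enc, text = "ascii", value.decode("ascii")
        else:
            try:
                enc, text = "utf-8", value.decode("utf-8")
            except UnicodeDecodeError:
                # Single-byte code page such as Latin-1/Windows-1252
                enc, text = "not-utf-8", value.decode("latin-1")
        return {"hex": value.hex(" "), "encoding": enc, "text": text}
    return None


if __name__ == "__main__":
    for raw in ("nino".encode(), "niño".encode("utf-8"), "niño".encode("latin-1")):
        print(inspect_user_name(build_access_request(raw)))
```

Comparing the hex from a capture on the switch uplink with the username shown in the ISE authentication detail report shows which hop, if any, changed the bytes.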