09-25-2025 06:07 AM
Hi all,
I know ISE is a huge topic, worth a certification in order to get to know it, but I thought I'd be able to configure it with a couple of guides read.
User (OpenVPN) > pfSense > RADIUS PAP > ISE > REST Entra ID
WiFi client > WLC 9800 > RADIUS > ISE > REST Entra ID
I have read this documentation.
ISE's REST ID store can read group and user attributes. I think the Azure part is OK.
==========
The policy set is rather simple:
RADIUS NAS-IP-Address:
Authentication : RestID store
Authorization : Permit access
==============
The test user is active and the credentials are good.
I get constant failures:
FW:
Overview
Event 5400 Authentication failed
Username USERNAME
Endpoint Id
Endpoint Profile
Authentication Policy test-ia-fw01a_entraID >> Default
Authorization Policy test-ia-fw01a_entraID
Authorization Result
Authentication Details
Source Timestamp 2025-09-25 14:31:17.77
Received Timestamp 2025-09-25 14:31:17.77
Policy Server ise01
Event 5400 Authentication failed
Username USERNAME
Authentication Identity Store _TEST_ENTRA_ID
Authentication Method PAP_ASCII
Authentication Protocol PAP_ASCII
Service Type Login
Network Device test-ia-fw01a.dc..eu
Device Type All Device Types#pFsense firewalls
Location All Locations
NAS IPv4 Address 10.179.10.4
Response Time 948 milliseconds
Other Attributes
ConfigVersionId 396
Device Port 37356
DestinationPort 1812
RadiusPacketType AccessRequest
Protocol Radius
NetworkDeviceProfileId b0699505-3150-4215-a80e-6753d45bf56c
IsThirdPartyDeviceFlow false
AcsSessionID ise01/548012987/129
SelectedAuthenticationIdentityStores _TEST_ENTRA_ID
IdentityPolicyMatchedRule Default
ISEPolicySetName test-ia-fw01a_entraID
IdentitySelectionMatchedRule Default
TotalAuthenLatency 948
ClientLatency 0
DTLSSupport Unknown
Network Device Profile Cisco
Location Location#All Locations
Device Type Device Type#All Device Types#pFsense firewalls
IPSEC IPSEC#Is IPSEC Device#No
RADIUS Username USERNAME
NAS-Identifier test-ia-fw01a.dc..eu
Device IP Address 10.179.10.4
CPMSessionID bc5d52decpccYe5jrLzzmEQbU_ST6SVajm6vyNgISWSsI3NgSjc
Called-Station-ID 52:54:00:00:30:70:test-ia-fw01a.dc..eu
Result
RadiusPacketType AccessReject
AuthenticationResult Error
Steps
Step ID Description Latency (ms)
11001 Received RADIUS Access-Request
11017 RADIUS created a new session 0
11117 Generated a new session ID 2
15049 Evaluating Policy Group 1
15008 Evaluating Service Selection Policy 1
15048 Queried PIP - Radius.Called-Station-ID 6
15048 Queried PIP - Radius.NAS-IP-Address 1
15041 Evaluating Identity Policy 10
15013 Selected Identity Source - _TEST_ENTRA_ID 8
25103 Perform plain text password authentication in external REST ID store server - _TEST_ENTRA_ID 2
25100 Connecting to external REST ID store server - _TEST_ENTRA_ID 262
25101 Successfully connected to external REST ID store server - _TEST_ENTRA_ID 651
22059 The advanced option that is configured for process failure is used 1
22061 The 'Reject' advanced option is configured in case of a failed authentication request 1
11003 Returned RADIUS Access-Reject 1
WIFI:
Cisco ISE
Overview
Event 5400 Authentication failed
Username USERNAME
Endpoint Id F4:6D:3F:E9:69:89
Endpoint Profile
Authentication Policy SSID_-scepman_entraID >> Default
Authorization Policy SSID_-scepman_entraID
Authorization Result
Authentication Details
Source Timestamp 2025-09-25 12:27:33.258
Received Timestamp 2025-09-25 12:27:33.258
Policy Server ise01
Event 5400 Authentication failed
Failure Reason 22064 Authentication method is not supported by any applicable identity store(s)
Resolution The authentication method that was negotiated with the client was not supported by any of the identity stores specified by the authentication policy. Configure the endpoint client to use a different authentication method or change the authentication policy to allow an identity store that supports that authentication method
Root cause Authentication method is not supported by any applicable identity store(s)
Username USERNAME
Endpoint Id F4:6D:3F:E9:69:89
Calling Station Id f4-6d-3f-e9-69-89
Audit Session Id 082EB30A0001E8C48069F8E6
Authentication Method dot1x
Authentication Protocol EAP-TTLS (MSCHAPV1)
Service Type Framed
Network Device vwlc01.dc..eu
Device Type All Device Types#Cisco wireless controllers
Location All Locations
NAS IPv4 Address 10.179.46.8
NAS Port Id capwap_9000012d
NAS Port Type Wireless - IEEE 802.11
Response Time 95 milliseconds
Other Attributes
ConfigVersionId 385
Device Port 56266
DestinationPort 1812
RadiusPacketType AccessRequest
Protocol Radius
NAS-Port 7
Framed-MTU 1005
State 37CPMSessionID=082EB30A0001E8C48069F8E6;33SessionID=ise01/548012987/124;
undefined-186 00:0f:ac:04
undefined-187 00:0f:ac:04
undefined-188 00:0f:ac:01
MS-CHAP-Response 6d:01:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:20:4a:90:32:2e:f6:8a:73:67:97:2e:4b:f9:48:d1:be:19:21:52:5d:af:16:12:04
MS-CHAP-Challenge 9f:c8:02:92:49:4a:7d:32
NetworkDeviceProfileId b0699505-3150-4215-a80e-6753d45bf56c
IsThirdPartyDeviceFlow false
AcsSessionID ise01/548012987/124
SelectedAuthenticationIdentityStores _TEST_ENTRA_ID
IdentityPolicyMatchedRule Default
EndPointMACAddress F4-6D-3F-E9-69-89
ISEPolicySetName SSID_-scepman_entraID
IdentitySelectionMatchedRule Default
TotalAuthenLatency 335
ClientLatency 240
TLSCipher ECDHE-RSA-AES256-GCM-SHA384
TLSVersion TLSv1.2
TLSSupportedGroups secp521r1
TLSSignatureAlgorithms NONE
DTLSSupport Unknown
Network Device Profile Cisco
Location Location#All Locations
Device Type Device Type#All Device Types#Cisco wireless controllers
IPSEC IPSEC#Is IPSEC Device#No
RADIUS Username USERNAME
NAS-Identifier vwlc01a
Device IP Address 10.179.46.8
CPMSessionID 082EB30A0001E8C48069F8E6
Called-Station-ID 88-9c-ad-3d-27-c0:-scepman
CiscoAVPair service-type=Framed,
audit-session-id=082EB30A0001E8C48069F8E6,
method=dot1x,
client-iif-id=352454714,
vlan-id=100,
cisco-wlan-ssid=-scepman,
wlan-profile-name=-scapman-corp
Result
RadiusPacketType AccessReject
AuthenticationResult NotPerformed
Session Events
2025-09-25 12:27:33.258 Authentication failed
Steps
Step ID Description Latency (ms)
11001 Received RADIUS Access-Request
11017 RADIUS created a new session 0
15049 Evaluating Policy Group 2
15008 Evaluating Service Selection Policy 0
15048 Queried PIP - Radius.Called-Station-ID 7
11507 Extracted EAP-Response/Identity 8
12500 Prepared EAP-Request proposing EAP-TLS with challenge 0
12625 Valid EAP-Key-Name attribute received 0
11006 Returned RADIUS Access-Challenge 1
11001 Received RADIUS Access-Request 37
11018 RADIUS is re-using an existing session 0
12979 Extracted EAP-Response/NAK requesting to use EAP-TTLS instead 1
12983 Prepared EAP-Request proposing EAP-TTLS with challenge 0
12625 Valid EAP-Key-Name attribute received 0
12985 Prepared EAP-Request with another EAP-TTLS challenge 0
11006 Returned RADIUS Access-Challenge 0
11001 Received RADIUS Access-Request 38
11018 RADIUS is re-using an existing session 0
12978 Extracted EAP-Response containing EAP-TTLS challenge-response and accepting EAP-TTLS as negotiated 1
61025 Open secure connection with TLS peer 1
12800 Extracted first TLS record; TLS handshake started 1
12805 Extracted TLS ClientHello message 0
12806 Prepared TLS ServerHello message 0
12807 Prepared TLS Certificate message 1
12808 Prepared TLS ServerKeyExchange message 35
12810 Prepared TLS ServerDone message 0
12985 Prepared EAP-Request with another EAP-TTLS challenge 1
11006 Returned RADIUS Access-Challenge 0
11001 Received RADIUS Access-Request 38
11018 RADIUS is re-using an existing session 0
12971 Extracted EAP-Response containing EAP-TTLS challenge-response 1
12985 Prepared EAP-Request with another EAP-TTLS challenge 0
11006 Returned RADIUS Access-Challenge 0
11001 Received RADIUS Access-Request 39
11018 RADIUS is re-using an existing session 0
12971 Extracted EAP-Response containing EAP-TTLS challenge-response 0
12985 Prepared EAP-Request with another EAP-TTLS challenge 0
11006 Returned RADIUS Access-Challenge 0
11001 Received RADIUS Access-Request 46
11018 RADIUS is re-using an existing session 0
12971 Extracted EAP-Response containing EAP-TTLS challenge-response 0
12810 Prepared TLS ServerDone message 0
12812 Extracted TLS ClientKeyExchange message 13
12803 Extracted TLS ChangeCipherSpec message 1
12804 Extracted TLS Finished message 0
12801 Prepared TLS ChangeCipherSpec message 0
12802 Prepared TLS Finished message 0
12816 TLS handshake succeeded 0
12985 Prepared EAP-Request with another EAP-TTLS challenge 0
11006 Returned RADIUS Access-Challenge 0
11001 Received RADIUS Access-Request 46
11018 RADIUS is re-using an existing session 0
12971 Extracted EAP-Response containing EAP-TTLS challenge-response 1
15041 Evaluating Identity Policy 1
15013 Selected Identity Source - _TEST_ENTRA_ID 11
22043 Current Identity Store does not support the authentication method; Skipping it - _TEST_ENTRA_ID 0
22064 Authentication method is not supported by any applicable identity store(s) 0
22058 The advanced option that is configured for an unknown user is used 0
22061 The 'Reject' advanced option is configured in case of a failed authentication request 0
12976 EAP-TTLS authentication failed 1
61026 Shutdown secure connection with TLS peer 0
11504 Prepared EAP-Failure 1
11003 Returned RADIUS Access-Reject 0
5449 Endpoint failed authentication of the same scenario several times and was rejected 0
Any help or next steps for further troubleshooting would be much appreciated.
Regards
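A triage script for the two Steps tables pasted above, added here as an example; it is not part of the original post and not Cisco tooling. It parses the rows as they come out of Live Log details, pulls the selected identity store and the negotiated EAP method, and classifies the reject from the step IDs the post shows: 22043/22064 (the store cannot handle the method, so no password was ever checked, matching the WLC log's AuthenticationResult NotPerformed) versus 25101 followed by 22059 (the REST store was reached but the call ended as a process failure rather than a clean accept or reject, matching the pfSense log's AuthenticationResult Error). The grouping of step IDs and the advice strings are my reading of those codes, not text from the page; the sample inputs are the decisive rows copied from the two logs.

```python
"""Triage a failed Cisco ISE authentication from its Live Log 'Steps' table."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# A pasted row: "<step id> <description> [<latency ms>]".
STEP_RE = re.compile(r"^\s*(\d{4,5})\s+(.*?)(?:\s+(\d+))?\s*$")

# Step IDs as they appear in the two logs; the grouping is my reading of them.
REST_CONNECTED = "25101"                 # connected to external REST ID store
METHOD_UNSUPPORTED = {"22043", "22064"}  # store cannot handle the auth method
PROCESS_FAILURE = "22059"                # 'process failure' advanced option used
UNKNOWN_USER = "22058"                   # 'unknown user' advanced option used


@dataclass
class Step:
    step_id: str
    description: str
    latency_ms: Optional[int]


@dataclass
class Verdict:
    category: str
    identity_store: Optional[str]
    negotiated_method: Optional[str]
    decisive_steps: List[str] = field(default_factory=list)
    advice: str = ""


def parse_steps(text: str) -> List[Step]:
    """Parse Steps rows; the header line and blanks do not match and are skipped."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            step_id, desc, lat = m.groups()
            steps.append(Step(step_id, desc, int(lat) if lat is not None else None))
    return steps


def classify(text: str) -> Verdict:
    """Return the failure class plus the step IDs that decided it."""
    steps = parse_steps(text)
    ids = [s.step_id for s in steps]
    store = method = None
    for s in steps:
        m = re.search(r"Selected Identity Source - (\S+)", s.description)
        if m:
            store = m.group(1)
        m = re.search(r"accepting (\S+) as negotiated", s.description)
        if m:
            method = m.group(1)
    if any(i in METHOD_UNSUPPORTED for i in ids):
        return Verdict("method_not_supported", store, method,
                       [i for i in ids if i in METHOD_UNSUPPORTED],
                       "Store cannot verify the negotiated method; the password was never "
                       "checked. Change the client's inner method or the policy's store.")
    if REST_CONNECTED in ids and PROCESS_FAILURE in ids:
        return Verdict("rest_store_process_failure", store, method,
                       [REST_CONNECTED, PROCESS_FAILURE],
                       "ISE reached the REST ID store but the call ended as an error, not "
                       "a clean accept/reject. Inspect the store's HTTP exchange and logs.")
    if UNKNOWN_USER in ids:
        return Verdict("unknown_user", store, method, [UNKNOWN_USER],
                       "Store answered but did not find the user.")
    return Verdict("other", store, method, [], "Read the remaining 2xxxx steps by hand.")


# Decisive rows of the pfSense/PAP attempt, copied from the post.
FW_STEPS = """
15041 Evaluating Identity Policy 10
15013 Selected Identity Source - _TEST_ENTRA_ID 8
25103 Perform plain text password authentication in external REST ID store server - _TEST_ENTRA_ID 2
25100 Connecting to external REST ID store server - _TEST_ENTRA_ID 262
25101 Successfully connected to external REST ID store server - _TEST_ENTRA_ID 651
22059 The advanced option that is configured for process failure is used 1
22061 The 'Reject' advanced option is configured in case of a failed authentication request 1
11003 Returned RADIUS Access-Reject 1
"""

# Decisive rows of the WLC/EAP-TTLS attempt, copied from the post.
WIFI_STEPS = """
12978 Extracted EAP-Response containing EAP-TTLS challenge-response and accepting EAP-TTLS as negotiated 1
12816 TLS handshake succeeded 0
15013 Selected Identity Source - _TEST_ENTRA_ID 11
22043 Current Identity Store does not support the authentication method; Skipping it - _TEST_ENTRA_ID 0
22064 Authentication method is not supported by any applicable identity store(s) 0
22058 The advanced option that is configured for an unknown user is used 0
22061 The 'Reject' advanced option is configured in case of a failed authentication request 0
12976 EAP-TTLS authentication failed 1
11003 Returned RADIUS Access-Reject 0
"""

if __name__ == "__main__":
    for name, text in (("FW", FW_STEPS), ("WIFI", WIFI_STEPS)):
        v = classify(text)
        print(f"{name}: {v.category} store={v.identity_store} "
              f"method={v.negotiated_method} steps={v.decisive_steps}\n  {v.advice}")
```

Paste the whole Steps table of any other failed attempt into `classify()`; only the 2xxxx and 25xxx rows matter for the verdict, and the TLS rows are ignored. One observation from the WLC log itself: its Authentication Protocol line reads EAP-TTLS (MSCHAPV1), while the store's own step 25103 in the pfSense log describes it as performing plain text password authentication. An MS-CHAP challenge/response cannot be checked by a store that only receives a clear-text password, which is what step 22043 is reporting; that is my interpretation of the two logs, not a statement from the post.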