Cisco ISE - 802.1X User not Found

BlackDiamond71
Level 1

I am brand new to ISE and am trying to configure 802.1X, and I am having issues getting things going. Essentially, I have an authentication policy set to "All_User_ID_Stores" with If Auth Fail, If User not found and If Process Fail all set to drop or reject (Image Attached). It seems like the computer name is in the username field and that is what is tripping things up when it is supposed to be the username.

 

Log Details:

Event: 5440 Endpoint abandoned EAP session and started new
Failure Reason: 22056 Subject not found in the applicable identity store(s)
Resolution: Check whether the subject is present in any one of the chosen identity stores. Note that some identity stores may have been skipped due to identity resolution settings or if they do not support the current authentication protocol.
Root cause: Subject not found in the applicable identity store(s).
Username: host/ComputerName.Domain
Endpoint ID: 2A:2C:EF:23:41:E2 (Not the real MAC)

Steps:

24325  Resolving identity - host/ComputerName.Domain  (21 ms)
24313  Search for matching accounts at join point - Domain  (0 ms)
24357  Incoming identity was rewritten - from: host/ComputerName.Domain to: ComputerName.Domain  (0 ms)
24318  No matching account found in forest - Domain  (0 ms)
24322  Identity resolution detected no matching account  (0 ms)
24352  Identity resolution failed - ERROR_NO_SUCH_USER  (0 ms)
24437  Machine not found in Active Directory - All_AD_Join_Points  (0 ms)

4 Replies

Arne Bier
VIP

Have you tried performing a Lookup of that computer on one of your PSN nodes? You can select any of the nodes that are AD joined to the appropriate AD domain and then perform a Test, Lookup function. That would be a good start.

By default, ISE has no issues (or configuration trickery) locating a machine object in AD - are you doing EAP-TLS or EAP-PEAP? 

I redid my switch config. I am using EAP-PEAP, and when I log in to the user account it shows the username under endpoints, but when I log out it shows the MAC address. I presume the reason is that it thinks the MAC address is the username, as the logs show "Looking up user". I essentially want to create a policy set so that if it is a domain-joined computer it goes to the next step. Any thoughts on how to set that up? I think going that route would solve my issue.

When a Windows domain-joined computer boots up, and if there is an 802.1X supplicant configured, then the OS will perform a machine authentication (hostname). Then, if you have User/Machine authentication configured in your supplicant, the OS will perform another network auth when you enter creds at the login screen (login username). Finally, when the user logs out, the OS performs another machine authentication (same as during boot up).

Why do you want user network authentication? What are you telling the switch to do as a result of a user logging in?  If you are not making any changes to VLAN or ACL, then rather leave the User auth disabled and rely on Machine auth only.

If you see a MAC address in the Username field then something has gone wrong. It means that the 802.1X was not involved, and that MAB was performed. A MAC address is never involved in 802.1X authentication - the identities provided to the supplicant are usernames or hostnames.

What does your switch config look like? If it's IBNS 2.0 then please share the policy-map, plus:

show run | sec radius
show derived interface xxx
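The rule in the reply above (a MAC address in the Username field means MAB, not 802.1X; a host/ prefix means machine auth; anything else is a user login) is easy to apply to exported ISE authentication records. The script below is an added example, not code from this thread or from Cisco: it classifies each record by the form of its username, mirrors the host/ prefix rewrite that step 24357 shows, and walks one endpoint's boot, login, logoff sequence to flag the point where the supplicant dropped out and the switch fell back to MAB. The record fields, the user name DOMAIN\jdoe and the sequence itself are constructed; the MAC reuses the placeholder from the original post.

```python
"""Classify Cisco ISE authentication records by the identity form in the
Username field.  Added example, not from the forum thread or Cisco; the
record layout and sample data are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# MAC address in the forms ISE commonly displays: AA:BB:CC:DD:EE:FF,
# AA-BB-CC-DD-EE-FF or AABBCCDDEEFF (any case).
_MAC_RE = re.compile(r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$|^[0-9a-f]{12}$", re.IGNORECASE)
# Machine identity as a Windows supplicant sends it: host/<fqdn>
_HOST_RE = re.compile(r"^host/(?P<fqdn>\S+)$", re.IGNORECASE)


def normalize_mac(mac: str) -> str:
    """Return the MAC as 12 lowercase hex digits so the display formats compare equal."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def classify_identity(username: str, endpoint_id: str) -> str:
    """Return MAB, MACHINE or USER for one ISE authentication record.

    MAB:     the username is a MAC address, so the switch performed MAC
             Authentication Bypass and no supplicant/802.1X was involved.
    MACHINE: 802.1X machine authentication, identity of the form host/<fqdn>.
    USER:    anything else, i.e. an 802.1X user login.
    """
    name = username.strip()
    if _MAC_RE.match(name):
        return "MAB"
    if _HOST_RE.match(name):
        return "MACHINE"
    return "USER"


def strip_host_prefix(username: str) -> str:
    """Mirror the rewrite ISE logs as step 24357: host/ComputerName.Domain
    becomes ComputerName.Domain before the AD lookup."""
    m = _HOST_RE.match(username.strip())
    return m.group("fqdn") if m else username


@dataclass
class AuthRecord:
    username: str     # ISE Username field
    endpoint_id: str  # ISE Endpoint ID (MAC)
    note: str         # constructed label, only for readability


def audit_session(records: List[AuthRecord]) -> List[Tuple[int, str]]:
    """Walk one endpoint's authentications in order and return (index, finding)
    for every record where 802.1X was not used, which is the symptom in the
    thread: a MAC address in the Username field after the user logs off."""
    findings = []
    for i, rec in enumerate(records):
        if classify_identity(rec.username, rec.endpoint_id) == "MAB":
            mac = normalize_mac(rec.endpoint_id)
            findings.append((i, f"MAB on endpoint {mac}: supplicant did not authenticate ({rec.note})"))
    return findings


# Constructed sample: boot -> login -> logoff for a single endpoint.
MAC = "2A:2C:EF:23:41:E2"  # placeholder MAC from the thread, not a real one
SAMPLE = [
    AuthRecord("host/ComputerName.Domain", MAC, "boot: machine auth"),
    AuthRecord("DOMAIN\\jdoe", MAC, "login: user auth"),  # constructed user name
    AuthRecord("2A-2C-EF-23-41-E2", MAC, "logoff: machine auth expected, MAB seen"),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        kind = classify_identity(rec.username, rec.endpoint_id)
        print(f"{rec.username:28} -> {kind:7} lookup name: {strip_host_prefix(rec.username)}")
    for idx, finding in audit_session(SAMPLE):
        print(f"record {idx}: {finding}")
```

Running it on the sample prints MACHINE, USER, MAB for the three records and one finding on record 2, which is exactly the pattern the original poster described (username after logoff was the MAC). On a real export the same check, run per endpoint, separates "the supplicant sent an identity ISE could not find" (a MACHINE or USER record with a 22056 failure) from "the supplicant never spoke" (a MAB record), which are fixed in different places.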

BlackDiamond71
Level 1

I figured it out: it was the policy set rule and me not realizing it was using MAB. I modified my 802.1X policy and it works now. Thanks for your help.