Cisco ISE Dot1x Authentication failed - Misconfigured Supplicant

laurathaqi
Level 3

Dear community,

Hope all is good on your side.

I am working on the configuration of Cisco ISE 3.0 802.1x in a project and during the process I am facing an issue with Authorization.

Cisco ISE shows: 1 Misconfigured Supplicant. The details of this Misconfigured Supplicant are too general, as follows:

Failure Reason: Rejected per Authorization Profile; 

Resolution: Selected Authorization Profile contains ACCESS_REJECT Attribute. Authorization Profile with Access_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results. 

 

The behavior of the RADIUS logs is: three successful AuthZ followed by two failed AuthZ logs.

Configuration on the supplicant has been applied with the following idea:

Authentication protocol to be used: PEAP. Configurations for PEAP, wiredAutoConfig have been applied as described in almost all blogs online.

The one thing I am unsure about is the ROOT cert that needs to be imported in the supplicant. This is because, on ISE trusted CAs, I have the organization public CA imported. Meanwhile, I have generated a Subordinate Cert and signed it for the Distributed Deployment of ISE1 and ISE2. Now I remember the subordinate was checked to be used for EAP Authentication.

Do you guys know if this is the Root cert I need to push into the Supplicant Trusted CAs? And if yes, do you know how I can download this Subordinate Cert directly from ISE and import it in the Supplicant Trusted CAs Store?

Other than that, I have enabled debug on the switch, but no logs are showing there. The show auth sess int g0/1 dot1x shows running and then failed.

The unclear thing is that it does not fail to MAB even though it's listed as a secondary protocol to be used.

At the end, what I did was the default policy, selected it to allow any. And this is when it failed to MAB. Meanwhile, dot1x PEAP is still not working.

I am after troubleshooting forms, more logs and a way to see what is happening in the background of the process.

Any guide, recommendation or thought would be highly appreciated.

 

Thank you,

Laura 

1 Accepted Solution

image-19.jpg

need for PEAP CA of Server to auth itself to client.

Hi @MHM Cisco World

I have installed the Root Cert of the CA into the Supplicant.

The behavior of the logs and the authentication process is as follows:

Authentication passed, Authorization passed, DACL downloaded, AuthZ rejected due to access-reject attribute. This means that I have three logs with success status, and then it fails at the end.

I am also getting the following: Endpoint abandoned EAP session and started new, but not all the time.

The really bad thing is that logs do not show in the NAD! So I currently get to work only with Cisco ISE RADIUS log visibility.

Looking forward to hearing back for suggestions.

 

Thank you,

Laura