04-22-2019 09:54 AM
Hello,
Requesting help to troubleshoot the authentication failure error messages below, seen for wireless guest users.
Event 5400 Authentication failed
Failure Reason 22040 Wrong password or invalid shared secret
ISE and WLC shared secret is correct.
Guest user is correctly entering the username and password.
The authentication failure is happening only for the Officer and Employee guest types. It is not happening for the Bronze User and Guest User guest types.
Steps:
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11027 Detected Host Lookup UseCase (Service-Type = Call Check (10))
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15041 Evaluating Identity Policy
15048 Queried PIP - Radius.NAS-Port-Type
15048 Queried PIP - Radius.Service-Type
15013 Selected Identity Source - Internal Endpoints
24209 Looking up Endpoint in Internal Endpoints IDStore - <mac add>
24211 Found Endpoint in Internal Endpoints IDStore
22040 Wrong password or invalid shared secret
22057 The advanced option that is configured for a failed authentication request is used
22061 The 'Reject' advanced option is configured in case of a failed authentication request
11003 Returned RADIUS Access-Reject
Attaching policy set rules and authorization logs from a working client.
Any help is much appreciated.
Regards,
Girish
04-23-2019 12:27 PM
I would recommend using Smart Conditions that are built into ISE when creating Wireless MAB policy sets. Make that the first step.
Allowed Protocols should only have the first checkbox ticked (hosts). Not PAP etc - in your screenshots it shows that a PAP request came in. If you use Allowed Protocols correctly then it will catch this type of thing early on.
The authentication rule will be simple then. Use default “internal endpoints” and set to Continue if user not found.
Authorisation should then make tests about which identity group the user belongs to, etc.
12-14-2019 09:07 AM
Just to close this thread with the solution,
We made the following changes to solve this issue:
ISE Version : 2.4.0.357
WLC Version: 8.5.135.0