cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

401
Views
15
Helpful
3
Replies
Highlighted
Beginner

ISE 2.6 RADIUS Live Log Display Issue

hello gentlemen, I appreciate your assist and time, please I need your help 

I think I have a bug/issue in ISE 2.6

The Live Logs are not displaying the system name of the remote device,  The first screenshots  2.4 ISE node show two records for 802.1x authentications.  The Identity field is filled with the system name.

Screenshot (71).png

the second screenshot for 2.6 ISE the identity field filled but not with the system name. 

 

Screenshot (72).png

Thanks in advance

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

As I suspected, your clients using 2.4 are authenticating using EAP-Chaining (EAP-FAST) which allows ISE to see both the machine and user credentials together.  With VPN and PAP, there is no way to do that since you are only authenticating the user.  Even if you were to authenticate the machine and user on VPN, there is no way for both of those pieces of information to be tied together in the same authentication request.

View solution in original post

3 REPLIES 3
Highlighted
Collaborator

Looks like your 2.4 system and clients are using EAP-Chaining and your 2.6 system and clients are not.  Compare the details between two successful authentications and walk through on the right side of the details step by step to see what is different.  Are these the same clients using both systems?

Highlighted
Beginner

thank you Colby for your time and response, 

actually, NO, not the same clients, 2.4 system clients are using :

Authentication ProtocolEAP-FAST (EAP-MSCHAPv2)
Authentication Methoddot1x

and accessing the network by wired method at the same network,

but for 2.6 system clients, they are remote users (VPN users) and using :

Authentication MethodPAP_ASCII
Authentication ProtocolPAP_ASCII

 

Is there any configuration needed for the posture to push to get the system name? I appreciate your time to help 

thanks in advance  

Highlighted

As I suspected, your clients using 2.4 are authenticating using EAP-Chaining (EAP-FAST) which allows ISE to see both the machine and user credentials together.  With VPN and PAP, there is no way to do that since you are only authenticating the user.  Even if you were to authenticate the machine and user on VPN, there is no way for both of those pieces of information to be tied together in the same authentication request.

View solution in original post