Solved: ISE 5200 authentication failed

palani2010 · ‎01-02-2025

As per ISE Logs, we do see username as USERNAME but user is not prompt for username and password while accessing in SSID

SSID with EAP-TLS configured. Why do we see this behaviour

Cisco ISE Version - 3.2

PSM · ‎01-02-2025

Hi @palani2010 Since it is EAP-TLS authentication it is supposed to use certificate and not username and password. Username is logs is derived from the certificate attributes. You can verify Certificate Authentication Profile setting (Administration >Identity Management > Certificate Authentication Profiles List ) to see what has been configured for ISE to use an identity. If you are using default Certificate Authentication Profile in your policy, default Profile has Subject- Common Name attribute as Identity.

It looks your certificates does not have value in the filed for the attributes selected in certificate authentication profile.

View solution in original post

MHM Cisco World · ‎01-02-2025

are you sure this EAP-TLS ?
also are you sure the Username contain HostName or Mac Address?

MHM

palani2010 · ‎01-02-2025

Yes it is EAP-TLS.

username showing as USERNAME.

PSM · ‎01-02-2025

Hi @palani2010 Since it is EAP-TLS authentication it is supposed to use certificate and not username and password. Username is logs is derived from the certificate attributes. You can verify Certificate Authentication Profile setting (Administration >Identity Management > Certificate Authentication Profiles List ) to see what has been configured for ISE to use an identity. If you are using default Certificate Authentication Profile in your policy, default Profile has Subject- Common Name attribute as Identity.

It looks your certificates does not have value in the filed for the attributes selected in certificate authentication profile.