Hi

Possible Causes

• This could be either a MAB or 802.1X authentication issue.

• The authorization profile could be missing the Cisco av-pair=”device-traffic-class=voice” attribute. As a result, the switch does not recognize the traffic on the voice VLAN.

• The administrator did not add the endpoint as static identity, or did not allow an unregistered endpoint to pass. create a policy rule to (“Continue/Continue/Continue” upon failure).

Resolution

• Verify that the Authorization Policy is framed properly for groups and conditions, and check to see whether the IP phone is profiled as an “IP phone”or as a “Cisco-device.”

• Verify the switch port configuration for multidomain and voice VLAN configuration.

• Add the continue/continue/continue to allow the endpoint to pass:

Choose Policy > Policy Elements > Results > Authentication > Allowed

Protocols to create a Protocol Policy. MAC authentications use PAP/ASCII and EAP-MD5 protocols. Enable the following MAB Protocols settings:

– Process Host Lookup

– PAP/ASCII

– Detect PAP as Host Lookup

– EAP-MD5

– Detect EAP-MD5 as Host Lookup

• From the main menu, choose Policy > Authentication.

• Change the authentication method from Simple to Rule-Based

• Use the action icon to create new Authentication Method entries for MAB:

– Name: MAB

– Condition: IF MAB RADIUS:Service-Type == Call Check

– Protocols: allow protocols MAB_Protocols and use

– Identity Source: Internal

– Hosts: Continue/Continue/Continue

Please refer to the discussion below

https://supportforums.cisco.com/thread/2188052

Troubleshooting Steps:

1. Choose Monitor > Authentications.

2. Scroll over and look for the "Failure reason."

Please Look for the details of the failed authentication record and click on the failure reason link under

Details > Resolution for the Authentication. The failure reason should be listed.

Correct the failure reason per the findings that are defined in the Possible Causes.

Check the Cisco ISE dashboard (Monitor > Authentications)  for any indication regarding the nature of RADIUS communication loss.  (Look for instances of your specified RADIUS usernames and scan the  system messages that are associated with any error message entries.)

Log into the Cisco ISE CLI and enter the following command to produce RADIUS attribute output that may aid in debugging connection issues:

test aaa group radius new-code

If this test command is successful, you should see the following attributes:

•Connect port

•Connect NAD IP address

•Connect Policy Service ISE node IP address

•Correct server key

•Recognized username or password

•Connectivity between the NAD and Policy Service ISE node

You can also use this command to help narrow the focus of the potential  problem with RADIUS communication by deliberately specifying incorrect  parameter values in the command line and then returning to the  administrator dashboard (Monitor > Authentications)  to view the type and frequency of error message entries that result  from the incorrect command line. For example, to test whether or not  user credentials may be the source of the problem, enter a username and  or password that you know is incorrect, and then go look for error message entries that are pertinent to that username in the Monitor > Authentications page to see what Cisco ISE is reporting.)

Note This  command does not validate whether or not the NAD is configured to use  RADIUS, nor does it verify whether the NAD is configured to use the new  AAA model.

Paulo,

Can you tell us more about the policies? Are you doing machine authentication and does your authentication policy for user authentication also include a condition for machine authentication? If you can provide some screenshots of your authorization policies along with the authentication report, that will help troubleshoot your issue much faster.

Thanks,

Tarik Admani
*Please rate helpful posts*

Hello everyone!

Thank you so much fore your help and attention!

But before changing any policy statement. I preffer try to find a solution/workaround in client machine side.

I've been doing some tests on the LAB environment, and I think that I find out the way to solve the problem.

I'm going to do more consistent tests in production inviroment.

The solution consists in the machine dot1x suplicant side (seet attachement - sorry my windows is in Portuguese).

.