06-24-2020 01:39 AM
Hi there, I have encountered a very strange problem with ISE over the last couple of weeks.
We are currently running ISE as our BYOD solution with AD auth as credentials for users. The current version we are running (a 2.4 install) has been running like a dream for the last couple of years we have had it.
A small handful of users (7-8, all range of devices) seem to be having issues connecting to WiFi after registering their devices with ISE through our registration portal. Once devices are registered, and they then attempt to connect to WiFi SSID to gain access, their credentials are being rejected.
Having looked through the ISE logs, I can see that at the very last step, the devices are being rejected with the error message '12322 PEAP failed SSL/TLS handshake after a client alert'. I notice that the credentials registered by the user change to 'USERNAME' (all caps) automatically in ISE, which seems to be stopping users from authenticating using their AD credentials.
Very strange, as we have only seen this problem crop up in the last couple of weeks after almost 2 years of running ISE with no issues.
Any ideas as to what might be causing this would be greatly appreciated :)
06-24-2020 08:50 PM
The credential showing 'USERNAME' is likely a result of the default disabled setting for 'Disclose invalid usernames' in the Administration > System > Settings > Protocols > RADIUS page. This is a result of the username not being found in the respective identity store.
Enabling the setting will show the true credential in the log, but this would not be the root cause of the failure. You would need to investigate further to find the root cause (try an AD lookup using the Test User tool, check certificate trust on the client side, check certificate expiry, etc).
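A small triage helper, added here as an example (not code from the thread or from Cisco), showing how the two signals this answer describes should be read separately: it parses constructed, simplified ISE-style authentication records (the real ISE log format differs) and flags the masked 'USERNAME' value (identity lookup failed while 'Disclose invalid usernames' is disabled) independently from the 12322 client TLS alert, attaching the follow-up checks the answer lists. The key=value field names and the records are assumptions for this example.

```python
import re
from collections import Counter

# Constructed, simplified ISE-style RADIUS authentication records (key=value pairs).
# Real ISE exports use a different layout; only the field names matter here.
SAMPLE_RECORDS = [
    "Timestamp=2020-06-24T01:10:02 UserName=USERNAME CallingStationID=aa:bb:cc:dd:ee:01 "
    "AuthenticationMethod=PEAP(EAP-MSCHAPv2) "
    "FailureReason=12322 PEAP failed SSL/TLS handshake after a client alert",
    "Timestamp=2020-06-24T01:11:17 UserName=jdoe CallingStationID=aa:bb:cc:dd:ee:02 "
    "AuthenticationMethod=PEAP(EAP-MSCHAPv2) FailureReason=",
    "Timestamp=2020-06-24T01:12:40 UserName=USERNAME CallingStationID=aa:bb:cc:dd:ee:03 "
    "AuthenticationMethod=PEAP(EAP-MSCHAPv2) "
    "FailureReason=12322 PEAP failed SSL/TLS handshake after a client alert",
]

# Next steps per finding, taken from the answer above.
NEXT_STEPS = {
    "identity_not_found": "Enable 'Disclose invalid usernames' (Administration > System > "
                          "Settings > Protocols > RADIUS) to see the real name, then run "
                          "the AD Test User lookup for it.",
    "client_tls_alert": "Client rejected the ISE EAP server certificate: check trust of "
                        "the issuing CA on the device and the certificate expiry.",
    "success": "No action.",
}

# A value runs until the next ' key=' token or end of line, so reason text may contain spaces.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_record(line):
    """Turn one key=value record into a dict."""
    return dict(FIELD_RE.findall(line))


def triage(line):
    """Classify one record; the two findings are independent and may both apply."""
    rec = parse_record(line)
    findings = []
    if rec.get("UserName") == "USERNAME":
        findings.append("identity_not_found")  # masked, not a literal username
    reason = rec.get("FailureReason", "")
    if reason.startswith("12322"):
        findings.append("client_tls_alert")
    if not reason:
        findings.append("success")
    return {"mac": rec.get("CallingStationID"), "findings": findings,
            "next_steps": [NEXT_STEPS[f] for f in findings]}


def summarize(lines):
    """Count findings across records, e.g. to see how many clients hit the TLS alert."""
    return Counter(f for line in lines for f in triage(line)["findings"])
```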
03-01-2021 12:14 PM
We had a similar issue with Android; we resolved it by modifying the clients. When adding the network (Settings app, select Network & Internet, then select Wi-Fi), under "CA certificate" select "Use system certificates", then type your domain.