cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

2293
Views
0
Helpful
2
Replies
McUK1939
Beginner

ISE - BYOD Authentication Issue - username populating as 'USERNAME' after registration

Hi there, I have encountered a very strange problem with ISE over the last couple of weeks.

 

We are currently running ISE as our BYOD solution with AD auth as credentials for users. The current version we are running (a 2.4 install) has been running like a dream for the last couple of years we have had it.

 

A small handful of users (7-8, all range of devices) seem to be having issues connecting to WiFi after registering their devices with ISE through our registration portal. Once devices are registered, and they then attempt to connect to WiFi SSID to gain access, their credentials are being rejected.

 

Having looked through the ISE logs, I can see at the very last step, the devices are being rejected connection with the error message '12322 PEAP failed SSL/TLS handshake after a client alert'. I notice that credentials registered by the user changes to 'USERNAME' (all caps) automatically in ISE, which seems to be stopping users from authenticating using their AD credentials.

 

Very strange, as we have only seen this problem crop up in the last couple of weeks after almost 2 years of running ISE with no issues.

 

Any ideas as to what might be causing this would be greatly appreciated :)

 

 

2 ACCEPTED SOLUTIONS

Accepted Solutions
Greg Gibbs
Cisco Employee

The credential showing 'USERNAME' is likely a result of the default disabled setting for 'Disclose invalid usernames' in the Administration > System > Settings > Protocols > RADIUS page. This is a result of the username not being found in the respective identity store.

Screen Shot 2020-06-25 at 1.43.20 pm.png

 

Enabling the setting will show the true credential in the log, but this would not be the root cause of the failure. You would need to investigate further to find the root cause (try an AD lookup using the Test User tool, check certificate trust on the client side, check certificate expiry, etc).

View solution in original post

Craig Sawyer
Beginner

We had a similar issue with Android, we resolved it by modifying the clients. When adding the network (Settings app, select Network & Internet, then select Wi-Fi.) under "CA certificate" select "Use system certificates" then type your domain.

View solution in original post

2 REPLIES 2
Greg Gibbs
Cisco Employee

The credential showing 'USERNAME' is likely a result of the default disabled setting for 'Disclose invalid usernames' in the Administration > System > Settings > Protocols > RADIUS page. This is a result of the username not being found in the respective identity store.

Screen Shot 2020-06-25 at 1.43.20 pm.png

 

Enabling the setting will show the true credential in the log, but this would not be the root cause of the failure. You would need to investigate further to find the root cause (try an AD lookup using the Test User tool, check certificate trust on the client side, check certificate expiry, etc).

View solution in original post

Craig Sawyer
Beginner

We had a similar issue with Android, we resolved it by modifying the clients. When adding the network (Settings app, select Network & Internet, then select Wi-Fi.) under "CA certificate" select "Use system certificates" then type your domain.

View solution in original post

Create
Recognize Your Peers
Content for Community-Ad

ISE Webinars



Did you miss a previous ISE webinar?

CiscoISE YouTube Channel