New internal CA - issues with dot1x auth

Hi All,

We just set up a new internal PKI, so we need to test dot1x on wireless and wired on the new certificate.

Testing has shown that some clients with a new cert are authenticating properly, no error in RADIUS logs.

Other clients present the new certificate with different errors

- auth is OK, connects to the network but is limited to the wireless subnet?

- log step 15013 "Selected identity source", returns "empty"?

- client lookup is OK, but step 24352 "Identity resolution failed" returns "ERROR_NO_SUCH_USER"?

I'm sure they are mostly related, but step 15013 concerns me the most.

Prior to testing, I've added the new CA cert to ISE, under "trusted certificates". Not sure it was required, but mostly old habit from other dot1x installations, well knowing that ISE syncs AD information.

Policies and such, I haven't touched.

Kind regards,

Michael

Accepted Solutions
Cisco Employee

If you are using the ID store sequence and selected identity source is empty in the live logs, it means ISE is not able to find the user in any Identity store in the sequence.
What is the software version of ISE, and can you please attach the authentication detailed report of the endpoint?
