Solved: New internal CA - issues with dot1x auth

Michael Bartholomæussen · ‎06-10-2020

Hi All,

We just setup a new internal PKI, so we need to test dot1x on wireless and wired on the new certificate.

Testing has shown that some clients with a new cert is authentication properly, no error in RADIUS logs.

Other clients present the new certificate with different errors

- auth is OK, connects to the network but is limited to the wireless subnet?

- log step 15013 "Selected identity source", returns "empty"?

- client lookup is OK, but step 24352 "Identity resolution failed" returns "ERROR_NO_SUCH_USER"?

I'm sure the they are mostly related, but step 15013 concerns me the most.

Prior to testing, I've added the new CA cert to ISE, under "trusted certificates". Not sure it was required, but mostly old habit from other dot1x installations, well knowing that ISE syncs AD information.

Policies and such, I havn't touched.

Kind regards,

Michael

poongarg · ‎06-10-2020

If you are using the ID store sequence and selected identity source is empty in the live logs, it means ISE is not able to find the user in any Identity store in the sequence.
What is the software version of ISE and can you please attach the authentication detailed report of the endpoint.

View solution in original post

poongarg · ‎06-10-2020

If you are using the ID store sequence and selected identity source is empty in the live logs, it means ISE is not able to find the user in any Identity store in the sequence.
What is the software version of ISE and can you please attach the authentication detailed report of the endpoint.