Solved: Problem with authentication and authorisation on Cisco ISE

ilya0693@yandex.ru · ‎03-05-2018

I can't connect to a Wi-Fi network. For authentication and authorization used Cisco ISE v2.2. Access points are managed by the WLC 5760. When device is connected to the network, the device issues Authentication problem. Log WLC 5760 are here:

Mar 5 19:33:24.695: %PARSER-5-CFGLOG_LOGGEDCMD: User:vg logged command:shell processing

Mar 5 19:33:25.223: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Processing assoc-req station: 7423.4497.7706 AP: 84b8.02c0.9050 -00 thread:-110073160

Mar 5 19:33:25.223: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Association received from mobile on AP 84b8.02c0.9050

Mar 5 19:33:25.223: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 qos upstream policy is In_Client_LME_Guest and downstream policy is Eg_Client_LME_Guest

Mar 5 19:33:25.223: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 apChanged 0 wlanChanged 1 mscb ipAddr 192.168.111.151, apf RadiusOverride 0x0, numIPv6Addr=0

Mar 5 19:33:25.223: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Applying WLAN policy on MSCB.

Mar 5 19:33:25.223: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Disconnect client immediately due to WLANswitch from 3(LME_Guest) to 10(LME_Employee)

Mar 5 19:33:25.223: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Clean up Mscb after WLAN change

Mar 5 19:33:25.223: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Clear aaa attributes

Mar 5 19:33:25.223: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 dot1xapiCleanup Session Stop for dot1x/open client.iifid: 5095c0000f336e capwap id: 76f7000000005f old capwap id:76f7000000005f

Mar 5 19:33:25.223: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Clearing the audit session ID and AAA session id in MSCB

Mar 5 19:33:25.223: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Incrementing the Reassociation Count 1 for client (of interface VLAN311_LME_Guest)

Mar 5 19:33:25.223: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 MS got the IP, resetting the Reassociation Count 0 for client

Mar 5 19:33:25.223: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Clearing Address 192.168.111.151 on mobile

Mar 5 19:33:25.224: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 192.168.111.151 RUN (20) Skipping TMP rule add

Mar 5 19:33:25.224: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Change state to DHCP_REQD (7) last state RUN (20)

Mar 5 19:33:25.224: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB_CHANGE: Client 1 vlan 311 m_vlan 311 Radio iif id 0x4d2ec000000075 bssid iif id 0x66a380000000fe, bssid 84b8.02c0.9050

Mar 5 19:33:25.224: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB_AUTH: Adding opt82 len 0

Mar 5 19:33:25.224: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB_CHANGE: Suppressing SPI (client pending deletion) pemstate 7 state LEARN_IP(2) vlan 311 client_id 0x5095c0000f336e mob=Local(1) ackflag 2 dropd 0, delete 1

Mar 5 19:33:25.224: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 0.0.0.0 DHCP_REQD (7) pemAdvanceState2: MOBILITY-INCOMPLETE with state 7.

Mar 5 19:33:25.225: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Complete to Mobility-Incomplete

Mar 5 19:33:25.225: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 0.0.0.0 DHCP_REQD (7) Reached FAILURE: from line 4334

Mar 5 19:33:25.225: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Reason code 1, Preset 1, AAA cause 1

Mar 5 19:33:25.225: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Scheduling deletion of Mobile Station: (callerId: 9) in 10 seconds

Mar 5 19:33:25.225: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Cannot delete client entry, IP address is 0

Mar 5 19:33:25.225: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 0.0.0.0 DHCP_REQD (7) Deleted mobile LWAPP rule on AP [ 84b8.02c0.9050 ]

Mar 5 19:33:25.225: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Cannot delete client entry, IP address is 0

Mar 5 19:33:25.226: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Incrementing the Reassociation Count 1 for client (of interface VLAN311_LME_Guest)

Mar 5 19:33:25.226: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Clearing Dhcp state for station ---

Mar 5 19:33:25.226: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Sending SPI spi_epm_terminate_feature successfullifid: 5095c0000f336e capwap id: 76f7000000005f

Mar 5 19:33:25.226: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Deleting wireless client; Reason code 1, Preset 1, AAA cause 1

Mar 5 19:33:25.226: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB_DEL: Successfully sent

Mar 5 19:33:25.227: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Challenge Fail, already scheduled for deletion

Mar 5 19:33:25.227: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 0.0.0.0 DHCP_REQD (7) Handling pemDelScb Event skipping delete

Mar 5 19:33:25.240: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB SPI response msg handler client code 1 mob state 1

Mar 5 19:33:25.240: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 apfProcessWcdbClientDelete: Delete ACK from WCDB.

Mar 5 19:33:25.240: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB_DELACK: wcdbAckRecvdFlag updated

Mar 5 19:33:25.240: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB_DELACK: Client IIF Id dealloc SUCCESS w/ 0x5095c0000f336e.

Mar 5 19:33:25.240: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Invoked platform delete and cleared handle

Mar 5 19:33:25.240: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Deleting mobile on AP 84b8.02c0.9050 (0)

Mar 5 19:33:25.240: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Calling SM stop unconditionally for dot1x/open ifid: 0 capwap id: 76f7000000005f old capwap id:76f7000000005f

Mar 5 19:33:25.240: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Unlinked and freed mscb

Mar 5 19:33:25.721: %AUTHMGR-4-UNAUTH_MOVE: (slow) MAC address (3084.5437.e218) from Ca60 to Ca2

Mar 5 19:33:25.753: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Processing assoc-req station: 7423.4497.7706 AP: 84b8.02c0.9050 -00 thread:-110073160

Mar 5 19:33:25.753: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Adding mobile on LWAPP AP 84b8.02c0.9050 (0)

Mar 5 19:33:25.753: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Creating WL station entry for client - rc 0

Mar 5 19:33:25.753: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Association received from mobile on AP 84b8.02c0.9050

Mar 5 19:33:25.753: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 apChanged 0 wlanChanged 0 mscb ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0

Mar 5 19:33:25.753: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Applying WLAN policy on MSCB.

Mar 5 19:33:25.753: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Applying WLAN ACL policies to client

Mar 5 19:33:25.753: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 No Interface ACL used for Wireless client in WCM(NGWC)

Mar 5 19:33:25.753: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Applying site-specific IPv6 override for station 7423.4497.7706 - vapId 10, site 'default-group', interface 'VLAN311_LME_Guest'

Mar 5 19:33:25.754: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Applying local bridging Interface Policy for station 7423.4497.7706 - vlan 311, interface 'VLAN311_LME_Guest'

Mar 5 19:33:25.754: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 STA - rates (8): 2 4 11 22 12 18 24 36 0 0 0 0 0 0 0 0

Mar 5 19:33:25.754: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 STA - rates (12): 2 4 11 22 12 18 24 36 48 72 96 108 0 0 0 0

Mar 5 19:33:25.754: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Received 802.11i 802.1X key management suite, enabling dot1x Authentication

Mar 5 19:33:25.754: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 new capwap_wtp_iif_id 76f7000000005f, sm capwap_wtp_iif_id 0

Mar 5 19:33:25.754: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB_ADD: Radio IIFID 0x4d2ec000000075, BSSID IIF Id 0x57a500000f31b8, COS 4

Mar 5 19:33:25.754: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB_ADD: Anchor Sw 1, Doppler 1

Mar 5 19:33:25.754: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB_ALLOCATE: Client IIF Id alloc SUCCESS w/ client 738540000f33e1 (state 0).

Mar 5 19:33:25.755: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 iifid Clearing Ack flag

Mar 5 19:33:25.755: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB_ADD: Platform ID allocated successfully ID:3819

Mar 5 19:33:25.755: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB_ADD: Adding opt82 len 0

Mar 5 19:33:25.755: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB_ADD: Cleaering Ack flag

Mar 5 19:33:25.755: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB_ADD: ssid LME_Employee bssid 84b8.02c0.9050 vlan 311 auth=ASSOCIATION(0) wlan(ap-group/global) 10/10 client 0 assoc 74 mob=Unassoc(0) radio 0

Mar 5 19:33:25.755: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 m_vlan 311 ip 0.0.0.0 src 0x76f7000000005f dst 0x0 cid 0x738540000f33e1 glob rsc id 3819 dhcpsrv 192.168.96.1 type 0 IPSG off

Mar 5 19:33:25.756: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB_ADD: mscb iifid 0x738540000f33e1 msinfo iifid 0x0

Mar 5 19:33:25.756: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 0.0.0.0 START (0) Initializing policy

Mar 5 19:33:25.756: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Change state to AUTHCHECK (2) last state START (0)

Mar 5 19:33:25.756: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Change state to 8021X_REQD (3) last state AUTHCHECK (2)

Mar 5 19:33:25.756: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 0.0.0.0 8021X_REQD (3) DHCP Not required on AP 84b8.02c0.9050 vapId 10 apVapId 10for this client

Mar 5 19:33:25.756: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Not Using WMM Compliance code qosCap 00

Mar 5 19:33:25.757: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 84b8.02c0.9050 vapId 10 apVapId 10

Mar 5 19:33:25.757: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 apfPemAddUser2 (apf_policy.c:204) Changing state for mobile 7423.4497.7706 on AP 84b8.02c0.9050 from Idle to Associated

Mar 5 19:33:25.757: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Stopping deletion of Mobile Station: (callerId: 48)

Mar 5 19:33:25.757: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Ms Timeout = 0, Session Timeout = 300

Mar 5 19:33:25.757: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Sending assoc-resp station: 7423.4497.7706 AP: 84b8.02c0.9050 -00 thread:-110073160

Mar 5 19:33:25.758: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Sending Assoc Response to station on BSSID 84b8.02c0.9050 (status 0) ApVapId 10 Slot 0

Mar 5 19:33:25.758: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 apfProcessAssocReq (apf_80211.c:6359) Changing state for mobile 7423.4497.7706 on AP 84b8.02c0.9050 from Associated to Associated

Mar 5 19:33:25.762: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Session start for dot1x/open client. iifid: 738540000f33e1 capwap id: 76f7000000005f old capwap id:0

Mar 5 19:33:25.915: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Not comparing because the ACLs have not been sent yet.

Mar 5 19:33:25.915: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Final flag values are, epmSendAcl 1, epmSendAclDone 0

Mar 5 19:33:25.915: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 client incoming attribute size are 670

Mar 5 19:33:25.922: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Session Update for dot1x/open client.iifid: 738540000f33e1 capwap id: 76f7000000005f old capwap id:76f7000000005f

paul46 · ‎03-05-2018

Hi Ilya

You need to provide more details

What kind of device are you authenticating? Is it 802.1x?

Post your ISE authentication and authorization policy?

Have you integrated wireless controller to ISE?

View solution in original post

paul46 · ‎03-05-2018

Hi Ilya

You need to provide more details

What kind of device are you authenticating? Is it 802.1x?

Post your ISE authentication and authorization policy?

Have you integrated wireless controller to ISE?

ilya0693@yandex.ru · ‎03-06-2018

1. What kind of device are you authenticating? Is it 802.1x?
I'm using Android device. Yes, it's 802.1x

2. Have you integrated wireless controller to ISE?

Yes. I'm integrated wireless controller to ISE. I'm configured the RADIUS SERVER, Server group and Method List. Created and setting WLAN. In the attachment screenshots with settings.
3. Post your ISE authentication and authorization policy?

Policy Authentication created in the following way:

Standart rule 1 : if Airespace:Airespace-Wlan-id EQUALS 10 Allow protocols: Default Network Access and
Default :Use Internal users

Policy Authorization created in the following way:

Standart rule 1 : if LME_Guest AND (Airespace:Airespace-Wlan-id EQUALS 10) then: PermitAccess

tell me please where to look for the problem? On ISE or WLC?

paul46 · ‎03-06-2018

Replace Airspace condition in your authentication policy to below

Standart rule 1 If Wireless_802.1X

you are using Default :Use Internal users as a store. Is your Android device corporate? does it have certificate? In that case, you need to create a Certificate Authentication Profile and change your Internal Users store to new one

ilya0693@yandex.ru · ‎03-07-2018

I replaced Airspace condition in authentication policy on the following (this authentication policy default):
Dot1x : if Wired_802.1x OR Wireless_802.1X Allow protocols: Default Network Access and
Default: Use All_User_ID_Stores

Policy Authorization:

Standart rule 1 : if LME_Guest AND (Wireless_802.1X AND Airespace:Airespace-Wlan-id EQUALS 10) then: PermitAccess

But my device is still not authenticated, and this applies not only to my device. Other devices also not authenticated.

1. Is your Android device corporate?
No, this is my personal device. Corporate devices also do not connect to Wi-Fi. Logs on ISE indicate that authentication is successful, however I do not connect to the Wi-Fi network, Authentication problem.
2. does it have certificate?

No, can I do without a certificate? I can connect to the network without using a certificate? On Daloradius we connected without using certificates.