
RADIUS authentication failure events not present in ISE logs

mikeyasg
Level 1

When an endpoint tries to authenticate with ISE it fails. But the logs for this authentication failure event are not present in ISE live log or Reports. Is there any solution for this?

1 Accepted Solution

Do you mean ISE shutdown/restart or endpoint shutdown/restart?

If it's the endpoint, then perhaps the supplicant is not configured correctly. Need more details on whether you're trying to do Computer or User auth (or both).

Not seeing Live Logs in ISE could be an indication of a broken ISE system. Ensure that all Secondary ISE nodes are in Sync with the Primary Admin node. If in doubt, restart the ISE node that is operating as the Primary Monitoring persona.

mikeyasg
Level 1

When an endpoint tries to authenticate with ISE after a restart or a shutdown, it fails. The first time, the endpoint authenticates successfully, but after a restart it starts to fail and we have to disable and enable the network adapter again for it to work. Any help on this, please; I have been struggling with it for over 2 weeks now.

Is your network device properly configured to send RADIUS logs to your ISE server? Can you see logs from other endpoints? Can you see logs coming in from the particular switch that this endpoint is connected to?

My first thought is that there is a misconfiguration somewhere, whether it's your AAA config on the switch or the NAD config from Administration > Network Resources > Network Devices. Please verify those settings are in place and correct.

Thank You Arnie Bier.

One of the nodes was out of sync and it was the primary monitoring persona. Will do as you suggested. The shutdown is on the endpoints, and we have configured the supplicant with PEAP and MSCHAPv2. Authentication mode is set to user or computer authentication. It is set up to prompt the user for credentials to authenticate to ISE, but each time the endpoint restarts, authentication will not take place, so we disable and enable the Ethernet network adapter again and then it will authenticate. We use an AD server as an identity source.

thomas
Cisco Employee

Provide the necessary detail to troubleshoot as explained in How to Ask The Community for Help.

Otherwise, call TAC and they will go back and forth with you to get the necessary details for troubleshooting.

The configuration on the switch:

aaa new-model
aaa group server radius RADIUS_GROUP
aaa authentication dot1x default group RADIUS_GROUP
aaa authorization network default group RADIUS_GROUP
aaa authorization auth-proxy default group RADIUS_GROUP
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group RADIUS_GROUP
aaa server radius dynamic-author
aaa session-id common

I have run the test command
test aaa group RADIUS_GROUP testuser test password new-model

and it returns User successfully authenticated.

For successful authentications I can find a live log, but for unsuccessful authentications there is no log.

I have also run a TCP dump on the ISE node and there is RADIUS traffic going in and out of the node. I attached a screenshot.

We also have two ISE nodes, one primary Admin and one primary Monitor. The PSN is active on both nodes. There was an out-of-sync problem with the two nodes recently. Can that be the problem for the logs not being visible?
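
A capture like the one mentioned above can show whether each failing endpoint gets an Access-Reject or no reply at all, by pairing RADIUS requests with replies per endpoint. This is an added example, not part of the thread: it assumes the UDP payloads were already extracted from the capture, and `outcomes`, `build` and the sample packets are constructed for illustration.

```python
import struct
from collections import Counter

# RADIUS codes and the Calling-Station-Id attribute type, per RFC 2865.
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
CALLING_STATION_ID = 31

def parse_radius(payload):
    """Parse one RADIUS packet into (code, identifier, {attr_type: value})."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        raise ValueError("Length field does not match the payload")
    attrs, pos = {}, 20  # attributes start after the 16-byte Authenticator
    while pos + 2 <= length:
        a_type, a_len = payload[pos], payload[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(a_type, payload[pos + 2:pos + a_len])
        pos += a_len
    return code, ident, attrs

def outcomes(packets):
    """packets: (nad_ip, udp_payload) in capture order -> {endpoint MAC: Counter of replies}."""
    pending, result = {}, {}
    for nad, payload in packets:
        code, ident, attrs = parse_radius(payload)
        if code == 1:  # remember which endpoint this identifier belongs to
            mac = attrs.get(CALLING_STATION_ID, b"unknown").decode(errors="replace")
            pending[(nad, ident)] = mac
        elif (nad, ident) in pending:  # a reply echoes the request's identifier
            mac = pending.pop((nad, ident))
            result.setdefault(mac, Counter())[CODES.get(code, str(code))] += 1
    for mac in pending.values():  # requests that never got an answer
        result.setdefault(mac, Counter())["no-reply"] += 1
    return result

def build(code, ident, attrs=()):
    # Helper for the constructed sample only; the Authenticator is zeroed.
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

# Constructed sample: one NAD (documentation address), three endpoints.
SAMPLE = [("192.0.2.10", build(c, i, [(31, m)] if m else [])) for c, i, m in [
    (1, 10, b"AA-BB-CC-00-00-01"), (11, 10, b""),
    (1, 11, b"AA-BB-CC-00-00-01"), (2, 11, b""),
    (1, 12, b"AA-BB-CC-00-00-02"), (3, 12, b""),
    (1, 13, b"AA-BB-CC-00-00-03")]]
```

An endpoint that shows `Access-Reject` in this tally but has no failure entry in Live Logs points at the logging path; one that shows only `no-reply` points at the request not being answered.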
