Re: Wired dot1x failing from meraki switches with username USERNAME

rcullum · ‎07-14-2020

From packet capture on ISE, I can see meraki switch sends in the radius packet access-request the machine name host/<machine-name>as User-Name attribute and calling-station-id matches the endpoint mac address but in ISE I see 2 logs:

1st log says:

Event 5405 RADIUS Request dropped
Failure Reason 24708 User not found in Active Directory. Some authentication domains were not
available

because it thinks the username being passed is USERNAME.

2nd log says:

Event 5400 Authentication failed
Failure Reason 12953 Received EAP packet from the middle of conversation that contains a
session on this PSN that does not exist

for the username called USERNAME

After that, it's just being denied because MAB authentication is denying the machine mac address.

I don't see any ISE radius logs where the username=host/<machine-name> which is the one sent in the radius access-request.

ISE is v2.6 Patch 6

marce1000 · ‎07-14-2020

- Check configuration guidelines from this document :

https://community.cisco.com/t5/security-documents/how-to-integrate-meraki-networks-with-ise/ta-p/3618650

M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Greg Gibbs · ‎07-14-2020

Also, you might want to check the option for "Disclose invalid usernames" in the Security Settings. Depending on the failure reason, enabling this setting could reveal the actual username that is being presented to ISE in the logs to aid in your troubleshooting.

rcullum · ‎07-15-2020

That Security Setting "Disclose invalid usernames" does not appear to be in the UI. I am running v2.6 Patch 6

Greg Gibbs · ‎07-15-2020

The option is there in 2.6 p6. Maybe ensure you're logging in with Super Admin credentials.

Screenshot from 2.6 p6:

rcullum · ‎07-17-2020

Aha! They have moved it! On ISE 2.4, that was under the RADIUS Settings. Thanks.