07-14-2020 07:42 AM
From a packet capture on ISE, I can see the Meraki switch sends, in the RADIUS Access-Request packet, the machine name host/<machine-name> as the User-Name attribute, and the Calling-Station-Id matches the endpoint MAC address, but in ISE I see 2 logs:
1st log says:
Event 5405 RADIUS Request dropped
Failure Reason 24708 User not found in Active Directory. Some authentication domains were not available
because it thinks the username being passed is USERNAME.
2nd log says:
Event 5400 Authentication failed
Failure Reason 12953 Received EAP packet from the middle of conversation that contains a session on this PSN that does not exist
for the username called USERNAME
After that, it's just being denied because MAB authentication is denying the machine MAC address.
I don't see any ISE RADIUS logs where the username=host/<machine-name>, which is the one sent in the RADIUS Access-Request.
ISE is v2.6 Patch 6
07-14-2020 09:10 AM
- Check configuration guidelines from this document:
M.
07-14-2020 04:58 PM - edited 07-14-2020 04:58 PM
Also, you might want to check the option for "Disclose invalid usernames" in the Security Settings. Depending on the failure reason, enabling this setting could reveal the actual username that is being presented to ISE in the logs to aid in your troubleshooting.
07-15-2020 01:34 AM
That Security Setting "Disclose invalid usernames" does not appear to be in the UI. I am running v2.6 Patch 6.
07-15-2020 04:38 PM
The option is there in 2.6 p6. Maybe ensure you're logging in with Super Admin credentials.
Screenshot from 2.6 p6:
07-17-2020 01:15 AM
Aha! They have moved it! On ISE 2.4, that was under the RADIUS Settings. Thanks.