Cisco ISE using default policy

Tutu (Level 1)

Hello

I have implemented some policies on Cisco ISE but it is using default policies instead of the ones i configured.

Can i please get help on it.

I have attached the the image below

[Attachment: cisco ise.png]

Accepted Solution

So if the PC is not part of the domain then it is using Wired MAB; if it hits the default policy, it should just match the "Basic_Authenticated_Access" authorisation rule without you having to add the MAC address to the Endpoint database.

Have you modified the default policies?

The username is hidden; select the disclose invalid username option as per the screenshot below.

[Attachment: username.PNG]


Replies

Hi @Tutu 

In the authentication policy you should be more specific and specify which protocol to use, such as MSCHAPv2, EAP-FAST or EAP-TLS, rather than just 802.1X or MAB, as 802.1X could apply to EAP-FAST, EAP-TLS or MSCHAPv2 and each may need a different ID store.

 

HTH

Tutu (Level 1)

Hello,

You mean under the wired policy that I have created?

I'm new to this so I'm not sure where I need to change it.

Thanks,


It's common to specify multiple Policy Sets, e.g. one for 802.1X and another for MAB.

The example below is just for 802.1X, using the protocol as the condition.

[Attachment: 802.1x.PNG]

In your scenario, is the NAD (the switch) you are testing with a member of the NAD Group "Switches" that you are using as a condition for your policy set? If not, then the policy above will not apply and the user will match the default policy.

Please provide a screenshot of your authentication log when it hits default.
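To make the first-match behaviour described in this reply concrete, here is an added example (not from this thread and not Cisco ISE code) in Python that models how ISE picks a policy set and then an authentication rule: policy sets are tried top to bottom, the first whose condition holds wins, and a request that matches none lands in the built-in Default set. The names "Wired", "TCRA Dot1x" and "TCRA-AD" are the ones used in this thread and the attribute names follow the posted log ("DEVICE.Device Type", "Normalised Radius.RadiusFlowType"); the EAP-TLS rule, the MAB rule, the certificate profile, the identity-store names and the three sample requests are assumptions made for the model.

```python
# Added example for this thread (not Cisco ISE code): a small first-match
# model of ISE policy set and authentication rule selection. Names from the
# thread: "Wired", "TCRA Dot1x", "TCRA-AD". The MAB and EAP-TLS rules, the
# store names and the value strings are assumptions made for the model.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Request = Dict[str, str]
Condition = Callable[[Request], bool]


def equals(attr: str, value: str) -> Condition:
    """Condition 'attr EQUALS value'; a missing attribute never matches."""
    return lambda req: req.get(attr) == value


def all_of(*conds: Condition) -> Condition:
    return lambda req: all(c(req) for c in conds)


@dataclass
class Rule:
    name: str
    condition: Condition
    identity_store: str


@dataclass
class PolicySet:
    name: str
    condition: Condition
    auth_rules: List[Rule]
    default_store: str  # store used by the set's own "Default" auth rule


WIRED = PolicySet(
    name="Wired",
    # the set condition the poster ended up with: device type, not NAD group "Switches"
    condition=equals("DEVICE.Device Type", "All Device Types#Wired"),
    auth_rules=[
        # one rule per EAP method, so each goes to the right identity store
        Rule("TCRA Dot1x EAP-TLS",
             all_of(equals("Normalised Radius.RadiusFlowType", "Wired802_1x"),
                    equals("Network Access.EapAuthentication", "EAP-TLS")),
             "Cert_Profile"),            # assumed certificate authentication profile
        Rule("TCRA Dot1x",
             all_of(equals("Normalised Radius.RadiusFlowType", "Wired802_1x"),
                    equals("Network Access.EapAuthentication", "EAP-MSCHAPv2")),
             "TCRA-AD"),
        Rule("TCRA MAB",
             equals("Normalised Radius.RadiusFlowType", "WiredMAB"),
             "Internal Endpoints"),
    ],
    default_store="All_User_ID_Stores",
)
# Built-in Default set: always matches, always evaluated last.
DEFAULT = PolicySet("Default", lambda req: True, [], default_store="All_User_ID_Stores")
POLICY_SETS = [WIRED]


def select_policy(request: Request, policy_sets=POLICY_SETS,
                  default=DEFAULT) -> Tuple[str, str, str]:
    """Return (policy set, authentication rule, identity store) for one request."""
    chosen = next((ps for ps in policy_sets if ps.condition(request)), default)
    for rule in chosen.auth_rules:
        if rule.condition(request):
            return chosen.name, rule.name, rule.identity_store
    return chosen.name, "Default", chosen.default_store


# Constructed requests. The first mirrors the rejected PEAP session in the thread.
PEAP_FROM_WIRED_SWITCH = {
    "DEVICE.Device Type": "All Device Types#Wired",
    "Normalised Radius.RadiusFlowType": "Wired802_1x",
    "Network Access.EapAuthentication": "EAP-MSCHAPv2",
}
# Same switch, but still in the plain "All Device Types" group: NAD group mismatch.
PEAP_FROM_UNGROUPED_SWITCH = {**PEAP_FROM_WIRED_SWITCH,
                              "DEVICE.Device Type": "All Device Types"}
TLS_FROM_WIRED_SWITCH = {**PEAP_FROM_WIRED_SWITCH,
                         "Network Access.EapAuthentication": "EAP-TLS"}
MAB_FROM_WIRED_SWITCH = {
    "DEVICE.Device Type": "All Device Types#Wired",
    "Normalised Radius.RadiusFlowType": "WiredMAB",
}

if __name__ == "__main__":
    for label, req in [("PEAP, grouped NAD", PEAP_FROM_WIRED_SWITCH),
                       ("PEAP, ungrouped NAD", PEAP_FROM_UNGROUPED_SWITCH),
                       ("EAP-TLS, grouped NAD", TLS_FROM_WIRED_SWITCH),
                       ("MAB, grouped NAD", MAB_FROM_WIRED_SWITCH)]:
        print(f"{label:22} -> {select_policy(req)}")
```

The second request, from a switch that is still in the plain "All Device Types" group, falls to Default even though the PC is doing 802.1X: it is the policy set condition, not the authentication rule, that failed. Splitting the 802.1X rule on Network Access.EapAuthentication is how the one-rule-per-protocol advice above maps onto this model.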

Hi Rob,

Yes, my device is part of the NAD Group. I have changed it back to All Device Types#Wired, instead of Switches.

Please see the attached screenshot of the logs with the authentication set to default.

For testing purposes, I have added the MAC address of a Windows 10 PC (not part of the domain) on Cisco ISE, and when I connect it to the switch the authentication fails but he can still access the network. Yet I see no hits on wired policies. And when I check the RADIUS logs I do not see information regarding the PC, although under Endpoints the PC username was displaying whereas before there was no such information.

[Attachments: iseradiuslogs.png, radiuslogfor radius test.png]

Okay, thank you, I will try that out. What is the radius-test under identity? Why is it trying to authenticate against it?

Hi Rob,

This is the policy that I have set now. I deleted the endpoint and tried connecting again. This is the result I am getting now.

He is still able to access the network so I'm not sure what is going on, even though the authentication is failing.

[Attachments: innowiredauth.png, newtcrapolicyimage1.png]

Does the client computer trust the certificate presented by ISE?

The probable reason he can still access the network is that the switchport interface is configured in "open" mode?

This is my switch port config.

Yes, I configured open mode.

Let me remove it and try again.

interface GigabitEthernet1/0/10
switchport access vlan 105
switchport mode access
switchport voice vlan 301
ip device tracking maximum 65535
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
storm-control broadcast level 25.00
storm-control multicast level 25.00
storm-control unicast level 25.00
spanning-tree portfast edge
!
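As an added example (not from this thread and not Cisco code), the following Python check reads the switchport configuration posted above and explains the symptom: with `authentication open` the port forwards traffic whatever the authentication result, bounded only by the pre-authentication ACL applied to the interface, so an Access-Reject from ISE does not take the host off the network. It also emits the closed-mode version of the interface. The configuration text is the one posted in this thread; the interpretation of the IOS keywords is ours.

```python
# Added example for this thread (not Cisco code). Reads an IOS interface
# configuration, flags "authentication open", reports the pre-auth ACL and
# emits the closed-mode equivalent. Keyword interpretation is ours.
import re
from typing import Dict, List

# The interface configuration posted in this thread.
SWITCHPORT = """\
interface GigabitEthernet1/0/10
 switchport access vlan 105
 switchport mode access
 switchport voice vlan 301
 ip device tracking maximum 65535
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 storm-control broadcast level 25.00
 storm-control multicast level 25.00
 storm-control unicast level 25.00
 spanning-tree portfast edge
!
"""


def audit_interface(config: str) -> Dict[str, object]:
    """Summarise what happens to a host whose authentication ISE rejects."""
    lines = [l.strip() for l in config.splitlines() if l.strip() not in ("", "!")]
    open_mode = "authentication open" in lines
    acl = next((m.group(1) for l in lines
                if (m := re.match(r"ip access-group (\S+) in$", l))), None)
    order = next((l.split()[2:] for l in lines
                  if l.startswith("authentication order ")), [])
    fail_next = "authentication event fail action next-method" in lines

    findings: List[str] = []
    if open_mode:
        findings.append(
            "open mode: the port forwards traffic before, during and after a "
            f"failed authentication; only pre-auth ACL {acl or '<none>'} limits it")
        if acl is None:
            findings.append("no pre-auth ACL: an unauthenticated host gets the whole access VLAN")
    else:
        findings.append("closed mode: only EAPOL and control-plane protocols pass "
                        "until the session is authorized")
    if fail_next and order[:2] == ["dot1x", "mab"]:
        findings.append("dot1x failure falls through to MAB; a MAC that ISE does not know fails there too")
    return {"open_mode": open_mode, "preauth_acl": acl, "order": order,
            "fail_next_method": fail_next, "findings": findings}


def to_closed_mode(config: str) -> str:
    """Drop 'authentication open' so a rejected host gets no data-plane access."""
    return "\n".join(l for l in config.splitlines()
                     if l.strip() != "authentication open")


if __name__ == "__main__":
    for finding in audit_interface(SWITCHPORT)["findings"]:
        print("-", finding)
    print(to_closed_mode(SWITCHPORT))
```

Open mode is a legitimate monitor-mode setting while a deployment is being rolled out, but the pre-auth ACL then decides what a rejected or unknown host can reach; check what ACL-ALLOW actually permits before treating an Access-Reject as enforcement.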

Okay, it works now. But what if I just wanted him to access the internet?

And it shows that he is authenticated using Wired Dot1x, the policy I have created, but doesn't show that there are any hits against it.

[Attachments: dot1xwired.png, policy1234.png]

It's not working, as it says "Authentication Failed". If you showed me the entire output of the log I'd be able to determine why.

You didn't answer my previous question: does the client computer trust the certificate (EAP) presented by ISE?

Dear Rob,

My apologies - it does not ask for any trust certificate on the client computer.

I'm pasting the log below:


Overview
Event 5400 Authentication failed
Username INVALID
Endpoint Id 70:5A:0F:62:92:CF
Endpoint Profile
Authentication Policy Wired >> TCRA Dot1x
Authorization Policy Wired
Authorization Result

Authentication Details
Source Timestamp 2020-10-02 10:34:03.205
Received Timestamp 2020-10-02 10:34:03.205
Policy Server TCRA-ISE-PAN
Event 5400 Authentication failed
Failure Reason 22056 Subject not found in the applicable identity store(s)
Resolution Check whether the subject is present in any one of the chosen identity stores. Note that some identity stores may have been skipped due to identity resoultion settings or if they do not support the current authentication protocol.
Root cause Subject not found in the applicable identity store(s).
Username INVALID
Endpoint Id 70:5A:0F:62:92:CF
Calling Station Id 70-5A-0F-62-92-CF
IPv4 Address 10.100.105.59
Audit Session Id 0AC8D0640000001F05C2B02B
Authentication Method dot1x
Authentication Protocol PEAP (EAP-MSCHAPv2)
Service Type Framed
Network Device Test
Device Type All Device Types#Wired
Location All Locations#TCRA-HQ
NAS IPv4 Address 10.200.208.100
NAS Port Id GigabitEthernet1/0/10
NAS Port Type Ethernet
Response Time 4 milliseconds

Other Attributes
ConfigVersionId 123
Device Port 1645
DestinationPort 1812
RadiusPacketType AccessRequest
Protocol Radius
NAS-Port 50110
Framed-MTU 1500
State 37CPMSessionID=0AC8D0640000001F05C2B02B;38SessionID=TCRA-ISE-PAN/390237529/74355;
NetworkDeviceProfileId b0699505-3150-4215-a80e-6753d45bf56c
IsThirdPartyDeviceFlow false
AcsSessionID TCRA-ISE-PAN/390237529/74355
DetailedInfo Invalid username or password specified
SelectedAuthenticationIdentityStores TCRA-AD
IdentityPolicyMatchedRule TCRA Dot1x
EndPointMACAddress 70-5A-0F-62-92-CF
ISEPolicySetName Wired
IdentitySelectionMatchedRule TCRA Dot1x
StepLatency 52=24137
IsMachineIdentity false
TLSCipher ECDHE-RSA-AES256-GCM-SHA384
TLSVersion TLSv1.2
DTLSSupport Unknown
Network Device Profile Cisco
Location Location#All Locations#TCRA-HQ
Device Type Device Type#All Device Types#Wired
IPSEC IPSEC#Is IPSEC Device#No
RADIUS Username INVALID
Device IP Address 10.200.208.100
CPMSessionID 0AC8D0640000001F05C2B02B
Called-Station-ID 3C:41:0E:F2:25:0A
CiscoAVPair service-type=Framed,
audit-session-id=0AC8D0640000001F05C2B02B,
method=dot1x

Result
RadiusPacketType AccessReject

Session Events

Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - DEVICE.Device Type
15048 Queried PIP - Normalised Radius.RadiusFlowType
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12300 Prepared EAP-Request proposing PEAP with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12808 Prepared TLS ServerKeyExchange message
12810 Prepared TLS ServerDone message
12811 Extracted TLS Certificate message containing client certificate
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12318 Successfully negotiated PEAP version 0
12812 Extracted TLS ClientKeyExchange message
12813 Extracted TLS CertificateVerify message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12310 PEAP full handshake finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request (step latency=24137 ms Step latency=24137 ms)
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12313 PEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
15041 Evaluating Identity Policy
15013 Selected Identity Source - TCRA-AD
24430 Authenticating user against Active Directory - TCRA-AD
24325 Resolving identity - INVALID
24313 Search for matching accounts at join point - tcra.go.tz
24318 No matching account found in forest - tcra.go.tz
24322 Identity resolution detected no matching account
24352 Identity resolution failed - ERROR_NO_SUCH_USER
24412 User not found in Active Directory - TCRA-AD
22056 Subject not found in the applicable identity store(s)
22058 The advanced option that is configured for an unknown user is used
22061 The 'Reject' advanced option is configured in case of a failed authentication request
11823 EAP-MSCHAP authentication attempt failed
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
15041 Evaluating Identity Policy
15013 Selected Identity Source - TCRA-AD
24430 Authenticating user against Active Directory - TCRA-AD
24325 Resolving identity - INVALID
24313 Search for matching accounts at join point - tcra.go.tz
24318 No matching account found in forest - tcra.go.tz
24322 Identity resolution detected no matching account
24352 Identity resolution failed - ERROR_NO_SUCH_USER
24412 User not found in Active Directory - TCRA-AD
15013 Selected Identity Source - TCRA-AD
24430 Authenticating user against Active Directory - TCRA-AD
24325 Resolving identity - INVALID
24313 Search for matching accounts at join point - tcra.go.tz
24318 No matching account found in forest - tcra.go.tz
24322 Identity resolution detected no matching account
24352 Identity resolution failed - ERROR_NO_SUCH_USER
24412 User not found in Active Directory - TCRA-AD
22016 Identity sequence completed iterating the IDStores
22056 Subject not found in the applicable identity store(s)
22058 The advanced option that is configured for an unknown user is used
22061 The 'Reject' advanced option is configured in case of a failed authentication request
11815 Inner EAP-MSCHAP authentication failed
11520 Prepared EAP-Failure for inner EAP method
22028 Authentication failed and the advanced options are ignored
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
61025 Open secure connection with TLS peer
12307 PEAP authentication failed
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject

The username says it's INVALID, which is why it's not found in the identity store and fails authentication.

To aid debugging, you can force Cisco ISE to display the invalid usernames. To do this, check the Disclose Invalid Usernames check box under Administration > System > Settings > Security Settings. You can also configure the Disclose Invalid Usernames option to time out, so that you do not have to manually turn it off.
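As an added example (not part of this thread and not Cisco ISE code), here is a Python triage pass over a pasted ISE authentication report like the one above. It pulls out the final RADIUS result, the failure reason code, the identity stores that were actually consulted in the Steps list and the negotiated EAP method, and flags the masked INVALID username so you know to enable Disclose Invalid Usernames before reading further. LOG_EXCERPT is a shortened copy of the report posted above; the hint wording is ours.

```python
# Added example for this thread (not Cisco ISE code): triage of a pasted
# ISE authentication report. LOG_EXCERPT is a shortened copy of the report
# posted above in this thread; the hint text is ours.
import re
from typing import Dict, List, Optional, Tuple

LOG_EXCERPT = """\
Event 5400 Authentication failed
Username INVALID
Endpoint Id 70:5A:0F:62:92:CF
Authentication Policy Wired >> TCRA Dot1x
Failure Reason 22056 Subject not found in the applicable identity store(s)
Authentication Method dot1x
Authentication Protocol PEAP (EAP-MSCHAPv2)
RadiusPacketType AccessRequest
SelectedAuthenticationIdentityStores TCRA-AD
ISEPolicySetName Wired
IdentityPolicyMatchedRule TCRA Dot1x
Result
RadiusPacketType AccessReject
Steps
11001 Received RADIUS Access-Request
12300 Prepared EAP-Request proposing PEAP with challenge
12816 TLS handshake succeeded
12313 PEAP inner method started
15013 Selected Identity Source - TCRA-AD
24430 Authenticating user against Active Directory - TCRA-AD
24325 Resolving identity - INVALID
24412 User not found in Active Directory - TCRA-AD
22056 Subject not found in the applicable identity store(s)
11815 Inner EAP-MSCHAP authentication failed
11003 Returned RADIUS Access-Reject
"""

STEP_RE = re.compile(r"^(\d{5}) (.+)$")


def field(report: str, name: str) -> Optional[str]:
    """Last value of a 'Name value' line; the Result block's RadiusPacketType
    comes after the Other Attributes one, so the last occurrence is the verdict."""
    hits = re.findall(rf"^{re.escape(name)} (.+)$", report, re.M)
    return hits[-1].strip() if hits else None


def parse_steps(report: str) -> List[Tuple[str, str]]:
    """(code, message) pairs from the Steps section, in order."""
    steps, in_steps = [], False
    for line in report.splitlines():
        if line.strip() == "Steps":
            in_steps = True
        elif in_steps and (m := STEP_RE.match(line.strip())):
            steps.append((m.group(1), m.group(2)))
    return steps


def triage(report: str) -> Dict[str, object]:
    steps = parse_steps(report)
    codes = [c for c, _ in steps]
    failure = field(report, "Failure Reason")
    # Stores actually consulted, taken from the Steps rather than the summary.
    stores = sorted({m.group(1) for _, msg in steps
                     if (m := re.match(r"Selected Identity Source - (.+)", msg))})
    username = field(report, "Username")
    hints: List[str] = []
    if username == "INVALID":
        hints.append("username is masked: enable Administration > System > Settings > "
                     "Security Settings > Disclose Invalid Usernames and retry")
    if "12816" in codes:
        hints.append("TLS tunnel completed, so the ISE server certificate was not what blocked this")
    if failure and failure.startswith("22056"):
        hints.append(f"subject not found in {', '.join(stores) or 'the selected stores'}: "
                     "the supplicant sent an identity those stores do not hold")
    return {
        "result": field(report, "RadiusPacketType"),
        "policy_set": field(report, "ISEPolicySetName"),
        "auth_rule": field(report, "IdentityPolicyMatchedRule"),
        "protocol": field(report, "Authentication Protocol"),
        "failure_code": failure.split()[0] if failure else None,
        "identity_stores": stores,
        "username_masked": username == "INVALID",
        "hints": hints,
    }


if __name__ == "__main__":
    for key, value in triage(LOG_EXCERPT).items():
        print(f"{key:16} {value}")
```

Two things the report above shows that are easy to miss when reading it by hand: the session did hit the custom "Wired" policy set and the "TCRA Dot1x" rule (so this is no longer the default-policy problem from the start of the thread), and the outer TLS handshake finished, which moves the question from "does the client trust the ISE certificate" to "what identity is the supplicant sending".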

Okay, thank you. I tried connecting a laptop that's part of the domain and it is asking for AnyConnect - wired username and password, but when the user puts in the username and password it does not connect.

Right, ok, so the initial computer/user you were troubleshooting with wasn't joined to the domain, so could have been sending the wrong identity to ISE. Disclosing the username on ISE would have revealed that.

AnyConnect needs to be configured correctly; it doesn't just work.
