ISE Dot1x configuration, PAP is not allowed

naoki_Japan

I wanna give the users registered in AD network access via ISE authentication through AD.

I have neatly registered AD on ISE.

However, the logs below appear all the time and the authentication fails.

Could you let me know the cause and resolution?

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11027 Detected Host Lookup UseCase (Service-Type = Call Check (10))
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - DEVICE.Device Type
15048 Queried PIP - Radius.NAS-Port-Type
11034 Process Host Lookup is disabled. (Service-Type = Call Check (10) cannot be applied)
15024 PAP is not allowed
11003 Returned RADIUS Access-Reject

2 Replies

For whatever reason, the switch port is doing MAB for the client instead of 802.1X. Look at the switch port to see why it is doing that.

naoki_Japan

Thank you for your help.

But it seems that the switch is working correctly, judging by the log shown below.

switch1#
*Sep 14 09:23:09.660: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (??MAC address???) with reason (Timeout) on Interface Gi1/0/2 AuditSessionID 0A0A0AFE000000A7E39CA738
*Sep 14 09:23:09.662: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (??MAC address???) on Interface GigabitEthernet1/0/2 AuditSessionID 0A0A0AFE000000A7E39CA738
switch1#
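
The two logs posted in this thread can be read side by side. The Python below is an added example, not part of any post and not Cisco code; it picks out the ISE step codes and the switch's %DOT1X-5-FAIL line quoted above, and its function names and finding strings are assumptions made for the illustration.

```python
import re

# ISE step codes, with their texts as they appear in the log posted in this thread.
MAB_DETECTED = "11027"          # Detected Host Lookup UseCase (Service-Type = Call Check (10))
HOST_LOOKUP_DISABLED = "11034"  # Process Host Lookup is disabled
PAP_NOT_ALLOWED = "15024"       # PAP is not allowed
ACCESS_REJECT = "11003"         # Returned RADIUS Access-Reject

ISE_STEP = re.compile(r"^\s*(\d{5})\s+(.+)$", re.M)
DOT1X_FAIL = re.compile(
    r"%DOT1X-5-FAIL:.*?with reason \((?P<reason>[^)]+)\) on Interface (?P<intf>\S+)")

def ise_steps(text):
    """Map each 5-digit step code in an ISE step listing to its message."""
    return {code: msg.strip() for code, msg in ISE_STEP.findall(text)}

def dot1x_failures(text):
    """Return (interface, reason) for every %DOT1X-5-FAIL syslog line."""
    return [(m["intf"], m["reason"]) for m in DOT1X_FAIL.finditer(text)]

def triage(ise_text, switch_text):
    """List what the two logs say about the request type and where 802.1X stopped."""
    steps, findings = ise_steps(ise_text), []
    if MAB_DETECTED in steps:
        findings.append("ISE: request arrived as Host Lookup (MAB), not 802.1X")
        if HOST_LOOKUP_DISABLED in steps:
            findings.append("ISE: Process Host Lookup is disabled for this request")
    if PAP_NOT_ALLOWED in steps and ACCESS_REJECT in steps:
        findings.append("ISE: Access-Reject returned after 'PAP is not allowed'")
    for intf, reason in dot1x_failures(switch_text):
        findings.append(f"switch: 802.1X failed on {intf} with reason {reason}")
    return findings

# Sample input: lines copied from the posts above (MAC address redacted by the poster).
ISE_LOG = """\
11001 Received RADIUS Access-Request
11027 Detected Host Lookup UseCase (Service-Type = Call Check (10))
11034 Process Host Lookup is disabled. (Service-Type = Call Check (10) cannot be applied)
15024 PAP is not allowed
11003 Returned RADIUS Access-Reject
"""
SWITCH_LOG = ("*Sep 14 09:23:09.660: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: "
              "Authentication failed for client (??MAC address???) with reason (Timeout) "
              "on Interface Gi1/0/2 AuditSessionID 0A0A0AFE000000A7E39CA738")

if __name__ == "__main__":
    for finding in triage(ISE_LOG, SWITCH_LOG):
        print("-", finding)
```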
