Cisco ISE and MAB authentication

help_pc
Level 1

Hello everyone,

I am trying to follow this guide - https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-5/b_Identity_PSK_Feature_Deployment_Guide.html but can't quite get it to work. The client returns "Incorrect password for network Test" when trying to connect.

 

My test environment

- Cisco ISE 2.1.0.474

- WLC 5508 running software version 8.2.166.0

 

Errors from the RADIUS live logs in ISE

Event: 5434 Endpoint conducted several failed authentications of the same scenario
Failure Reason: 22056 Subject not found in the applicable identity store(s)

 

Policy Sets

[Image: ISE-policyset.png]

 

What am I missing?

  • I am trying abc12345 for the password on my client. Is that right?
  • Wondering if it's due to running 8.2 on the WLC. Can anyone confirm if that's the case? Can't seem to find an 8.2 version of this guide.

Thanks in advance!

3 Replies

In your authentication policy, your MAB entry should validate against
internal endpoints, and you need to modify the 2nd action (if fails) from
reject to continue.

Thanks for the suggestion! That got me a little farther. Now ISE shows the device status as "Auth passed"

5200 Authentication succeeded

but my client is still showing "incorrect password for network test" and does not connect to the SSID. Any suggestions? Thanks!

Upgrading the WLC to 8.5.151.0 seemed to fix the issue of "incorrect password". Thanks again for the help on the other issue @Mohammed al Baqari