Solved: ISE 2.4: Wireless guest failed auth msg: 5400 Authentication failed

girish_gavandi · ‎04-22-2019

Hello,

Requesting help to troubleshoot below authentication fail error messages seen for wireless guest users.

Event 5400 Authentication failed
Failure Reason 22040 Wrong password or invalid shared secret

ISE and WLC shared secret is correct.
Guest user is correctly entering the username and password.

Authentication failed is happening only for Officer and Employee guest types. It not happening for Bronze User and Guest User guest types.

Steps:
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11027 Detected Host Lookup UseCase (Service-Type = Call Check (10))
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15041 Evaluating Identity Policy
15048 Queried PIP - Radius.NAS-Port-Type
15048 Queried PIP - Radius.Service-Type
15013 Selected Identity Source - Internal Endpoints
24209 Looking up Endpoint in Internal Endpoints IDStore - <mac add>
24211 Found Endpoint in Internal Endpoints IDStore
22040 Wrong password or invalid shared secret
22057 The advanced option that is configured for a failed authentication request is used
22061 The 'Reject' advanced option is configured in case of a failed authentication request
11003 Returned RADIUS Access-Reject

Attaching policy set rules and authorization logs from a working client.

Any help is much appreciated.

Regards,
Girish

girish_gavandi · ‎12-14-2019

Just to close this thread with the solution,

We did following changes to solve this issue:

Fixed context visibility issue.
Rebuilt context visibility database using https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-23/213610-ise-2-3-rest-sync-context-visibility.html
Changed custom condition for MAB to Wireless_MAB condition from library. Authentication started to work after that change.
Changed condition in authorization rule to include all subgroups in Endpoint Identity Group type.

ISE Version : 2.4.0.357

WLC Version: 8.5.135.0

View solution in original post

Arne Bier · ‎04-23-2019

I would recommend using Smart Conditions that are built into ISE when creating Wireless MAB policy sets. Make that the first step.

Allowed Protocols should only have First checkbox ticked (hosts). Not PAP etc - in your screenshots it shows that a PAP request came in. If you use Allowed Protocls correctly then it will catch this type of thing early on.

The authentication rule will be simple then. Use default “internal endpoints” and set to Continue if user not found.

Authorisation should the make tests about which identity group the user belongs to etc

girish_gavandi · ‎12-14-2019

Just to close this thread with the solution,

We did following changes to solve this issue:

Fixed context visibility issue.
Rebuilt context visibility database using https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-23/213610-ise-2-3-rest-sync-context-visibility.html
Changed custom condition for MAB to Wireless_MAB condition from library. Authentication started to work after that change.
Changed condition in authorization rule to include all subgroups in Endpoint Identity Group type.

ISE Version : 2.4.0.357

WLC Version: 8.5.135.0