
Issue with Cisco ISE for wireless clients

donnie
Level 1

Hi,

 

My current environment is configured for 802.1X using Cisco ISE and requires machine cert and user cert authentication before a machine is authorised and assigned a VLAN. Currently I notice my LAN with ISE works well and is very stable, but my WLAN is rather unstable with ISE, such that intermittently I don't see any machine cert authentication in my ISE logs when I boot up my machine. There are times when machine authentication with ISE works on the first boot. Can anyone guide me on how I can do end-to-end tracking of my machine authentication that is done over wireless, starting from the WLC? My WLC is an AIR-CT3504. I have already ensured that the required 802.1X settings are applied on my machine for both the LAN and WLAN adapters. Please advise. TIA!

2 Accepted Solutions


The WLC will just pass the EAP message over RADIUS to ISE. All tracking has to be done from ISE. You can run diagnostics using the endpoint MAC address to see all the handshaking in detail on ISE.


Mike.Cifelli
VIP Alumni
I assume your hosts are Windows-based if you are doing machine and user cert authentication? If you are using NAM for EAP chaining purposes, you can enable extended logging for the AnyConnect client.

Open AnyConnect, make sure it is in focus.

Press this combo: left **bleep** + left Alt + L. No response.

Right-click the AnyConnect icon in the Windows system tray. Menu pops up.

Select extended logging so it has a check mark displayed. NAM will now log debug messages.

Then, as mentioned by @Mohammed al Baqari, you can run a TCP dump on your PSN.

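To make use of a capture taken on the PSN, as the answers above suggest, the following added example (not part of the original thread, and not Cisco code) decodes RADIUS packets and lists what arrived for one endpoint MAC. It assumes the RADIUS UDP payloads have already been extracted from the capture; the function names are hypothetical and the sample packets, host name and MAC addresses are constructed.

```python
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 43: "EAP-FAST"}

def norm_mac(s):
    """Reduce any MAC notation (aa-bb-.., aabb.ccdd.., AA:BB:..) to 12 lowercase hex digits."""
    return "".join(c for c in s.lower() if c in "0123456789abcdef")

def parse_radius(payload):
    """Decode one RADIUS UDP payload into the fields needed to follow an endpoint."""
    length = int.from_bytes(payload[2:4], "big")
    if not 20 <= length <= len(payload):
        raise ValueError("truncated or malformed RADIUS packet")
    rec = {"code": CODES.get(payload[0], str(payload[0])), "user": None, "mac": None, "eap": None}
    eap, pos = b"", 20                      # attributes follow the 16-byte authenticator
    while pos + 2 <= length:
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = payload[pos + 2:pos + alen]
        if atype == 1:                      # User-Name (outer EAP identity)
            rec["user"] = value.decode("utf-8", "replace")
        elif atype == 31:                   # Calling-Station-Id (client MAC)
            rec["mac"] = norm_mac(value.decode("ascii", "replace"))
        elif atype == 79:                   # EAP-Message, possibly split across attributes
            eap += value
        pos += alen
    if len(eap) >= 5 and eap[0] in (1, 2):  # only EAP Request/Response carry a type byte
        rec["eap"] = EAP_TYPES.get(eap[4], str(eap[4]))
    return rec

def trace_endpoint(payloads, mac):
    """List (code, User-Name, EAP type) for every packet carrying this Calling-Station-Id."""
    want = norm_mac(mac)
    return [(r["code"], r["user"], r["eap"]) for r in map(parse_radius, payloads) if r["mac"] == want]

# --- constructed sample packets (not from a real capture) ---
def _attr(t, v):
    return bytes([t, len(v) + 2]) + v
def _request(user, mac, eap_type):
    eap = struct.pack("!BBHB", 2, 1, 5, eap_type)          # EAP Response, no type data
    body = _attr(1, user) + _attr(31, mac) + _attr(79, eap)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body

SAMPLE = [
    _request(b"host/pc01.example.test", b"aa-bb-cc-00-11-22", 1),
    _request(b"host/pc01.example.test", b"aa-bb-cc-00-11-22", 13),
    _request(b"alice", b"de-ad-be-ef-00-01", 1),
]
```

An empty result from `trace_endpoint` for a boot where ISE logged nothing means no Access-Request with that Calling-Station-Id reached the PSN during the capture, so the next place to look is the client or the WLC rather than ISE policy.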
