Beginner

Issue with Cisco ISE for wireless clients

Hi,

 

My current environment is configured for 802.1x using Cisco ISE and requires machine cert and user cert authentication before a machine is authorised and assigned a VLAN. Currently I notice my LAN with ISE works well and is very stable, but my WLAN is rather unstable with ISE, such that intermittently I don't see any machine cert authentication in my ISE logs when I boot up my machine. There are times when machine authentication with ISE is able to work on the 1st boot-up. Can anyone guide me on how I can do end-to-end tracking of my machine authentication that is done over wireless, starting from the WLC? My WLC is AIR-CT3504. I have already ensured that the required 802.1x settings are applied on my machine for both the LAN and WLAN adaptors. Please advise. TIA!

2 ACCEPTED SOLUTIONS

VIP Advisor

Re: Issue with Cisco ISE for wireless clients

WLC will just pass the EAP message over RADIUS to ISE. All tracking has to
be done from ISE. You can run a diagnostic using the endpoint MAC address to see
all the handshaking in detail on ISE.
Enthusiast

Re: Issue with Cisco ISE for wireless clients

I assume your hosts are Windows-based if you are doing machine and user cert authentication? If you are using NAM for EAP-chaining purposes, you can enable extended logging for the AnyConnect client.

Open AnyConnect, make sure it is in focus.

Press this combo: left **bleep** + left Alt + L. No response.

Right-click the AnyConnect icon in the Windows system tray. A menu pops up.

Select extended logging so it has a check mark displayed. NAM will now log debug messages.

Then, as mentioned by @Mohammed al Baqari, you can run a TCP dump on your PSN.
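
The replies above note that the WLC only relays EAP inside RADIUS and suggest a TCP dump on the PSN. As an added example (not part of the original thread and not Cisco code), this Python decoder takes RADIUS UDP payloads from such a capture and follows one endpoint's exchange by its Calling-Station-Id. The packets, MAC addresses and host name are constructed, and matching replies by RADIUS identifier alone (ignoring source port) is a simplifying assumption.

```python
import struct
RADIUS = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
EAP_CODE = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP", 43: "EAP-FAST"}
TEXT_ATTRS = {1: "user", 31: "mac"}  # User-Name, Calling-Station-Id (client MAC sent by the WLC)

def parse_radius(pkt):
    """Decode one RADIUS UDP payload into the fields needed to follow an EAP exchange."""
    if len(pkt) < 20 or not 20 <= struct.unpack("!H", pkt[2:4])[0] <= len(pkt):
        raise ValueError("truncated packet or bad RADIUS length field")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    out = {"radius": RADIUS.get(code, str(code)), "id": ident, "mac": None, "user": None, "eap": None}
    eap, pos = b"", 20  # attributes start after the 20-byte header
    while pos + 2 <= length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = pkt[pos + 2:pos + alen]
        if atype in TEXT_ATTRS:
            out[TEXT_ATTRS[atype]] = value.decode("utf-8", "replace")
        elif atype == 79:  # EAP-Message; a long EAP packet spans several attributes
            eap += value
        pos += alen
    if len(eap) >= 4:
        etype = EAP_TYPE.get(eap[4], str(eap[4])) if eap[0] in (1, 2) and len(eap) > 4 else None
        out["eap"] = (EAP_CODE.get(eap[0], str(eap[0])), etype)
    return out

def follow(packets, mac):
    """Return one endpoint's requests plus the server replies matched by RADIUS id."""
    steps, pending = [], set()
    for p in map(parse_radius, packets):
        if p["radius"] == "Access-Request" and (p["mac"] or "").lower() == mac.lower():
            pending.add(p["id"])
            steps.append(p)
        elif p["radius"] != "Access-Request" and p["id"] in pending:
            pending.discard(p["id"])
            steps.append(p)
    return steps

def build(code, ident, *attrs):
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body
# Constructed sample: EAP Response/Identity split over two EAP-Message attributes, then the reply
name = b"host/pc01.example.test"
eap = bytes([2, 7]) + struct.pack("!H", 5 + len(name)) + b"\x01" + name
SAMPLE = [
    build(1, 42, (1, name), (31, b"AA-BB-CC-00-11-22"), (79, eap[:10]), (79, eap[10:])),
    build(11, 42, (79, bytes([1, 8, 0, 6, 13, 0x20]))),  # Access-Challenge carrying EAP-TLS Start
    build(1, 43, (31, b"DE-AD-BE-EF-00-01"))]            # a different client
```

A boot where `follow` returns no Access-Request for the client's MAC means the RADIUS request never reached the PSN; a request with no matching reply points at the ISE side instead.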
Cisco Employee

Re: Issue with Cisco ISE for wireless clients