
Authentication failed due to domain name need fill up for Android 11

penangpcr888
Level 1

@Arne Bier 

Hi, I have a blocking issue. My Pixel with Android 11 is not able to get authenticated by the Cisco setup on WiFi enterprise.

I created the domain name "motorola.com" on the Cisco server. I also extracted the CA cert (CAcert.crt) from the Cisco setup and installed it as a WiFi certificate on the Pixel phone. But it still fails to get authenticated by the Cisco system.

The Pixel phone is trying to connect to the Cisco WiFi access point with:

EAP method: TTLS

Phase 2 authentication: MSCHAPV2

CA certificate: CAcert.crt

Online Certificate Status: Do not validate

Domain: motorola.com

identity: beng, password: xxxxx

 

Question:

Q1: May I know which area I missed that needs to be configured on the Cisco system?

Q2: Or can anyone suggest which Cisco command I need to enter to make sure of the configuration?

Q3: I did find some Cisco commands to set up a domain name. May I know, apart from setting up the domain name, which Cisco commands I still need when I try to set up a domain name on the Cisco router?

 

Note: a Pixel with Android 10 manages to log in to the same Cisco system, because Android 10 does not need the domain name filled in when connecting to the Cisco access point.

 

 

You can refer to the attachments for the domain name and failed authentication details.

domainName_png.PNG, ISE_authentication_failedLogs_png.PNG

3 Replies

Arne Bier
VIP

Hello @penangpcr888 

 

Apologies for the late reply - the ISE error message that you show in the graphic appears to be because you have not configured the NAS (WLC?) in ISE. Or some of the details are wrong (like the IP source address that is sending RADIUS to ISE). It's been a while since your request came in - have you made any progress?

thomas
Cisco Employee

image.png

ISE is very clearly telling you that you:

- have not added your WLC to the ISE Network Devices page

- added your WLC but with the wrong IP address/range

- added your WLC but with the wrong RADIUS Pre-Shared Key

- added your WLC but with the wrong IP address/range AND the wrong RADIUS Pre-Shared Key

 

 

 

Peter Koltl
Level 7

The Domain field in Android 11 must match the ISE EAP certificate subject’s domain.

motorola.com is suitable in case CN=ise.motorola.com
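
A pre-deployment check for the Domain value discussed in this thread, as an added example that is not part of any post above. It goes beyond the CN case in the last reply by assuming Android's Domain field follows the rule documented for wpa_supplicant's `domain_suffix_match` (label-by-label suffix comparison against SAN dNSName entries, with the subject CN consulted only when the certificate has none); the function names and `radius.example.net` are constructed.

```python
# Added example: function names and sample certificate names are constructed.

def _labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.strip().rstrip(".").lower().split(".")


def suffix_match(domain, cert_name):
    """True if cert_name ends with every label of domain, compared label by label."""
    want, have = _labels(domain), _labels(cert_name)
    if not all(want) or len(want) > len(have):
        return False  # empty label, or Domain is longer than the certificate name
    return have[-len(want):] == want


def domain_field_accepts(domain, san_dns_names, subject_cn):
    """Assumed rule (wpa_supplicant domain_suffix_match): test SAN dNSName
    entries; fall back to the subject CN only when the cert has no dNSName."""
    candidates = san_dns_names if san_dns_names else [subject_cn]
    return any(suffix_match(domain, name) for name in candidates if name)


# (Domain typed on the phone, SAN dNSName list, subject CN) - constructed cases
CASES = [
    ("motorola.com", [], "ise.motorola.com"),                      # CN only
    ("Motorola.COM", ["ise.motorola.com"], "ise.motorola.com"),    # case-insensitive
    ("torola.com", [], "ise.motorola.com"),                        # not a whole label
    ("motorola.com", ["radius.example.net"], "ise.motorola.com"),  # SAN overrides CN
    ("wifi.ise.motorola.com", [], "ise.motorola.com"),             # Domain too specific
]


def report():
    """Return (domain, accepted) for each constructed case."""
    return [(d, domain_field_accepts(d, san, cn)) for d, san, cn in CASES]


if __name__ == "__main__":
    for domain, ok in report():
        print(f"{domain:24} {'accepted' if ok else 'REJECTED'}")
```

The fourth case is the one to check on a real EAP certificate: once a SAN dNSName is present, a matching CN no longer helps.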