ISE Operational Issues

Proprietary notice
Copyright © Orange Business Services 2016. All rights reserved.

Confidentiality

All information contained in this document is strictly confidential and is the property of
Orange Business Services. It is provided for the sole purpose of responding to the request
from LafargeHolcim and shall not be used for any other purpose.
LafargeHolcim shall not publish or disclose this information, in whole or in part, to any other
party without the prior written permission of Orange Business Services.

Obligations and Conditions

This document is subject to contract and does not constitute a binding offer from Orange
Business Services. In the event that any assumption on which Orange Business Services
has based its proposal or any information provided by LafargeHolcim changes or is
incorrect, Orange Business Services reserves the right to revise any portion of this
document accordingly.
Implementation of any services detailed in this document is subject to applicable
regulations in force on the date the services are to be implemented.
Orange, the Orange logo, Orange Business Services, and related marks are trademarks of
Orange Brand Services Limited. Many of the products, services, and company names
referred to in this document are registered trademarks of third parties. They are all hereby
acknowledged.
Orange Business Services is a trading name of the Orange Group.

Point of contact

Name: Ashish Agarwal


Title: Solution Expert
Email: [email protected]
Tel:
Fax:
Address:
Website: http://www.mnc.orange-business.com
Table of Contents

1 Introduction 5
1.1 Overview 5
1.2 Intended audience 5
1.3 Scope 5
2 Troubleshooting 6
2.1 Impact Information template 6
2.2 High-Level Troubleshooting Flow 6
2.3 T-shoot Wired Network Access 7
2.3.1 Preliminary checks 7
2.3.2 How to check logs on ISE 7
2.3.3 Common issue 1 8
2.3.4 Common issue 2 8
2.3.5 Common issue 3 9
2.4 T-shoot Wireless Network Access 9
2.4.1 Web Auth Redirect process flow 9
2.4.2 Common issue 1 10
2.4.3 Common issue 2 11

History of document changes
Date        Version  Author          Added/changed
10.08.2020  1.0      Ashish Agarwal  Creation of document
1 Introduction
1.1 Overview
An ISE deployment relies on multiple components. When authentication fails in the AAA
environment, it may be challenging to find the root cause of the issue because you may
need to look at several different components.

With recent enhancements, Cisco has put effort into providing a single point of view for
troubleshooting by correlating switch syslog events with internal ISE events, as well as by
providing interfaces on ISE to poll for different authentication-related information on
demand. Other enhancements on ISE include a configuration validator and a TCP dump
utility.

1.2 Intended audience


This document is intended for the Orange Business Services service desk responsible for
creating Level 1 tickets for the ISE platform.

1.3 Scope
This document describes the common issues and the troubleshooting steps to resolve
them. ISE controls network access to the LAN network. Four use cases are
supported, each with a different Network Access Control implementation.

Wired Access     Corporate Access
                 MAB (MAC Authentication Bypass)
Wireless Access  Corporate Access
                 Guest Access
                 BYOD Access
2 Troubleshooting
2.1 Impact Information template
To begin troubleshooting, request the following information from the client.

Particular             Information      Remark
Site impacted                           Mandatory
User device impacted   Wired/Wireless   Mandatory
No. of users impacted  Single/Multiple  Mandatory
SSID                                    Mandatory
Switch detail                           Optional
Device MAC address                      Mandatory

2.2 High-Level Troubleshooting Flow

1. Check ISE Operations > Live Logs, filtering on the client MAC in the Endpoint ID field.
2. Check the authentication status:
   - Pass: check the Authorization Policy, then validate the applied DACL and make sure
     the assigned IP is correct.
   - Fail: click the details icon; under Authentication Details, the Failure Reason will
     help to identify the issue.
2.3 T-shoot Wired Network Access
To start troubleshooting Wired NAC (Network Access Control), observe the logs on both the
authenticator (switch) and the authentication server (Cisco ISE).
2.3.1 Preliminary checks
Step1 Identify the switch port where the client is connected.
Step2 Run the command "show authentication sessions interface Gi x/x/x details".
Step3 In the output:
 - Verify the MAC address.
 - Verify the IP address.
 - The Domain should be VOICE only for an IP phone; for everything else it should be DATA.
 - For a corporate laptop, the dot1x method should show Auth Success.
Step4 For a corporate user machine, if dot1x shows Stopped, bounce the port and check
again.
 - If the status is still the same, suggest that the client update Windows Group Policy.
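The Step 3 and Step 4 checks above, as an added example that is not part of the original document: a small Python parser for the "show authentication sessions ... details" output that applies the Domain and dot1x checks. The sample output is constructed, and its field layout (IOS-XE style, with a "Method status list" table) is an assumption.

```python
import re

# Constructed sample of "show authentication sessions interface Gi1/0/1 details" output
# in the IOS-XE layout (assumed here); every value is made up for this example.
SAMPLE_OUTPUT = """\
            Interface:  GigabitEthernet1/0/1
          MAC Address:  0050.5698.e5a1
         IPv4 Address:  10.1.20.15
               Domain:  DATA

Method status list:
       Method           State
       dot1x            Stopped
       mab              Authc Success
"""

def parse_session(text):
    """Return the 'Field: value' pairs plus a 'methods' dict, e.g. {'dot1x': 'Stopped'}."""
    info = {"methods": {}}
    in_methods = False
    for line in text.splitlines():
        if line.strip().startswith("Method status list"):
            in_methods = True
            continue
        if in_methods:  # rows of the method table: "<method> <state words...>"
            parts = line.split()
            if len(parts) >= 2 and parts[0] != "Method":
                info["methods"][parts[0]] = " ".join(parts[1:])
            continue
        m = re.match(r"\s*([\w\- ]+?):\s+(.*)$", line)
        if m:
            info[m.group(1).strip()] = m.group(2).strip()
    return info

def preliminary_checks(info, is_ip_phone=False):
    """Apply the Step 3 / Step 4 checks; an empty list means the session looks healthy."""
    findings = []
    if not info.get("MAC Address"):
        findings.append("no MAC address: no session on this port")
    if info.get("IPv4 Address", "Unknown") == "Unknown":
        findings.append("IP address not learned: check DHCP / IP device tracking")
    expected = "VOICE" if is_ip_phone else "DATA"      # Voice only for IP phones
    if info.get("Domain", "").upper() != expected:
        findings.append(f"Domain is {info.get('Domain')}, expected {expected}")
    dot1x = info["methods"].get("dot1x", "absent")       # corporate laptops must pass dot1x
    if not is_ip_phone and not dot1x.lower().endswith("success"):
        hint = ("bounce the port; if unchanged, update Windows Group Policy"
                if dot1x == "Stopped" else "expected Authc Success")
        findings.append(f"dot1x state is {dot1x}: {hint}")
    return findings
```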
2.3.2 How to check logs on ISE
Step5 Log in to the ISE GUI.
Step6 Go to Operations > Live Logs.
Step7 You now have multiple options to filter the logs: by Endpoint ID (MAC address), IP
address, Network Device and so on.
Step8 Filter on the device whose logs you want to see.
Step9 Once the device is filtered, select the details icon to get more detailed information.
2.3.3 Common issue 1
Problem description:
The client machine is unable to initiate dot1x although it is expected to have corporate
access.
Action:
Step1 First verify that the switch has the configuration needed for dot1x.
Step2 Advise the user to update Group Policy from the command prompt.
Step3 If the update is unsuccessful, contact the Windows team to enable the dot1x setting
on the user machine.

2.3.4 Common issue 2


Problem description:
The live log detail displays the following error message:

 11007 Could not locate Network Device or AAA Client Resolution

Action:
Step1 A possible cause of this issue is that the switch is not properly added into ISE under
Network Devices.
Step2 Verify whether the Network Device or AAA client is configured:
Step3 Go to Administration > Network Resources > Network Devices.
Step4 Verify that the switch IP address and the Shared Secret under the RADIUS
authentication settings are correctly configured.
Step5 Compare these settings with another working switch.

2.3.5 Common issue 3


Problem description:
The live log detail displays the following error message:

 11036 The Message-Authenticator RADIUS attribute is invalid

Action:
Step1 A possible cause of this issue is that the shared RADIUS key does not match between
ISE and the NAD.
Step2 Verify whether the Network Device or AAA client is configured:
Step3 Go to Administration > Network Resources > Network Devices.
Step4 Verify that the Shared Secret under the RADIUS authentication settings is correctly
configured.
Step5 Match this key with the key configured on the switch side.

2.4 T-shoot Wireless Network Access


As mentioned earlier, wireless access has three options for network access: corporate
access is required for employees, internet access is required for guests visiting the
company campus, and in some cases employee personal devices may need access as well.
2.4.1 Web Auth Redirect process flow
At a high level, the basic flow works like this:
 - An unknown device connects to the network.
 - ISE returns a result to the Network Access Device (NAD) with a redirect URL.
 - When the user tries to connect to a website, the NAD intercepts the HTTP GET request
   and returns a 302 redirect pointing to the web portal on ISE. The redirect also
   contains the RADIUS session ID and the original URL the user was trying to reach.
 - The user and device are onboarded.
   a. In the case of guests, the MAC address of the device is stored in the endpoint
      database and associated with a guest endpoint group.
   b. For BYOD, the device is issued a certificate for dot1x authentication.
 - After onboarding, ISE sends a Change of Authorization (CoA) to the NAD. This
   retriggers the authentication process as if the user had just connected.
 - Because the device is now known to ISE, it should match an authorization rule,
   giving the device network access.

2.4.2 Common issue 1


Problem description:
The portal page does not load in the browser.
Action:
This is typically a problem with the redirect ACL on the WLC. Steps to investigate:
Step1 Check the ISE live log for the web auth redirect status.
Step2 Check the client status on the WLC.
Step3 Check the web auth ACL:
 - Make sure DNS is able to resolve the hostname in the redirect URL.
 - Ensure the ACL permits the IP address of the ISE node.
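The two Step 3 checks above, as an added example that is not part of the original document: a first-match evaluation of a constructed WLC-style ACL (permit means the client may reach the destination before authentication, as the text describes for the WLC) that confirms DNS and the ISE portal port are reachable. The ACL, the ISE node address, the DNS server address and the portal port 8443 are all assumptions for this example.

```python
import ipaddress

# Constructed WLC-style redirect/pre-auth ACL as (action, protocol, destination, port);
# "any" matches every port and "ip" matches every protocol. All addresses are made up.
ISE_NODE_IP = "10.10.5.20"    # assumed ISE node (PSN) address for this example
DNS_SERVER_IP = "10.10.1.53"  # assumed DNS server the client uses
GOOD_ACL = [
    ("permit", "udp", "0.0.0.0/0", 53),       # DNS, so the portal hostname resolves
    ("permit", "tcp", "10.10.5.0/24", 8443),  # ISE portal on the node's subnet
    ("deny", "ip", "0.0.0.0/0", "any"),       # everything else is held for redirect
]
BAD_ACL = [                                   # wrong subnet: the ISE node is not permitted
    ("permit", "udp", "0.0.0.0/0", 53),
    ("permit", "tcp", "10.10.6.0/24", 8443),
    ("deny", "ip", "0.0.0.0/0", "any"),
]

def acl_action(acl, proto, dst_ip, dst_port):
    """First-match evaluation of the constructed ACL, with an implicit deny at the end."""
    dst = ipaddress.ip_address(dst_ip)
    for action, p, net, port in acl:
        if p != "ip" and p != proto:
            continue
        if dst not in ipaddress.ip_network(net):
            continue
        if port != "any" and port != dst_port:
            continue
        return action
    return "deny"

def check_redirect_acl(acl, ise_ip=ISE_NODE_IP, dns_ip=DNS_SERVER_IP):
    """Return the findings for the two Step 3 checks; an empty list means the ACL is fine."""
    findings = []
    if acl_action(acl, "udp", dns_ip, 53) != "permit":
        findings.append("DNS not permitted: the portal hostname cannot be resolved")
    if acl_action(acl, "tcp", ise_ip, 8443) != "permit":
        findings.append(f"ISE node {ise_ip} not permitted on 8443: portal page cannot load")
    return findings
```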

2.4.3 Common issue 2


Problem description:
The user does not gain access to the network after logging in to the portal.
Action:
Step1 A possible cause is a Change of Authorization (CoA) failure.
Step2 Log in to the Wireless LAN Controller.
Step3 Go to Security > AAA > Authentication.
Step4 Select the RADIUS server.
Step5 Make sure CoA is enabled for all the RADIUS servers.
