FINAL REVIEW DRAFTCISCO CONFIDENTIAL

A P P E N D I X

Troubleshooting Cisco ISE

This appendix addresses several categories of troubleshooting information related to identifying and
resolving problems you may experience using Cisco ISE.

Installation and Network Connection Issues, page C-2

Licensing and Administrator Access, page C-12

Configuration and Operation (Including High Availability), page C-13

External Authentication Sources, page C-16

Client Access, Authentication, and Authorization, page C-21

Error Messages, page C-34

Troubleshooting APIs, page C-38

Contacting the Cisco Technical Assistance Center, page C-38

Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

OL-22972-01

C-1

Appendix C

Troubleshooting Cisco ISE

Installation and Network Connection Issues

FINAL REVIEW DRAFTCISCO CONFIDENTIAL

Installation and Network Connection Issues

If you believe you are experiencing hardware-related complications, first verify the following on all of
your deployed Cisco ISE nodes:

The external power cable is connected, and the proper power source is being applied.

The external cables connecting the appliance to the network are all secure and in good order.

The appliance fan and blower are operating.

Inadequate ventilation, blocked air circulation, excessive dust or dirt, fan failures, or any
environmental conditions that might affect the power or cooling systems.

The appliance software boots successfully.

The adapter cards (if installed) are properly installed in their slots, and each card initializes (and is
enabled by the appliance software) without problems. Check status LEDs on the adapter card that
can aid you identifying a potential problem.

For more information on Cisco ISE hardware installation and operational troubleshooting, including
power and cooling requirements and LED behavior, see the Cisco Identity Services Engine Hardware
Installation Guide, Release 1.0.
Tip

For issues regarding potential Network Access Device (NAD) configuration issues including AAA,
RADIUS, Profiler, and Web Authentication, you can perform a number of validation analyses using
Cisco ISEs Monitor > Troubleshoot > Diagnostic Tools > General Tools > Evaluate
Configuration Validator options.
Current Installation and Network Connection Troubleshooting Topics

Unknown Network Device, page C-3

No Default ACL, page C-3

Bad SNMP Community String, page C-4

Change of Authorization Misconfigured, page C-5

No VLANs, page C-6

No IP HTTP Server/Secure Server, page C-7

No IP DHCP Snooping, page C-7

No IP Device Tracking, page C-8

No RADIUS-Server VSA Send Accounting, page C-9

Cisco ISE Deployed as Inline Posture Node Not Passing Traffic, page C-9

Registered Nodes in Cisco ISE Managed List Following Stand-Alone Reinstallation, page C-10

Primary and Secondary Inline Posture Nodes Heartbeat Link Not Working, page C-10

Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

C-2

OL-22972-01

Appendix C

Troubleshooting Cisco ISE

Installation and Network Connection Issues

FINAL REVIEW DRAFTCISCO CONFIDENTIAL

Unknown Network Device

Still requires TME input
Symptoms/Issue

What are the common errors/obstacles the user encounters?

Tests user can perform to see if they are experiencing a common
issue?

Conditions

Click the magnifying glass icon in Livelog to display the steps in the Authentication
Report. The logs display the following error message:
11007 Could not locate Network Device or AAA Client Resolution

Possible Causes

The administrator did not correctly configure the Network Access Device (NAD)
type in Cisco ISE.

Resolution

Add the Network Access Device in Cisco ISE.

No Default ACL
Still requires TME input
Symptoms/Issue

What are the common errors/obstacles the user encounters?

Tests user can perform to see if they are experiencing a common
issue?

Conditions

Click on Livelog's magnifying glass to launch the Authentication Details. The

session event section of the authentication report should have the following lines

%AUTHMGR-5-FAIL: Authorization failed for client (001b.a912.3782) on

Interface Gi0/3 AuditSessionID 0A000A760000008D4C69994E

%EPM-4-POLICY_APP_FAILURE REASON Interface ACL not configured

Possible Causes

No default ACL is configured for the port in question

Resolution

You can go through the troubleshooting workflow for the authentication, which
compares the Cisco ISE configuration with authentication responses for the ACL that
RADIUS sends back to the switch, and compare them to the switch message
database. (This process includes looking at sh ip access-lists, show run, and
check ip access-group of the port.)
For example, you could see the following Logging Configuration (global) details:

Mandatory Expected Configuration Found On Device

logging monitor informational Missing

logging origin-id ip Missing

logging source-interface <interface_id> Missing

logging <syslog_server_IP_address_x> transport udp port 20514 Missing

Note

Note: Ensure the network device is sending syslog messages to the

Monitoring and Troubleshooting server port 20514.

Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

OL-22972-01

C-3

Appendix C

Troubleshooting Cisco ISE

Installation and Network Connection Issues

FINAL REVIEW DRAFTCISCO CONFIDENTIAL

Note

Missing ip access-config is one of the checks done by the NAD config validator (which checks
readiness for NPF1.x-SAS) that users can run to check NAD config.

Bad SNMP Community String

Still requires TME input
Symptoms/Issue

Conditions

What are the common errors/obstacles the user encounters?

Tests user can perform to see if they are experiencing a common
issue?
(This needs input from Inline Posture team to indicate impact to
Inline Posture and what is indicate on Monitoring persona)
Cisco ISE checks the monitoring and troubleshooting configuration validator
workflow for this potential situation. Go to Monitoring > Troubleshooting >
General Tools > Profiler Configuration (global) details where you may see the
following:

Mandatory Expected Configuration Found On Device

snmp-server community <snmp_ro_string> -- RO snmp-server community

profiler RO

snmp-server community <snmp_ro_string> -- RW snmp-server community

public RW

snmp-server enable traps snmp authentication linkdown linkup coldstart

warmstart -- snmp-server enable traps snmp authentication linkdown linkup
coldstart warmstart

snmp-server host <snmp_host1> public -- Missing

snmp-server host <snmp_host1> public mac-notification snmp -- Missing

mac address-table notification change -- mac address-table notification change

mac address-table notification change interval 0 -- Missing

Possible Causes

There could be an SNMP community string mismatch between Cisco ISE and the
remote node.

Resolution

One or more answers to the problem that the user should try to
help solve it.

Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

C-4

OL-22972-01

Appendix C

Troubleshooting Cisco ISE

Installation and Network Connection Issues

FINAL REVIEW DRAFTCISCO CONFIDENTIAL

Change of Authorization Misconfigured

Still requires TME input
Symptoms/Issue

What are the common errors/obstacles the user encounters?

Tests user can perform to see if they are experiencing a common
issue?

Conditions

Cisco ISE uses port 1799 for communicating RADIUS Change of Authorization
(CoA) requests to supported network devices.

aaa server radius dynamic-author

port 3799

server-key cisco123

Engineering: Does ISE require port 1700 or 3799 for CoA? Is it

configurable?
This scenario needs to be checked by the Monitoring and
Troubleshooting configuration validator for the specific
information indicated above.
Possible Causes

The remote node may be missing the commands, have the wrong port (1799 vs.
3900) or have the wrong/mistyped key.

Resolution

One or more answers to the problem that the user should try to
help solve it.

Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

OL-22972-01

C-5

Appendix C

Troubleshooting Cisco ISE

Installation and Network Connection Issues

FINAL REVIEW DRAFTCISCO CONFIDENTIAL

No VLANs
Still requires TME input
Symptoms/Issue

What are the common errors/obstacles the user encounters?

Tests user can perform to see if they are experiencing a common
issue?

Conditions

Click on the magnifying glass icon in Livelog to launch the Authentication Details.
The session event section of the authentication report should have the following
lines:

%AUTHMGR-5-FAIL: Authorization failed for client (001b.a912.3782) on

Interface Gi0/3 AuditSessionID 0A000A760000008D4C69994E

%DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND: Attempt to assign

non-existent or shutdown VLAN 666 to 802.1x port FastEthernet1/9

You can also run the troubleshooting workflow for the authentication, which
compares the ISE config and authentication log for the ACL that RADIUS responses
to the switch with the switch message database. Logging Configuration (global)
details may be displayed:

Mandatory Expected Configuration Found On Device

logging monitor informational Missing

logging origin-id ip Missing

logging source-interface <interface_id> Missing

logging <syslog_server_IP_address_x> transport udp port 20514 Missing

Note

The network device must send syslog messages to the ISE Monitoring and
troubleshooting server port 20514.

Possible Causes

The switch is missing (or contains the incorrect) name and numbers on the switch.

Resolution

One or more answers to the problem that the user should try to
help solve it.

Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

C-6

OL-22972-01

Appendix C

Troubleshooting Cisco ISE

Installation and Network Connection Issues

FINAL REVIEW DRAFTCISCO CONFIDENTIAL

No IP HTTP Server/Secure Server

Still requires TME input
Symptoms/Issue

What are the common errors/obstacles the user encounters?

Tests user can perform to see if they are experiencing a common
issue?

Conditions

The monitoring and troubleshooting configuration validator is designed to catch this.

The Web Authentication Configuration (global) details may display something like
the following:

Mandatory Expected Configuration Found On Device

aaa authorization auth-proxy default group <radius_group> aaa authorization

auth-proxy default group radius

aaa accounting auth-proxy default start-stop group <radius_group> Missing

ip admission name <word> proxy http inactivity-time 60 Missing fallback

profile <WORD>

ip access-group <WORD> in

ip admission <WORD> Missing

ip http server ip http server

ip http secure-server ip http secure-server

Possible Causes

The switch is missing the 'ip http server' command.

Resolution

One or more answers to the problem that the user should try to
help solve it.

No IP DHCP Snooping
Still requires TME input
Symptoms/Issue

Conditions

What are the common errors/obstacles the user encounters?

Tests user can perform to see if they are experiencing a common
issue?
(TBD - this needs to be update by the Profiler team)
This seems to be applicable to how well Profiler would scan, but the Monitoring and
Troubleshooting workflow also catches Device Discovery Configuration (global)
details like the following:

Mandatory Expected Configuration Found On Device

ip dhcp snooping vlan <Vlan_ID_for_DHCP_Snooping> ip dhcp snooping vlan

1-4096

no ip dhcp snooping information option Missing

ip dhcp snooping ip dhcp snooping

ip device tracking ip device tracking

Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

OL-22972-01

C-7

Appendix C

Troubleshooting Cisco ISE

Installation and Network Connection Issues

FINAL REVIEW DRAFTCISCO CONFIDENTIAL

Possible Causes

The switch is missing the ip dhcp snooping command.

Resolution

One or more answers to the problem that the user should try to
help solve it.

No IP Device Tracking
Still requires TME input
Symptoms/Issue

Conditions

What are the common errors/obstacles the user encounters?

Tests user can perform to see if they are experiencing a common
issue?
(TBD - this needs to be updated by the Profiler team)
This seems to be applicable to how well Profiler would scan, but the Monitoring and
Troubleshooting workflow also catches this.
The Device Discovery Configuration (global) details may reveal the following:

Mandatory Expected Configuration Found On Device

ip dhcp snooping vlan <Vlan_ID_for_DHCP_Snooping> ip dhcp snooping vlan

1-4096

no ip dhcp snooping information option Missing

ip dhcp snooping ip dhcp snooping

ip device tracking ip device tracking

Possible Causes

The associated switch is missing the 'ip device tracking' command.

Resolution

One or more answers to the problem that the user should try to
help solve it.

Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

C-8

OL-22972-01

Appendix C

Troubleshooting Cisco ISE

Installation and Network Connection Issues

FINAL REVIEW DRAFTCISCO CONFIDENTIAL

No RADIUS-Server VSA Send Accounting

Still requires TME input
Symptoms/Issue

What are the common errors/obstacles the user encounters?

Tests user can perform to see if they are experiencing a common
issue?

Conditions

Click on Livelogs magnifying glass to launch the Authentication Details. The

session event section of the authentication report should show the accounting events,
click on the accounting events would show that audit-session-id fields are blank
because the VSA are blocked and no cisco-av-pair=audit-session-id are sent from the
switch. The same can be done by running the Accounting report for the day - all
audit-session-id fields would be blank.
Note

This issue is reported by the Monitoring and Troubleshooting configuration

validator's RADIUS Configuration (global) details.
Mandatory Expected Configuration Found On Device
radius-server attribute 6 support-multiple Missing
radius-server attribute 8 include-in-access-req radius-server attribute 8

include-in-access-req
radius-server host <radius_ip_address1> auth-port 1812 acct-port 1813

key <radius_key> Missing

radius-server vsa send accounting radius-server vsa send accounting
radius-server vsa send authentication radius-server vsa send authentication

Possible Causes

Switch is missing the radius-server vsa send accounting command.

Resolution

One or more answers to the problem that the user should try to
help solve it.

Cisco ISE Deployed as Inline Posture Node Not Passing Traffic

Still requires TME input
Symptoms/Issue

Network traffic not traversing network segment where the Inline Posture node is
installed.

Conditions

This issue can affect any Cisco ISE that has been deployed as an Inline Posture node
to interoperate with another network device (like a WLC and/or VPN concentrator).

Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

OL-22972-01

C-9

Appendix C

Troubleshooting Cisco ISE

Installation and Network Connection Issues

FINAL REVIEW DRAFTCISCO CONFIDENTIAL

Possible Causes
Resolution

What are the possible causes for the issue that the user can focus
upon for resolution?
1.

Use the tcpdump command in the Inline Posture node CLI or from the
administrator user interface at Monitor > Troubleshoot > Diagnostic Tools >
General Tools > TCP Dump to verify whether or not the Inline Posture node is
receiving and forwarding traffic as required for your network.

2.

If the TCP dump operation indicates that the Inline Posture node is working as
configured, verify other adjacent network components.

Registered Nodes in Cisco ISE Managed List Following Stand-Alone

Reinstallation
Final
Symptoms/Issue

Cisco ISE administrator user interface displaying Policy Service persona host name
and configuration info when reimaged and installed as a new stand-alone Cisco ISE
node.

Conditions

Cisco ISE previously deployed as an Administration persona managing one or more

associated Policy Service personas.

Possible Causes

If the Policy Service personas are still configured to send syslog updates to the
Administration persona as it was originally set up, node information is learned when
the Administration persona receives syslog messages and that information is likely
used to populate the system summary page on the Administration persona.

Resolution

If you have not deregistered the Policy Service persona from the Cisco ISE node,
reconfigure the Policy Service persona so that it sends syslog messages to itself,
rather than the Cisco ISE node and restart the Policy Service machine.
Note

If you unregister any associated Policy Service personas before reinstalling

the Cisco ISE software and reconfiguring the Administration persona, the
Policy Service personas will operate in stand-alone mode and will not
transmit the erroneous syslog updates.

Primary and Secondary Inline Posture Nodes Heartbeat Link Not Working
Final
Symptoms/Issue

Two Inline Posture nodes deployed as high availability peers appear dead to one
another.

Conditions

Two Inline Posture nodes deployed in a collocated high availability (HA)

Deployment.

Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

C-10

OL-22972-01

Appendix C

Troubleshooting Cisco ISE

Installation and Network Connection Issues

FINAL REVIEW DRAFTCISCO CONFIDENTIAL

Possible Causes

If the eth2 and eth3 interfaces on the Inline Posture nodes are not connected, both
nodes will act as though the other node in the deployment has experienced some sort
of failure.

Resolution

Ensure you have connected the eth2 and eth3 interfaces of the peer Inline Posture
nodes via a crossover cable to provide a dedicated heartbeat interface between the
two.

Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

OL-22972-01

C-11

Appendix C

Troubleshooting Cisco ISE

Licensing and Administrator Access

FINAL REVIEW DRAFTCISCO CONFIDENTIAL

Licensing and Administrator Access

Certificate Expired, page C-12

Certificate Expired
Still requires TME input
Symptoms/Issue

Alarm within 30 days of expiration.

Conditions

What else?
What is the environment? Configuration settings? OS
types/versions?

Possible Causes

Cisco ISE certificate is about to expire or has expired.

Resolution

One or more answers to the problem that the user should try to
help solve it.

Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

C-12

OL-22972-01

Appendix C

Troubleshooting Cisco ISE

Configuration and Operation (Including High Availability)

FINAL REVIEW DRAFTCISCO CONFIDENTIAL

Configuration and Operation (Including High Availability)

Bad dACL Syntax, page C-13

Bad URL, page C-13

Cannot Download Remote Client Provisioning Resources, page C-14

Lost Monitoring and Troubleshooting Data After Registering Policy Service Persona to
Administration Persona, page C-14

Cisco ISE Monitoring Dashlets Not Visible with Internet Explorer 8, page C-14

Bad dACL Syntax

Still requires TME input
Symptoms/Issue

Conditions

What are the common errors/obstacles the user encounters?

Tests user can perform to see if they are experiencing a common
issue?
1.

Click the magnifying glass icon in Livelog for the specific dACL to launch the
Authentication Details. The content of the ACL should reveal one or more bad
characters.

2.

Click on Livelogs magnifying glass to launch the Authentication Details. The

session event section of the authentication report should have the following line:
%EPM-4-POLICY_APP_FAILURE: IP 0.0.0.0| MAC 0002.b3e9.c926|
AuditSessionID 0A0002010000239039837B18| AUTHTYPE DOT1X| POLICY_TYPE
Named ACL| POLICY_NAME xACSACLx-IP-acl_access-4918c248| RESULT
FAILURE| REASON Interface ACL not configured

Possible Causes

What are the possible causes for the issue that the user can focus
upon for resolution?

Resolution

Configure ISE dACL as permit up any fany

Bad URL
Still requires TME input
Symptoms/Issue

What are the common errors/obstacles the user encounters?

Tests user can perform to see if they are experiencing a common
issue?

Conditions

Click the magnifying glass icon in Livelog to launch the Authentication Details. The
authentication report should have the redirect URL in the RADIUS response section
as well as the session event section (which displays the switch syslog messages).

Possible Causes

Redirection URL is mistyped with invalid syntax or missing path component.

Resolution

One or more answers to the problem that the user should try to
help solve it.

Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

OL-22972-01

C-13

Appendix C

Troubleshooting Cisco ISE

Configuration and Operation (Including High Availability)

FINAL REVIEW DRAFTCISCO CONFIDENTIAL

Cannot Download Remote Client Provisioning Resources

Final
Symptoms/Issue

Administrator receives one or more java.net.NoRouteToHostException: No route to

host error messages when trying to download client provisioning resources.

Conditions

This issue applies to any Cisco ISE connected to an external client provisioning
resource store.

Possible Causes

Your internet connection may not be working properly or reliably.

Resolution

Verify your internet connection settings.

Ensure you have configured the correct proxy settings in Cisco ISE at
Administration > System > Settings > Proxy.

Lost Monitoring and Troubleshooting Data After Registering Policy Service

Persona to Administration Persona
Final
Symptoms/Issue

The known collection of profiled endpoints is not visible on the secondary Policy
Service persona when it is registered to the original (primary) Administration
persona.

Conditions

This issue can come up in a deployment where you register a new additional Policy
Service persona to what has been, until the moment of registration, a stand-alone
Cisco ISE node with a large store of known and profiled endpoints.

Possible Causes

Because of it's potentially huge size, monitoring and troubleshooting data is not
replicated between two nodes when the new node is registered to the original
stand-alone Cisco ISE node. Cisco does not replicate a data store that could
conceivably be gigabytes in size as it could impact network connectivity in a
deployment environment.

Resolution

Ensure you export monitoring and troubleshooting information prior to registering

the new Policy Service persona to the formerly stand-alone Cisco ISE.

Cisco ISE Monitoring Dashlets Not Visible with Internet Explorer 8

Final
Symptoms/Issue

Administrator sees one or more There is a problem with this website's security
certificate. messages after clicking on the dashlets in the Cisco ISE monitoring
portal.

Conditions

This issue is specific to Internet Explorer 8. (This issue has not been observed using
Mozilla Firefox.)

Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

C-14

OL-22972-01

Appendix C

Troubleshooting Cisco ISE

Configuration and Operation (Including High Availability)

FINAL REVIEW DRAFTCISCO CONFIDENTIAL

Possible Causes

The security certificate for the Internet Explorer 8 browser connection is invalid or
expired.

Resolution

Re-import a valid security certificate to view the dashlets appropriately using

Internet Explorer 8.

Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

OL-22972-01

C-15

Appendix C

Troubleshooting Cisco ISE

External Authentication Sources

FINAL REVIEW DRAFTCISCO CONFIDENTIAL

External Authentication Sources

Bad RADIUS Key, page C-16

Missing User for RADIUS-Server Test User Name in Cisco ISE Identities, page C-16

Missing Password Configuration for RADIUS-Server Test User Name on Switch, page C-17

Active Directory Disconnected, page C-17

Active Directory Account Password Change, page C-17

Active Directory Account Password Expiration, page C-18

RADIUS Server Error Message Entries Appearing in Cisco ISE, page C-18

RADIUS Server Connectivity Issues (No Error Message Entries Appearing in Cisco ISE),
page C-19

Bad RADIUS Key

Still requires TME input
Symptoms/Issue

Authentication livelog/report failure reason: Authentication failed : 22040 Wrong

password or invalid shared secret

Conditions

Click the magnifying glass icon in Livelog to view the steps in Authentication Report
that read:

Possible Causes
Resolution

24210 Looking up User in Internal Users IDStore - test-radius

24212 Found User in Internal Users IDStore

22040 Wrong password or invalid shared secret

What are the possible causes for the issue that the user can focus
upon for resolution?
One or more answers to the problem that the user should try to
help solve it.

Missing User for RADIUS-Server Test User Name in Cisco ISE Identities
Still requires TME input
Symptoms/Issue

Authentication livelog/report failure reason: Authentication failed : 22056 Subject

not found in the applicable identity store(s)

Conditions

Click the magnifying glass icon in Livelog to view the steps in Authentication Report
that read: 24210 Looking up User in Internal Users IDStore - test-radius

24216 The user is not found in the internal users identity store

22056 Subject not found in the applicable identity store(s)

Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

C-16

OL-22972-01

Appendix C

Troubleshooting Cisco ISE

External Authentication Sources

FINAL REVIEW DRAFTCISCO CONFIDENTIAL

Possible Causes

The administrator did not configure test user name on ISE, but on switch user has
radius-server test username config.

Resolution

One or more answers to the problem that the user should try to
help solve it.

Missing Password Configuration for RADIUS-Server Test User Name on Switch

Still requires TME input
Symptoms/Issue

Authentication livelog/report failure reason: Authentication failed : 22040 Wrong

password or invalid shared secret

Conditions

Click the magnifying glass icon in Livelog to view the steps in Authentication Report
that read:

24210 Looking up User in Internal Users IDStore - test-radius

24212 Found User in Internal Users IDStore

22040 Wrong password or invalid shared secret

Possible Causes

Administrator did not configure a password on the IOS/CAT switch

Resolution

One or more answers to the problem that the user should try to
help solve it.

Active Directory Disconnected

Still requires TME input
Symptoms/Issue

Cisco ISE's connection to the Active Directory server has been terminated.

Conditions

What is the environment? Configuration settings? OS

types/versions?

Possible Causes

This scenario is most commonly caused by clock drift due to not syncing time via
NTP on VMware.

Resolution

Shut down or pause your Active Directory server and try to authenticate an Employee
to the network.

Active Directory Account Password Change

Still requires TME input
Symptoms/Issue

This scenario is indicated by an Authentication Report failure entry.

Conditions

What is the environment? Configuration settings? OS

types/versions?

Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

OL-22972-01

C-17

Appendix C

Troubleshooting Cisco ISE

External Authentication Sources

FINAL REVIEW DRAFTCISCO CONFIDENTIAL

Possible Causes

What are the possible causes for the issue that the user can focus
upon for resolution?

Resolution

Administrator account used to join the remote nodes to the AD domain must change
his password.

Active Directory Account Password Expiration

Still requires TME input
Symptoms/Issue

This scenario is indicated by an Authentication Report failure entry.

Conditions

What is the environment? Configuration settings? OS

types/versions?

Possible Causes

Administrator account used to join the remote nodes to the AD domain has an
expired password.

Resolution

One or more answers to the problem that the user should try to
help solve it

RADIUS Server Error Message Entries Appearing in Cisco ISE

Still requires QA validation
Symptoms/Issue
Conditions

Unsuccessful RADIUS and/or AAA functions on Cisco ISE

Error messages in the Monitor > Authentication event entries

This is applicable in a system where Cisco ISE is configured to perform user

authentication via an external RADIUS server on the network.

Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

C-18

OL-22972-01

Appendix C

Troubleshooting Cisco ISE

External Authentication Sources

FINAL REVIEW DRAFTCISCO CONFIDENTIAL

Possible Causes

Resolution

The following are possible causes for losing connectivity with the RADIUS server:

Subject not found in applicable identity store(s)

Wrong password or invalid shared secret

Could not locate network device or AAA client

Check the Cisco ISE dashboard (Monitor > Authentications) for any indication
regarding the nature of RADIUS communication loss. (Look for instances of your
specified RADIUS user name and scan the system messages associated with any
error message entries.)
Log in to the Cisco ISE command line interface and enter the following command to
produce RADIUS attribute output that may aid debugging connection issues:
test aaa group radius <user name> <password> new-code
If this test command is successful, you should see the following attributes:

Connect port

Connect NAD IP address

Connect Policy Service IP address

Correct server key

Recognized user name/password

Connectivity between the NAD and Policy Service persona

You can also use this command to help narrow the focus of the potential problem
with RADIUS communication by deliberately specifying incorrect parameter values
in the command line and then returning to the administrator dashboard (Monitor >
Authentications) to view the type and frequency of error message entries resulting
from the incorrect command line. For example, to test whether or not user credentials
may be the source of the problem, enter a user name and or password you know is
incorrect then go look for error message entries pertinent that user name in the
Monitor > Authentications page to see what Cisco ISE is reporting.)
Note

This command does not validate that the NAD is configured to use RADIUS,
nor does it verify whether or not the NAD is configured to use the new AAA
model.

RADIUS Server Connectivity Issues (No Error Message Entries Appearing in

Cisco ISE)
Still requires QA validation
Symptoms/Issue
Conditions

Unsuccessful RADIUS and/or AAA functions on Cisco ISE

The NAD is not able to ping the Policy Service persona

This is applicable in a system where Cisco ISE is configured to perform user

authentication via an external RADIUS server on the network.

Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

OL-22972-01

C-19

Appendix C

Troubleshooting Cisco ISE

External Authentication Sources

FINAL REVIEW DRAFTCISCO CONFIDENTIAL

Possible Causes

Resolution

The following are possible causes for losing connectivity with the RADIUS server:

Network connectivity issue(s)

Bad server IP address

Bad server port

If you are not able to ping the Policy Service persona from the NAD:

Verify the NAD IP address

Try using Traceroute and other appropriate sniffer-type tools to isolate the
source of disconnection. (In a production environment, be cautious of overusing
debug functions, as they commonly consume large amounts of available
bandwidth and CPU, which can impact normal network operation.)

Check the Cisco ISE TCP Dump report for the given Policy Service persona to see
if there are any indications.

Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

C-20

OL-22972-01

Appendix C

Troubleshooting Cisco ISE

Client Access, Authentication, and Authorization

FINAL REVIEW DRAFTCISCO CONFIDENTIAL

Client Access, Authentication, and Authorization

Can't Authenticate on Profiled Endpoint, page C-21

Quarantined Endpoints Do Not Renew Authentication Following Policy Change, page C-22

Endpoint Does Not Align to the Expected Profile, page C-23

User Name From Supplicant Does Not Match the Identity Store, page C-24

Untrusted Certificate, page C-25

802.1X Authentication Fails, page C-26

Users Are Reporting Unexpected Network Access Issues, page C-26

Authorization Policy Not Working, page C-27

Switch is Dropping Active AAA Sessions, page C-28

URL Redirection on Client Machine Fails, page C-29

Agent Download Issues on Client Machine, page C-31

Agent Login Dialog Not Appearing, page C-32

Agent Fails to Initiate Posture Assessment, page C-32

NAC Agent Displays Temporary Access, page C-33

Cisco ISE Does Not Issue Change of Authorization Following Authentication, page C-33

Can't Authenticate on Profiled Endpoint

Final
Symptoms/Issue

Conditions

The IP phone got profiled but is not authorized properly and hence is not
enforced to voice VLAN.

The IP phone got profiled and authorized properly, but is not assigned to the
specified voice VLAN.

The endpoint has been successfully profiled in Cisco ISE, but user
authentication fails.

The administrator will see the Authentications Log Error message: 22056 Subject
not found in the applicable identity store(s) containing the following entries:

24210 Looking up User in Internal Users IDStore - 00:03:E3:2A:21:4A

24216 The user is not found in the internal users identity store

22056 Subject not found in the applicable identity store(s)

Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

OL-22972-01

C-21

Appendix C

Troubleshooting Cisco ISE

Client Access, Authentication, and Authorization

FINAL REVIEW DRAFTCISCO CONFIDENTIAL

Possible Causes

Resolution

This could be either a MAB or 802.1X authentication issue.

The authorization profile could be missing the Cisco

av-pair=device-traffic-class=voice attribute. (As a result, the switch does not
recognize the traffic on the voice VLAN.

The administrator did not add the endpoint as static identity, or did not allow an
unregistered endpoint to pass (create a policy rule to
Continue/Continue/Continue upon failure).

Verify that the Authorization Policy is framed properly for groups and
conditions, and check to see whether the IP phone is profiled as an IP phone
or as a Cisco-device.

Verify the switch port configuration for multi-domain and voice VLAN
configuration.

Add the continue/continue/continue to allow endpoint to pass:

a. Navigate to Policy > Policy Elements > Configurations and select

Allowed Protocol Services to create a Protocol Policy. MAC

authentications use PAP/ASCII and EAP-MD5 protocols. Enable the
following MAB_Protocols settings:
Process Host Lookup
PAP/ASCII
Detect PAP as Host Lookup
EAP-MD5
Detect EAP-MD5 as Host Lookup
b. From the main menu, go to Policy > Authentication.
c. Change the authentication method from Simple to Rule-Based
d. Use the gear icon to create new Authentication Method entries for MAB:
Name: MAB
Condition: IF MAB RADIUS:Service-Type == Call Check
Protocols: allow protocols MAB_Protocols and use
Identity Source: Internal
Hosts: Continue/Continue/Continue

Quarantined Endpoints Do Not Renew Authentication Following Policy Change

Final
Symptoms/Issue

Livelog has failed authentication following policy change or additional identity and
no re-authentication is taking place. The endpoint in question remains unable to
connect and/or authentication fails.

Conditions

This issue often occurs on client machines that are failing posture assessment per the
posture policy assigned to the user role.

Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

C-22

OL-22972-01

Appendix C

Troubleshooting Cisco ISE

Client Access, Authentication, and Authorization

FINAL REVIEW DRAFTCISCO CONFIDENTIAL

Note

Possible Causes

The authentication timer may not be set correctly on the client machine, or the
authentication interval may not be set correctly on the switch.

Resolution

There are a few of possible resolutions for this issue:

1.

Check the Session Status Summary report in Cisco ISE for the specified
Network Access Device (NAD)/switch, and ensure that the interface has the
appropriate authentication interval configured.

2.

Enter show running configuration on the NAD/switch and ensure that the
interface is configured with an appropriate authentication timer restart setting.
(For example, authentication timer restart 15, and authentication timer
reauthenticate 15.)

3.

Try entering interface shutdown and no shutdown to bounce the port on the
NAD/switch and force reauthentication following a potential configuration
change in Cisco ISE.

Since CoA requires a MAC address/Session ID, Cisco recommends that you do not bounce the port
shown in the Network Device SNMP report.

Endpoint Does Not Align to the Expected Profile

Final
Symptoms/Issue

An IP Phone is plugged in and the profile appears as a Cisco-Device.

Conditions

Launch the Endpoint Profiler/Endpoint Profiler Summary report and click Details
for the MAC address corresponding to the profiled endpoint in question.

Possible Causes

Resolution

There could be an SNMP configuration issue on Cisco ISE, the switch, or both.

The profile is likely not configured correctly, or contains the MAC address of
the endpoint already.

Verify the SNMP version configuration on both Cisco ISE and the switch for
SNMP trap and SNMP server settings.

The Profiler profile needs to be updated. Go to the Policy > Profiling >
Profiling Policies configuration page in Cisco ISE and manually map this
endpoint to that profile.

Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

OL-22972-01

C-23

Appendix C

Troubleshooting Cisco ISE

Client Access, Authentication, and Authorization

FINAL REVIEW DRAFTCISCO CONFIDENTIAL

User Name From Supplicant Does Not Match the Identity Store
Still requires TME input
Symptoms/Issue

User cannot authenticate from supplicant.

Conditions

Authentication livelog/report failure reason: Authentication failed : 22056 Subject

not found in the applicable identity store(s)
Click the magnifying glass in Livelog to launch the Authentication report that
displays the following:

24210 Looking up User in Internal Users IDStore ACSXP-SUPP2\Administrator

24216 The user is not found in the internal users identity store

Possible Causes

What are the possible causes for the issue that the user can focus
upon for resolution?

Resolution

Ensure user in the name given in steps is in identity store.

Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

C-24

OL-22972-01

Appendix C

Troubleshooting Cisco ISE

Client Access, Authentication, and Authorization

FINAL REVIEW DRAFTCISCO CONFIDENTIAL

Untrusted Certificate
Still requires TME input
Symptoms/Issue

What are the common errors/obstacles the user encounters?

Tests user can perform to see if they are experiencing a common
issue?

Conditions

Possible authentication livelog/report failure reasons:

Authentication failed : 11514 Unexpectedly received empty TLS message;

treating as a rejection by the client

Authentication failed : 12153 EAP-FAST failed SSL/TLS handshake because

the client rejected the ISE local-certificate

Click the magnifying glass icon from Livelog to display the following output in the
Authentication Report:

12305 Prepared EAP-Request with another PEAP challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12304 Extracted EAP-Response containing PEAP challenge-response

11514 Unexpectedly received empty TLS message; treating as a rejection by the

client

12512 Treat the unexpected TLS acknowledge message as a rejection from the
client

11504 Prepared EAP-Failure

11003 Returned RADIUS Access-Reject

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12104 Extracted EAP-Response containing EAP-FAST challenge-response

12815 Extracted TLS Alert message

12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE
local-certificate

11504 Prepared EAP-Failure

11003 Returned RADIUS Access-Reject

Note

This is an indication that the client does not have or trust the ISE certificates.

Possible Causes

The client machine is configured to validate the remote node/server certificate, but
is not configured to trust the Cisco ISE certificate.

Resolution

One or more answers to the problem that the user should try to
help solve it.

Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

OL-22972-01

C-25

Appendix C

Troubleshooting Cisco ISE

Client Access, Authentication, and Authorization

FINAL REVIEW DRAFTCISCO CONFIDENTIAL

802.1X Authentication Fails

Final

Note

Symptoms/Issue

The user logging in via the client machine sees an error message from the supplicant
indicating that 802.1X authentication has failed.

Conditions

Troubleshooting Steps:
1.

Navigate to Monitor > Authentications.

2.

Look for Failure reason.

Possible Causes

Look for the details of the failed authentication record and click on the failure reason
link under details, resolution for the authentication. The failure reason should be
listed.

Resolution

Correct the failure reason per the findings defined in the Possible Causes.

If Authentication fails and there are no Livelog entries to search (assuming monitoring and
troubleshooting is running properly):
1.

Ensure the RADIUS server configuration on the switch is pointing to Cisco ISE.

2.

Check network connectivity between the switch and Cisco ISE.

3.

Verify that the Policy Service persona is running on Cisco ISE to ensure it can receive RADIUS
requests.

Users Are Reporting Unexpected Network Access Issues

Final
Symptoms/Issue

Conditions

Several symptoms for this issue could be taking place, including the following:

Users are being asked to download an Agent other than what they expect.

Users who should have full network access are only allowed limited Network
Access.

Although users are passing posture assessment, they are not getting the
appropriate level of network access.

Users who should be allowed into the corporate (Access) VLAN are being left
in the Authentication VLAN following authentication.

Any user who has successfully authenticated, but is not able to get access they
expect.

Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

C-26

OL-22972-01

Appendix C

Troubleshooting Cisco ISE

Client Access, Authentication, and Authorization

FINAL REVIEW DRAFTCISCO CONFIDENTIAL

Possible Causes

Resolution

The administrator may not have specified the correct authorization profile.

The administrator did not define the policy conditions appropriate for the user
access level.

The authorization profile, itself, might not have been framed properly.

Ensure that the Identity Group Conditions are defined appropriately to support the
authorization profile required for the user groups in question.
1.

Navigate to Monitor > Authentication.

2.

Look for The Identity Group to which the user belongs.

3.

Look at the Authorization Profile selected for that Identity Group.

4.

Navigate to Policy > Authorization and verify that the correct rule is matching
for that Identity Group.

5.

If not, debug for the reason why the correct Authorization Policy is not
matching.

Authorization Policy Not Working

Final
Symptoms/Issue

The authorization policy specified by the administrator is the correct one, but the
endpoint is not receiving the configured VLAN IP.

Conditions

This issue applies to standard user authorization sessions in a wired environment.

Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

OL-22972-01

C-27

Appendix C

Troubleshooting Cisco ISE

Client Access, Authentication, and Authorization

FINAL REVIEW DRAFTCISCO CONFIDENTIAL

Possible Causes
Resolution

The pre-authorization ACL could be blocking DHCP traffic.

Ensure the IOS release on the switch is equal to or more recent than 12.2.(53)SE.

Ensure that the Identity Group Conditions are defined appropriately.

Check for client machine port VLAN using show vlan on the access switch. If
the port is not showing the correct authorization profile VLAN, ensure that
VLAN enforcement is proper to reach out DHCP server. If the VLAN is correct,
the pre-authorization ACL could be blocking DHCP traffic. Ensure the
pre-authorization DACL is as follows:
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
remark ping
permit icmp any any
permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
permit tcp any host 80.0.80.2 eq www
permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal
port
permit tcp any host 80.0.80.2 eq 8905 --> This is for posture
communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8905 --> This is for posture
communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8906 --> This is for posture
communication between NAC agent and ISE (Swiss ports)
deny ip any any

Ensure the session is created on the switch by entering show epm session
summary. If the IP address of the session shown is not available, ensure the
following configuration lines appear on the switch:
ip dhcp snooping vlan 30-100
ip device tracking

Switch is Dropping Active AAA Sessions

Final
Symptoms/Issue

802.1X and MAB authentication and authorization are successful, but the switch is
dropping active sessions and the epm session summary command does not display
any active sessions.

Conditions

This applies to user sessions that have logged in successfully and are then being
terminated by the switch.

Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

C-28

OL-22972-01

Appendix C

Troubleshooting Cisco ISE

Client Access, Authentication, and Authorization

FINAL REVIEW DRAFTCISCO CONFIDENTIAL

Possible Causes

Resolution

Pre-auth ACL not configured on NAD and DACL enforcement happening from
ISE for that session.

Pre-auth ACL is configured; DACL from ISE is downloaded to NAD; however

switch brings the session down.

If ISE enforces Pre-posture VLAN and does not enforce post-posture VLAN
then the session might be brought down.

Ensure the IOS release on the switch is equal to or more recent than 12.2.(53)SE.

Check to see whether or not the DACL name in Cisco ISE contains a blank space
(possibly around/near a hyphen/dash -). There should be no space in the
DACL name. Then ensure that DACL content is proper in syntax and no extra
spaces.

Ensure that following configuration exists on the switch to interpret the DACL
properly (if not enabled, the switch may terminate the session):
radius-server
radius-server
radius-server
radius-server
radius-server

attribute 6 on-for-login-auth
attribute 8 include-in-access-req
attribute 25 access-request include
vsa send accounting
vsa send authentication

URL Redirection on Client Machine Fails

Final
Symptoms/Issue

The URL redirection page in the client machine's browser does not correctly guide
the end user to the appropriate URL.

Conditions

This issue is most applicable to 802.1X authentication sessions requiring URL

redirection and Guest Centralized Web Authentication (CWA) login sessions.

Possible Causes

(There are multiple causes for this issue, please see Resolutions descriptions below
for explanation.)

Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

OL-22972-01

C-29

Appendix C

Troubleshooting Cisco ISE

Client Access, Authentication, and Authorization

FINAL REVIEW DRAFTCISCO CONFIDENTIAL

Resolution

The two Cisco av-pairs configured on the authorization profile should exactly
match the example below. (Note: DO NOT replace the ip with the actual ISE
IP address.)
url-redirect=https://ip:8443/guestportal/gateway?...lue&action=cpp
url-redirect-acl=ACL-WEBAUTH-REDIRECT (ensure that this ACL is

also defined on the access switch)

Ensure that URL redirect ACL, URL redirect av-pairs are applied to the session
by entering the show epm session ip <session ip> command on the switch.
(Where the session IP is the IP address that is passed to the client machine by
the DHCP server.)
Admission feature : DOT1X
AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
URL Redirect ACL : ACL-WEBAUTH-REDIRECT
URL Redirect :
https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A72
0000A45A2444BFC2&action=cpp

Ensure that the pre-posture assessment DACL enforced from the Cisco ISE
authorization profile Contains the following:
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
remark ping
permit icmp any any
permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
permit tcp any host 80.0.80.2 eq www --> Provides access to internet
permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal
port
permit tcp any host 80.0.80.2 eq 8905 --> This is for posture
communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8905 --> This is for posture
communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8906 --> This is for posture
communication between NAC agent and ISE (Swiss ports)
deny ip any any

Note

Ensure that the above URL Redirect has the proper Cisco ISE FQDN.

Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

C-30

OL-22972-01

Appendix C

Troubleshooting Cisco ISE

Client Access, Authentication, and Authorization

FINAL REVIEW DRAFTCISCO CONFIDENTIAL

Resolution
(continued)

Ensure that the ACL with name ACL-WEBAUTH_REDIRECT exists on the

switch as follows:
ip access-list extended ACL-WEBAUTH-REDIRECT
deny ip any host 80.0.80.2
permit ip any any

Ensure that the http and https servers are running on the switch:
ip http server
ip http secure-server

Ensure that, if the client machine employing any kind of personal firewall, it is
disabled.

Ensure that the client machine browser is not configured to use any proxies.

Verify connectivity between the client machine and the Cisco ISE IP address.

If Cisco ISE is deployed in a distributed environment, make sure that client

machines are aware of the Policy Service persona FQDN.

Ensure the Cisco ISE FQDN is resolved and reachable from the client machine.

Agent Download Issues on Client Machine

Final
Symptoms/Issue

Client machine browser displays a no policy matched error message after user
authentication and authorization.

Conditions

This issue applies to user sessions during the client provisioning phase of
authentication.

Possible Causes

The client provisioning resource policy could be missing required settings.

Resolution

Note

Ensure a client provisioning policy exists in Cisco ISE. If yes, verify the policy
identity group, conditions, and type of agent(s) defined in the policy. (Also
ensure whether or not there is any agent profile configured under Policy > Policy
Elements > Results > Client Provisioning > Resources > Add > Profile, even
a profile with all default values.)

Try re-authenticating the client machine by bouncing the port on the access
switch.

Remember that client provisioning agent installer download requires the following:

The user to allow an ActiveX installer the first time an agent is installed on the client machine (the
client provisioning download page prompts for this).

The client machine must have Internet access.

Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

OL-22972-01

C-31

Appendix C

Troubleshooting Cisco ISE

Client Access, Authentication, and Authorization

FINAL REVIEW DRAFTCISCO CONFIDENTIAL

Agent Login Dialog Not Appearing

Final
Symptoms/Issue

The agent login dialog does not appear to the user following client provisioning.

Conditions

This issue can generally take place during the posture assessment phase of any user
authentication session.

Possible Causes

(There are multiple possible causes for this type of issue. Please see the following
Resolution descriptions for details.)

Resolution

Ensure that the agent is running on the client machine.

Ensure the IOS release on the switch is equal to or more recent than 12.2.(53)SE.

Ensure that the discovery host address on the Cisco NAC agent or Mac OS X
agent is pointing to the Cisco ISE FQDN. (Right-click on the NAC agent icon,
go to Properties, and check the discovery host.)

Ensure that the access switch allows Swiss communication (TCP and UDP)
between Cisco ISE and end client machine. Limited access ACL applied for the
session should allow swiss ports:
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
remark ping
permit icmp any any
permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
permit tcp any host 80.0.80.2 eq www --> Provides access to internet
permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal
port
permit tcp any host 80.0.80.2 eq 8905 --> This is for posture
communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8905 --> This is for posture
communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8906 --> This is for posture
communication between NAC agent and ISE (Swiss ports)
deny ip any any

If the agent login dialog still does not appear, it could be certificate issue. Ensure
that the certificate used for swiss communication on the end client is in the Cisco
ISE certificate trusted list.

Ensure that the default gateway is reachable from the client machine.

Agent Fails to Initiate Posture Assessment

Final
Symptoms/Issue

The user is presented with a Clean access server not available message.

Conditions

This issue applies to any agent authentication session from Cisco ISE.

Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

C-32

OL-22972-01

Appendix C

Troubleshooting Cisco ISE

Client Access, Authentication, and Authorization

FINAL REVIEW DRAFTCISCO CONFIDENTIAL

Possible Causes
Resolution

This error could mean that either the session has terminated or Cisco ISE is no longer
reachable on the network.

The user can try to ping the default gateway or the RADIUS server IP address or
FQDN supplied by the network administrator.

The user can try to log into the network again.

The administrator can check network access attributes for the user (like the
assigned VLAN, ACLs, routing, execute the nslookup command on the client,
client machine DNS connection, etc.).

NAC Agent Displays Temporary Access

Final
Symptoms/Issue

A client machine is granted Temporary Access following login and authentication,

but administrator and user expect full network access.

Conditions

This issue is applicable to any client machine login session using an agent to connect.

Possible Causes

If the NAC Agent is running on the client and:

Resolution

The interface on the client machine goes down

The session is terminated

The user must try and verify their network connectivity and then try to and log in
again (and pass through posture assessment, as well) to attempt to re-establish the
connection.

Cisco ISE Does Not Issue Change of Authorization Following Authentication

Final
Symptoms/Issue

Change of Authorization is not issued following client machine login and

authentication.

Conditions

This specific issue is only applicable in a wired environment where CoA is required
on the client machine to complete authentication.

Possible Causes

The access switch may not have the required configuration to support change of
authorization for the client machine.

Resolution

Ensure the IOS release on the switch is equal to or more recent than 12.2.(53)SE.

Ensure that the switch configuration features the following commands necessary
to enable Change of Authorization:
aaa server radius dynamic-author
client 80.0.80.2 server-key cisco456 --> ISE ip.
server-key cisco456

Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

OL-22972-01

C-33

Appendix C

Troubleshooting Cisco ISE

Error Messages

FINAL REVIEW DRAFTCISCO CONFIDENTIAL

Error Messages

ACTIVE_DIRECTORY_USER_INVALID_CREDENTIALS, page C-34

ACTIVE_DIRECTORY_USER_AUTH_FAILED, page C-34

ACTIVE_DIRECTORY_USER_PASSWORD_EXPIRED, page C-35

ACTIVE_DIRECTORY_USER_WRONG_PASSWORD, page C-35

ACTIVE_DIRECTORY_USER_ACCOUNT_DISABLED, page C-35

ACTIVE_DIRECTORY_USER_RESTRICTED_LOGON_HOURS, page C-35

ACTIVE_DIRECTORY_USER_NON_COMPLIANT_PASSWORD, page C-35

ACTIVE_DIRECTORY_USER_UNKNOWN_DOMAIN, page C-36

ACTIVE_DIRECTORY_USER_ACCOUNT_EXPIRED, page C-36

ACTIVE_DIRECTORY_USER_ACCOUNT_LOCKED_OUT, page C-36

ACTIVE_DIRECTORY_GROUP_RETRIEVAL_FAILED, page C-36

ACTIVE_DIRECTORY_MACHINE_AUTHENTICATION_DISABLED, page C-36

ACTIVE_DIRECTORY_ATTRIBUTE_RETRIEVAL_FAILED, page C-37

ACTIVE_DIRECTORY_PASSWORD_CHANGE_DISABLED, page C-37

ACTIVE_DIRECTORY_USER_UNKNOWN, page C-37

ACTIVE_DIRECTORY_CONNECTION_FAILED, page C-37

ACTIVE_DIRECTORY_BAD_PARAMETER, page C-37

ACTIVE_DIRECTORY_TIMEOUT, page C-38

ACTIVE_DIRECTORY_USER_INVALID_CREDENTIALS
Description

This Authentication Failure message indicates that the users credentials are invalid.

Resolution

Check if the Active Directory user account and credentials that are used to connect
to the Active Directory domain are correct.

ACTIVE_DIRECTORY_USER_AUTH_FAILED
Description

This Authentication Failure message indicates that the user authentication has failed.
You will see this message when the user or machine password is not found in Active
Directory.

Resolution

Check if the Active Directory user account and credentials that are used to connect
to the Active Directory domain are correct.

Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

C-34

OL-22972-01

Appendix C

Troubleshooting Cisco ISE

Error Messages

FINAL REVIEW DRAFTCISCO CONFIDENTIAL

ACTIVE_DIRECTORY_USER_PASSWORD_EXPIRED
Description

This Authentication Failure message appears when the users password has expired.

Resolution

If the Active Directory user account is valid, then reset the account in Active
Directory. If the user account has expired, but if it is still needed, then renew it. If
the user account has expired and is no longer valid, investigate the reasons for the
attempts.

ACTIVE_DIRECTORY_USER_WRONG_PASSWORD
Description

This Authentication Failure message appears when the user has entered an incorrect
password.

Resolution

Check if the Active Directory user account and credentials that are used to connect
to the Active Directory domain are correct.

ACTIVE_DIRECTORY_USER_ACCOUNT_DISABLED
Description

This Authentication Failure message appears when the user account is disabled in
Active Directory.

Resolution

If the user account is valid, then reset the account in Active Directory. If the user
account has expired, but if it is still needed, then renew it. If the user account has
expired and is no longer valid, investigate the reasons for the attempts.

ACTIVE_DIRECTORY_USER_RESTRICTED_LOGON_HOURS
Description

This Authentication Failure message appears when the user logs in during restricted
hours.

Resolution

If the user access is valid, then update the user access policy in Active Directory. If
the user access is invalid (restricted at this time), then investigate the reasons for the
attempts.

ACTIVE_DIRECTORY_USER_NON_COMPLIANT_PASSWORD
Description

This Authentication Failure message appears if the user has a password that is not
compliant with the password policy.

Resolution

Reset the password in Active Directory such that it is compliant with the password
policy in Active Directory.

Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

OL-22972-01

C-35

Appendix C

Troubleshooting Cisco ISE

Error Messages

FINAL REVIEW DRAFTCISCO CONFIDENTIAL

ACTIVE_DIRECTORY_USER_UNKNOWN_DOMAIN
Description

This Authentication Failure message appears if Active Directory is unable to locate

the specified domain.

Resolution

Check the configuration of Active Directory in ISE administrative user interface and
the DNS configuration in ISE CLI.

ACTIVE_DIRECTORY_USER_ACCOUNT_EXPIRED
Description

This message appears when the user account in Active Directory has expired.

Resolution

If the user account has expired, but is still needed, then renew the user account. If the
user account has expired and is no longer valid, investigate the reasons for the
attempts.

ACTIVE_DIRECTORY_USER_ACCOUNT_LOCKED_OUT
Description

This Authentication Failure message appears if the user account has been locked out.

Resolution

If the user attempts to login with correct credentials, reset the users password.
Otherwise, investigate the attempts that caused the lock out.

ACTIVE_DIRECTORY_GROUP_RETRIEVAL_FAILED
Description

This Authentication Failure message appears that Active Directory is unable to

retrieve the groups.

Resolution

Check if the Active Directory configuration in ISE administrative user interface is

correct.

ACTIVE_DIRECTORY_MACHINE_AUTHENTICATION_DISABLED
Description

This Authentication Failure message appears if machine authentication is not

enabled in Active Directory.

Resolution

Enable Machine Authentication in Active Directory, if required.

Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

C-36

OL-22972-01

Appendix C

Troubleshooting Cisco ISE

Error Messages

FINAL REVIEW DRAFTCISCO CONFIDENTIAL

ACTIVE_DIRECTORY_ATTRIBUTE_RETRIEVAL_FAILED
Description

This Authentication Failure message appears if Active Directory is unable to retrieve

the attributes that you have specified.

Resolution

Check if the Active Directory configuration in ISE administrative user interface is

correct.

ACTIVE_DIRECTORY_PASSWORD_CHANGE_DISABLED
Description

This Authentication Failure message appears if the password change option is

disabled in Active Directory.

Resolution

Enable Password Change in Active Directory, if required.

ACTIVE_DIRECTORY_USER_UNKNOWN
Description

This Invalid User message appears if the user information is not found in Active
Directory.

Resolution

Check for the origin of the invalid attempts. If it is from a valid user, ensure that the
user account is configured correctly in Active Directory.

ACTIVE_DIRECTORY_CONNECTION_FAILED
Description

This External Error message appears when ISE is unable to establish a connection
with Active Directory.

Resolution

Check if the Active Directory configuration in ISE administrative user interface is

correct.

ACTIVE_DIRECTORY_BAD_PARAMETER
Description

This External Error message appears when you have provided an invalid input.

Resolution

Check if the Active Directory configuration in ISE administrative user interface is

correct.

Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

OL-22972-01

C-37

Appendix C

Troubleshooting Cisco ISE

Troubleshooting APIs

FINAL REVIEW DRAFTCISCO CONFIDENTIAL

ACTIVE_DIRECTORY_TIMEOUT
Description

This External Error message appears when a time-out event has occurred.

Resolution

Check if the Active Directory configuration in ISE administrative user interface is

correct

Troubleshooting APIs
You can use the following troubleshooting APIs to extract information from Cisco ISE that could aid
general troubleshooting processes.

Get Failure Reasons Mapping

https://{hostname}/mnt/API/External/FailureReasons

Get Session Auth Status

https://{hostname}/mnt/API/External/AuthStatus/MACAddress/{mac}/{seconds}/{number of
records per MAC Address}/All

Get Session Accounting Status

https://{hostname}/mnt/API/External/AcctStatusTT/MACAddress/{mac}/{seconds}

Contacting the Cisco Technical Assistance Center

If you cannot locate the source and potential resolution for a problem in the above sections, contact a
Cisco customer service representative for information on how to best proceed with resolving the issue.
For Cisco Technical Assistance Center (TAC), see the Cisco Information Packet publication that is
shipped with your appliance or visit the following website:
http://www.cisco.com/tac/
Before you contact Cisco TAC, make sure that you have the following information ready:

Note

The appliance chassis type and serial number.

The maintenance agreement or warranty information (see the Cisco Information Packet).

The name, type of software, and version or release number (if applicable).

The date you received the new appliance.

A brief description of the problem or condition you experienced, the steps you have taken to isolate
or re-create the problem, and a description of any steps you took to resolve the problem.

Be sure to provide the customer service representative with any upgrade or maintenance information that
was performed on the Cisco ISE 3300 Series appliance after your initial installation. For site log
information, see the Creating a Site Log section in the Cisco Identity Services Engine Appliance
Hardware Installation Guide, Release 1.0.

Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

C-38

OL-22972-01