Identity Not Found Please Close This Window and Try Again Later Ping

Table Of Contents

Troubleshooting Cisco ISE

Installation and Network Connection Issues

Unknown Network Device

CoA Non Initiating on Client Machine

Users Are Assigned to Wrong VLAN During Network Access Sessions

Customer Motorcar URL Redirection Part Not Working

Cisco ISE Profiler is Non Able to Collect Data for Endpoints

RADIUS Accounting Packets (Attributes) Not Coming from Switch

Policy Service ISE Node Not Passing Traffic

Registered Nodes in Cisco ISE Managed List Following Standalone Reinstallation

Primary and Secondary Inline Posture Nodes Heartbeat Link Not Working

Licensing and Administrator Admission

Document Expired

Configuration and Performance (Including Loftier Availability)

Client Machines Are Not Able to Authenticate

Users Are Not Accordingly Redirected to URL

Cannot Download Remote Customer Provisioning Resources

Lost Monitoring and Troubleshooting Data Afterward Registering Policy Service ISE Node to Administration ISE Node

Cisco ISE Monitoring Dashlets Not Visible with Cyberspace Explorer viii

External Hallmark Sources

User Authentication Failed

Missing User for RADIUS-Server Test Username in Cisco ISE Identities

Connectivity Issues Between the Network Access Device (Switch) and Cisco ISE

Active Directory Disconnected

Cisco ISE Node Not Authenticating with Active Directory

RADIUS Server Error Message Entries Appearing in Cisco ISE

RADIUS Server Connectivity Bug (No Error Bulletin Entries Actualization in Cisco ISE)

Client Access, Authentication, and Authorization

Cannot Authenticate on Profiled Endpoint

Quarantined Endpoints Do Not Renew Authentication Following Policy Change

Endpoint Does Not Align to the Expected Profile

User is Unable to Authenticate Against the Local Cisco ISE Identity Shop

Document-Based User Authentication via Supplicant Failing

802.1X Authentication Fails

Users Are Reporting Unexpected Network Admission Bug

Authorization Policy Not Working

Switch is Dropping Active AAA Sessions

URL Redirection on Client Machine Fails

Amanuensis Download Issues on Client Machine

Agent Login Dialog Not Actualization

Amanuensis Fails to Initiate Posture Assessment

Agent Displays "Temporary Access"

Cisco ISE Does Not Upshot CoA Following Hallmark

Fault Messages

ACTIVE_DIRECTORY_USER_INVALID_CREDENTIALS

ACTIVE_DIRECTORY_USER_AUTH_FAILED

ACTIVE_DIRECTORY_USER_PASSWORD_EXPIRED

ACTIVE_DIRECTORY_USER_WRONG_PASSWORD

ACTIVE_DIRECTORY_USER_ACCOUNT_DISABLED

ACTIVE_DIRECTORY_USER_RESTRICTED_LOGON_HOURS

ACTIVE_DIRECTORY_USER_NON_COMPLIANT_PASSWORD

ACTIVE_DIRECTORY_USER_UNKNOWN_DOMAIN

ACTIVE_DIRECTORY_USER_ACCOUNT_EXPIRED

ACTIVE_DIRECTORY_USER_ACCOUNT_LOCKED_OUT

ACTIVE_DIRECTORY_GROUP_RETRIEVAL_FAILED

ACTIVE_DIRECTORY_MACHINE_AUTHENTICATION_DISABLED

ACTIVE_DIRECTORY_ATTRIBUTE_RETRIEVAL_FAILED

ACTIVE_DIRECTORY_PASSWORD_CHANGE_DISABLED

ACTIVE_DIRECTORY_USER_UNKNOWN

ACTIVE_DIRECTORY_CONNECTION_FAILED

ACTIVE_DIRECTORY_BAD_PARAMETER

ACTIVE_DIRECTORY_TIMEOUT

Troubleshooting APIs

Contacting the Cisco Technical Assistance Eye

Troubleshooting Cisco ISE

---

This appendix addresses several categories of troubleshooting information that are related to identifying and resolving problems that you may experience when you use Cisco Identity Services Engine (ISE). This appendix contains the following sections:

•Installation and Network Connection Issues

•Licensing and Administrator Admission

•Configuration and Operation (Including High Availability)

•External Authentication Sources

•Client Admission, Authentication, and Authorization

•Error Messages

•Troubleshooting APIs

•Contacting the Cisco Technical Assist Center

---

Note This appendix is kept as upwardly-to-date as possible with regards to presentation on Cisco.com also equally the online Assistance content available in the Cisco ISE software awarding, itself. For the most up-to-date fabric following Cisco Identity Services Engine, Release 1.0, however, Cisco recommends using the stand up-lonely Cisco Identity Services Engine Troubleshooting Guide, Release ane.0.

---

Installation and Network Connection Issues

If y'all believe you are experiencing hardware-related complications, offset verify the following on all of your deployed Cisco ISE nodes:

•The external power cablevision is connected, and the proper power source is being applied.

•The external cables connecting the appliance to the network are all secure and in good order.

•The appliance fan and blower are operating.

•Inadequate ventilation, blocked air circulation, excessive grit or dirt, fan failures, or any environmental weather condition that might affect the ability or cooling systems.

•The appliance software boots successfully.

•The adapter cards (if installed) are properly installed in their slots, and each card initializes (and is enabled by the appliance software) without issues. Bank check status LEDs on the adapter carte du jour that tin can aid you lot identifying a potential trouble.

For more information on Cisco ISE hardware installation and operational troubleshooting, including power and cooling requirements and LED behavior, see the Cisco Identity Services Engine Hardware Installation Guide, Release 1.0.

---

Tip For bug regarding potential network access device (NAD) configuration bug, including AAA, RADIUS, profiler, and web hallmark, you can perform several validation analyses by choosing the Cisco ISE Monitor > Troubleshoot > Diagnostic Tools > General Tools > Evaluate Configuration Validator options.

---

Electric current Installation and Network Connection Troubleshooting Topics

•Unknown Network Device

•CoA Not Initiating on Client Machine

•Users Are Assigned to Incorrect VLAN During Network Access Sessions

•Client Car URL Redirection Office Not Working

•Cisco ISE Profiler is Not Able to Collect Data for Endpoints

•RADIUS Bookkeeping Packets (Attributes) Not Coming from Switch

•Policy Service ISE Node Non Passing Traffic

•Registered Nodes in Cisco ISE Managed List Following Standalone Reinstallation

•Master and Secondary Inline Posture Nodes Heartbeat Link Not Working

Unknown Network Device

Symptoms or Issue	Cisco ISE is not able to place the specified Network Admission Device (NAD).
Atmospheric condition	Click the magnifying glass icon in Authentications to brandish the steps in the Authentication Report. The logs display the post-obit error message: •11007 Could not locate Network Device or AAA Client Resolution
Possible Causes	The administrator did non correctly configure the network access device (NAD) type in Cisco ISE.
Resolution	Add the NAD in Cisco ISE again, verifying the NAD type and settings.

CoA Not Initiating on Client Machine

Symptoms or Event	Users logging into the Cisco ISE network are not experiencing the required Change of Authorization (CoA).
Conditions	Cisco ISE uses port 1700 by default for communicating RADIUS CoA requests from supported network devices.
Possible Causes	Cisco ISE network enforcement points (switches) may be missing primal configuration commands, may be assigning the incorrect port (i.e., a port other than 1700), or have an incorrect or incorrectly entered central.
Resolution	Ensure the following commands are nowadays in the switch configuration file (this is required on switch to activate CoA and configure): aaa server radius dynamic-writer client <Monitoring_node_IP_address> server-fundamental <radius_key>

Users Are Assigned to Incorrect VLAN During Network Access Sessions

Symptoms or Issue	Client machines are experiencing a variety of access issues related to VLAN assignments.
Conditions	Click on the magnifying glass icon in Authentications to launch the Authentication Details. The session event department of the authentication report should have the following lines: •%AUTHMGR-v-Neglect: Authorization failed for client (001b.a912.3782) on Interface Gi0/three AuditSessionID 0A000A760000008D4C69994E •%DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND: Attempt to assign non-existent or shutdown VLAN 666 to 802.1x port FastEthernet1/9 Yous can also run the troubleshooting workflow for the authentication. This workflow compares the ACL hallmark log that contains RADIUS switch responses with the switch bulletin database. Logging configuration (global) details may also be displayed: •Mandatory Expected Configuration Found On Device •logging monitor informational Missing •logging origin-id ip Missing •logging source-interface <interface_id> Missing •logging <syslog_server_IP_address_x> transport udp port 20514 Missing Note The network device must send syslog letters to the Monitoring ISE node server port 20514.
Possible Causes	The switch is missing (or contains the incorrect) name and numbers on the switch.
Resolution	Verify VLAN configuration(due south) on the network access/enforcement points (switches) in your deployment.

Customer Automobile URL Redirection Function Not Working

Symptoms or Issue	Users are not accordingly redirected to the right URL for hallmark.
Weather	The monitoring and troubleshooting configuration validator is designed to grab this. The web authentication configuration (global) details may display something like the following: •Mandatory Expected Configuration Found On Device •aaa authorization auth-proxy default grouping <radius_group> aaa say-so auth-proxy default grouping radius •aaa accounting auth-proxy default starting time-terminate group <radius_group> Missing •ip admission proper name <word> proxy http inactivity-fourth dimension sixty Missing fallback profile <word> •ip access-grouping <word> in •ip admission <give-and-take> Missing •ip http server ip http server •ip http secure-server ip http secure-server
Possible Causes	The switch is missing the ip http server and/or ip http secure-server command.
Resolution	Verify and (if necessary) adapt the configuration on the switch.

Cisco ISE Profiler is Not Able to Collect Data for Endpoints

Symptoms or Issue	Known devices on the network are not existence profiled according to profiler policies in Cisco ISE.
Weather	The monitoring and troubleshooting workflow catches device discovery configuration (global) details like the following: •Mandatory Expected Configuration Found On Device •ip dhcp snooping vlan <Vlan_ID_for_DHCP_Snooping> ip dhcp snooping vlan one-4096 •no ip dhcp snooping information option Missing •ip dhcp snooping ip dhcp snooping •ip device tracking ip device tracking
Possible Causes	Ane or more than Cisco ISE network enforcement points (switches) may be missing the ip dhcp snooping and/or ip device tracking commands that enable Profiler to perform its office.
Resolution	Verify switch configuration for those network segments where endpoints are not being accordingly profiled to ensure that: •The required information to profile the endpoint is being sent to Cisco ISE for it to profile. •Probes are configured on the network Policy Service ISE node entities.

RADIUS Accounting Packets (Attributes) Not Coming from Switch

Symptoms or Issue	The switch is not transmitting RADIUS accounting packets (attributes) to the RADIUS server.
Conditions	Click on the magnifying drinking glass icon in Authentications to launch the authentication details. The session event section of the authentication study should show the accounting events. Clicking on the accounting events shows that audit-session-id fields are bare because the VSA1 are blocked and no cisco-av-pair=audit-session-id letters are sent from the switch. The aforementioned can be washed by running the bookkeeping report for the 24-hour interval, where all inspect-session-id fields should be blank. Notation This issue is reported by the monitoring and troubleshooting configuration validator'south RADIUS configuration (global) details. –Mandatory Expected Configuration Found On Device –radius-server attribute 6 back up-multiple Missing –radius-server attribute 8 include-in-admission-req radius-server aspect eight include-in-access-req –radius-server host <radius_ip_address1> auth-port 1812 acct-port 1813 key <radius_key> Missing –radius-server vsa ship accounting radius-server vsa send accounting –radius-server vsa ship hallmark radius-server vsa transport authentication Note Be sure to include "radius-server aspect 25 access-request include" in the switch configuration.
Possible Causes	The Cisco ISE network enforcement device (switch) is missing the radius-server vsa send accounting command.
Resolution	Verify that the switch RADIUS configuration for this device is correct and features the appropriate control(s).

¹ VSA = vendor-specific attribute

Policy Service ISE Node Not Passing Traffic

Symptoms or Outcome	Network traffic is not traversing the network segment where a network policy enforcement device is installed.
Conditions	This issue tin bear on a Cisco ISE and other types of NADs that have been deployed equally Policy Service ISE nodes to interoperate with another network device.
Possible Causes	There are multiple possible causes for an issue such as this.
Resolution	ane. Use the tcpdump command in the NAD command-line interface (CLI) or from the Assistants ISE node user interface at Monitor > Troubleshoot > Diagnostic Tools > General Tools > TCP Dump to verify whether the auto is receiving and forwarding traffic equally required for your network. 2. If the TCP dump operation indicates that the Cisco ISE or NAD is working equally configured, verify other adjacent network components.

Registered Nodes in Cisco ISE Managed List Following Standalone Reinstallation

Symptoms or Issue	The Administration ISE node user interface displays the Policy Service ISE node host name and configuration information when Cisco ISE is reimaged and installed as a new standalone node.
Conditions	This applies to a Cisco ISE node previously deployed every bit the Administration persona managing one or more associated Policy Service ISE nodes.
Possible Causes	If the Policy Service ISE nodes are still configured to ship syslog updates to the Assistants persona every bit it was originally ready, node information is learned when the Assistants persona receives syslog messages. That data is probable used to populate the system summary page on the Administration persona.
Resolution	If y'all have non "deregistered" the Policy Service ISE nodes from the Cisco ISE node, reconfigure the Policy Service ISE nodes then that information technology sends syslog letters to itself, rather than the Cisco ISE node and restart the Policy Service ISE node. Note If you deregister any associated Policy Service ISE nodes before reinstalling the Cisco ISE software and reconfiguring the Administration persona, the Policy Service ISE nodes will operate in standalone mode and will non transmit the erroneous syslog updates.

Primary and Secondary Inline Posture Nodes Heartbeat Link Not Working

Symptoms or Effect	Two Inline Posture nodes that are deployed equally high-availability peers appear dead to one another.
Conditions	Two Inline Posture nodes that are deployed in a "collocated" high-availability deployment.
Possible Causes	If the eth2 and eth3 interfaces on the Inline Posture nodes are non connected, both nodes will act equally though the other node in the deployment has experienced some sort of failure.
Resolution	The heartbeat protocol requires a directly cable connexion between the eth2 interfaces of both nodes in a high-availability pair, as well as a direct cable connection between the eth3 interfaces of the two nodes. You can apply any Ethernet cable to brand these connections.

Licensing and Administrator Access

•Certificate Expired

Document Expired

Symptoms or Issue	•Administrator begins to encounter alarm messages starting 30 days before certificate expiration. •If the document has expired, users cannot log into the network via Cisco ISE until the certificate has been refreshed.
Weather condition	This issue can utilise to any expired certificates on Cisco ISE.
Possible Causes	Your Cisco ISE certificate is about to expire or has expired.
Resolution	Refresh your Cisco ISE trusted certificate.

Configuration and Operation (Including High Availability)

•Customer Machines Are Not Able to Authenticate

•Users Are Not Accordingly Redirected to URL

•Cannot Download Remote Client Provisioning Resources

•Lost Monitoring and Troubleshooting Data After Registering Policy Service ISE Node to Assistants ISE Node

•Cisco ISE Monitoring Dashlets Non Visible with Cyberspace Explorer 8

Client Machines Are Not Able to Authenticate

Symptoms or Issue	•Client sessions are not completing 802.1X hallmark. •Click the magnifying drinking glass icon in Authentications for the specific DACL to launch the authentication details. The content of the ACL should reveal one or more bad characters.
Weather	Click on magnifying glass icon in Authentications to launch the Authentication Details. The session event department of the authentication study should have the following entry: %EPM-iv-POLICY_APP_FAILURE: IP 0.0.0.0| MAC 0002.b3e9.c926| AuditSessionID 0A0002010000239039837B18| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-acl_access-4918c248| RESULT FAILURE| REASON Interface ACL not configured
Possible Causes	•The DACL syntax may be incorrect or non configured in Cisco ISE. •When Cisco ISE enforces the DACL and in that location is no pre-authentication ACL configured on the switch, the NAD brings down the session and authentication fails.
Resolution	Depending on the nature of the problem: •Correct the DACL syntax configured in Cisco ISE and ensure that it also includes the let udp any whatever command. •Configure the appropriate pre-authentication ACL on the switch.

Users Are Non Appropriately Redirected to URL

Symptoms or Issue	Administrator receives ane or more than "Bad URL" error letters from Cisco ISE.
Atmospheric condition	This scenario applies to 802.1X hallmark as well every bit guest access sessions. Click the magnifying drinking glass icon in Authentications to launch the Authentication Details. The authentication study should accept the redirect URL in the RADIUS response section as well as the session result department (which displays the switch syslog messages).
Possible Causes	Redirection URL is entered incorrectly with invalid syntax or a missing path component.
Resolution	Verify that the redirection URL specified in Cisco ISE via Cisco-av pair "URL Redirect" is correct per the following options: •CWA Redirection URL: https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa •802.1X Redirection URL: url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cpp

Cannot Download Remote Client Provisioning Resources

Symptoms or Issue	Administrator receives one or more "java.net.NoRouteToHostException: No route to host" mistake messages when trying to download client provisioning resources.
Weather condition	This issue applies to any Cisco ISE that is connected to an external customer provisioning resources store.
Possible Causes	Your internet connection may non be working properly or reliably.
Resolution	•Verify your internet connection settings. •Ensure that you have configured the right proxy settings in Cisco ISE at Administration > Organisation > Settings > Proxy.

Lost Monitoring and Troubleshooting Data Subsequently Registering Policy Service ISE Node to Administration ISE Node

Symptoms or Issue	The known collection of profiled endpoints is non visible on the secondary Policy Service ISE node when it is registered to the original (primary) Administration persona.
Conditions	This event tin come up up in a deployment in which you register a new Policy Service ISE node to what has been, until the moment of registration, a standalone Cisco ISE node with a large shop of known and profiled endpoints.
Possible Causes	Considering of its potentially huge size, monitoring and troubleshooting data is not replicated between two nodes when the new node is registered to the original standalone Cisco ISE node. Cisco ISE does not replicate a data store that could conceivably exist gigabytes in size, because it could bear upon network connectivity in a deployment environment.
Resolution	Ensure that you export monitoring and troubleshooting information prior to registering the new Policy Service ISE node to the formerly standalone Cisco ISE.

Cisco ISE Monitoring Dashlets Not Visible with Internet Explorer 8

Symptoms or Issue	Administrator sees i or more "At that place is a problem with this website's security document." messages afterwards clicking on the dashlets in the Cisco ISE monitoring portal.
Conditions	This issue is specific to Internet Explorer 8. (This consequence has non been observed when using Mozilla Firefox.)
Possible Causes	The security certificate for the Internet Explorer 8 browser connexion is invalid or expired.
Resolution	Use Internet Explorer 8 to reimport a valid security certificate to view the dashlets appropriately.

External Authentication Sources

•User Hallmark Failed

•Missing User for RADIUS-Server Test Username in Cisco ISE Identities

•Connectivity Issues Between the Network Admission Device (Switch) and Cisco ISE

•Active Directory Disconnected

•Cisco ISE Node Not Authenticating with Agile Directory

•RADIUS Server Error Message Entries Actualization in Cisco ISE

•RADIUS Server Connectivity Problems (No Mistake Bulletin Entries Appearing in Cisco ISE)

User Authentication Failed

Symptoms or Issue	Authentications study failure reason: "Authentication failed: 22040 Incorrect password or invalid shared secret"
Weather condition	Click the magnifying drinking glass icon in Authentications to view the steps in the authentication study that should brandish a cursory series of messages equally follows: •24210 Looking upward User in Internal Users IDStore - test-radius •24212 Found User in Internal Users IDStore •22040 Incorrect password or invalid shared secret
Possible Causes	The user or device may not be supplying the right credentials or RADIUS primal to match with the external authentication source.
Resolution	Verify that the user credentials that are entered on the client machine are right, and verify that the RADIUS server shared underground is correctly configured in both the NAD and Cisco ISE (they should be the same).

Missing User for RADIUS-Server Exam Username in Cisco ISE Identities

Symptoms or Result	The ambassador notices one or more Authentications report failure letters similar "Authentication failed: 22056 Bailiwick not institute in the applicable identity store(s)" for a given user ID.
Conditions	Click the magnifying glass icon in Authentications to view the messages in the Authentication Study. You should run into a curt serial like the post-obit: •24210 Looking upwards User in Internal Users IDStore - exam-radius •24216 The user is not constitute in the internal users identity store •22056 Subject not found in the applicable identity store(s)
Possible Causes	This message appears whatever time an authentication fails. In all cases, it's because the user is unknown to Cisco ISE. The subject could be a guest user who has non been added to the local database, a new employee who has not notwithstanding been appropriately provisioned in the network, or even a hacker. In addition, it is possible that the ambassador did not configure the user ID in Cisco ISE.
Resolution	Check the local and external identity sources to verify whether the user ID exists, and if it does, ensure that both Cisco ISE and the associated access switch are configured to accept that user.

Connectivity Problems Between the Network Access Device (Switch) and Cisco ISE

Symptoms or Issue	Authentications report failure reason: "Authentication failed: 22040 Wrong password or invalid shared clandestine"
Conditions	Click the magnifying drinking glass icon in Authentications to display authentication report entries similar the post-obit: •24210 Looking up User in Internal Users IDStore - test-radius •24212 Plant User in Internal Users IDStore •22040 Wrong password or invalid shared secret
Possible Causes	The network administrator may non have specified the correct countersign to enable the switch (or other NAD) to authenticate with Cisco ISE.
Resolution	Verify that the password that is configured on the NAD is right to cosign with Cisco ISE.

Active Directory Disconnected

Symptoms or Effect	The connectedness betwixt Cisco ISE and the Active Directory server has been terminated, resulting in user authenticating failure.
Weather	This issue is pertinent to whatever Agile Directory domain topology that is connected to Cisco ISE.
Possible Causes	This scenario is most usually caused by clock migrate due to not syncing fourth dimension via NTPane on VMware. This result can besides arise if the Cisco ISE FQDN2 changes and/or the proper noun of the certificate imported on the client machine has changed.
Resolution	Ensure that your Agile Directory domain and Cisco ISE are aligned to the aforementioned NTP server source. Close down or pause your Active Directory server and endeavor to authenticate an employee to the network.

^ane NTP = Network Time Protocol

^two FQDN = fully-qualified domain name

Cisco ISE Node Not Authenticating with Active Directory

Symptoms or Issue	The administrator receives "authentication failure" messages in the Authentication Failure Report on the Administration ISE node.
Conditions	This issue applies to Cisco ISE policy enforcement nodes added to an existing AD domain.
Possible Causes	•The administrator may not have changed the AD countersign on after joining the Cisco ISE node to the Advertizing domain. •The account used to join Cisco ISE to the Active Directory domain may have an expired password.
Resolution	Change the business relationship countersign that was used to join the Advertizement domain after adding Cisco ISE to Active Directory.

RADIUS Server Fault Message Entries Actualization in Cisco ISE

Symptoms or Upshot	•Unsuccessful RADIUS or AAA1 functions on Cisco ISE •Error messages in the Monitor > Hallmark event entries
Conditions	This scenario can go an consequence in a arrangement where Cisco ISE is configured to perform user authentication via an external identity source on the network.
Possible Causes	The post-obit are possible causes for losing connectivity with the external identity source: •Field of study not found in the applicable identity source •Incorrect countersign or invalid shared cloak-and-dagger •Could not locate network device or AAA customer
Resolution	Cheque the Cisco ISE dashboard (Monitor > Authentications) for any indication regarding the nature of RADIUS advice loss. (Look for instances of your specified RADIUS usernames and scan the system messages that are associated with any error message entries.) Log into the Cisco ISE CLIii and enter the following command to produce RADIUS attribute output that may aid in debugging connexion bug: test aaa group radius <username> <password> new-code If this examination control is successful, yous should see the following attributes: •Connect port •Connect NAD IP accost •Connect Policy Service ISE node IP address •Correct server key •Recognized username or password •Connectivity between the NAD and Policy Service ISE node You can also use this command to help narrow the focus of the potential problem with RADIUS advice by deliberately specifying incorrect parameter values in the command line then returning to the administrator dashboard (Monitor > Authentications) to view the type and frequency of error message entries that consequence from the incorrect command line. For example, to test whether or not user credentials may be the source of the problem, enter a username and or countersign that you know is wrong, so become look for error message entries that are pertinent to that username in the Monitor > Authentications page to see what Cisco ISE is reporting.) Note This control does not validate whether or non the NAD is configured to use RADIUS, nor does it verify whether the NAD is configured to utilise the new AAA model.

¹ AAA = authentication, authorization, and bookkeeping

ⁱⁱ CLI = control-line interface

RADIUS Server Connectivity Issues (No Error Message Entries Appearing in Cisco ISE)

Symptoms or Issue	•Unsuccessful RADIUS or AAA functions in Cisco ISE •The NAD is unable to ping the Policy Service ISE node
Atmospheric condition	This scenario is applicable in a system in which Cisco ISE is configured to perform user authentication via an external RADIUS server on the network.
Possible Causes	The following are possible causes for losing connectivity with the RADIUS server: •Network connectivity issue or issues •Bad server IP address •Bad server port
Resolution	If you are unable to ping the Policy Service ISE node from the NAD, try any or all of these possible solutions: •Verify the NAD IP address •Endeavour using Traceroute and other advisable "sniffer"-type tools to isolate the source of disconnection. (In a production surround, be cautious of overusing debug functions, because they commonly consume large amounts of available bandwidth and CPU, which can impact normal network functioning.) Check the Cisco ISE "TCP Dump" report for the given Policy Service ISE node to encounter if there are any indications.

Client Access, Authentication, and Say-so

•Cannot Authenticate on Profiled Endpoint

•Quarantined Endpoints Do Not Renew Authentication Post-obit Policy Alter

•Endpoint Does Not Align to the Expected Profile

•User is Unable to Authenticate Confronting the Local Cisco ISE Identity Store

•Document-Based User Authentication via Supplicant Failing

•802.1X Authentication Fails

•Users Are Reporting Unexpected Network Access Bug

•Authorization Policy Not Working

•Switch is Dropping Active AAA Sessions

•URL Redirection on Customer Machine Fails

•Agent Download Issues on Customer Automobile

•Agent Login Dialog Not Actualization

•Agent Fails to Initiate Posture Assessment

•Agent Displays "Temporary Access"

•Cisco ISE Does Not Effect CoA Following Authentication

Cannot Authenticate on Profiled Endpoint

Symptoms or Upshot	•The IP phone was profiled but was non authorized properly. Therefore, information technology was not assigned to the phonation VLAN. •The IP phone was profiled and authorized properly, but was not assigned to the correct voice VLAN. •The endpoint has been successfully profiled in Cisco ISE, but user hallmark fails.
Weather condition	The administrator volition run into the Authentications Log Error message: "22056 Field of study non plant in the applicable identity shop(due south)" containing the following entries: •24210 Looking up User in Internal Users IDStore - 00:03:E3:2A:21:4A •24216 The user is not institute in the internal users identity store •22056 Subject not found in the applicative identity shop(s)
Possible Causes	•This could exist either a MABone or 802.1X hallmark consequence. •The authorization profile could exist missing the Cisco av-pair="device-traffic-course=voice" attribute. As a result, the switch does not recognize the traffic on the voice VLAN. •The administrator did non add the endpoint equally static identity, or did not allow an unregistered endpoint to pass (create a policy rule to "Go along/Continue/Go along" upon failure).
Resolution	•Verify that the Authority Policy is framed properly for groups and conditions, and cheque to run across whether the IP phone is profiled as an "IP phone" or every bit a "Cisco-device." •Verify the switch port configuration for multidomain and voice VLAN configuration. •Add the continue/continue/continue to allow the endpoint to laissez passer: a. Choose Policy > Policy Elements > Configurations and choose Allowed Protocol Services to create a Protocol Policy. MAC authentications use PAPii /ASCII and EAP-MD53 protocols. Enable the following MAB_Protocols settings: –Process Host Lookup –PAP/ASCII –Detect PAP as Host Lookup –EAP-MD5 –Notice EAP-MD5 as Host Lookup b. From the main menu, cull Policy > Authentication. c. Alter the authentication method from Simple to Dominion-Based d. Employ the activeness icon to create new Hallmark Method entries for MAB: –Name: MAB –Status: IF MAB RADIUS:Service-Blazon == Call Check –Protocols: allow protocols MAB_Protocols and use –Identity Source: Internal –Hosts: Continue/Continue/Keep

¹ MAB = MAC authentication bypass

² PAP = Password Authentication Protocol

³ EAP = Extensible AUthentication Protocol; MD5 = Bulletin Digest 5

Quarantined Endpoints Do Not Renew Authentication Following Policy Change

Symptoms or Result	Hallmark has failed following policy modify or boosted identity and no reauthentication is taking identify. The endpoint in question remains unable to connect or hallmark fails.
Conditions	This event often occurs on client machines that are failing posture assessment per the posture policy that is assigned to the user part.
Possible Causes	The authentication timer may not exist prepare correctly on the customer machine, or the authentication interval may not be fix correctly on the switch.
Resolution	At that place are several possible resolutions for this issue: 1. Check the Session Status Summary report in Cisco ISE for the specified NAD or switch, and ensure that the interface has the appropriate authentication interval configured. 2. Enter "prove running configuration" on the NAD/switch and ensure that the interface is configured with an appropriate "authentication timer restart" setting. (For example, "authentication timer restart 15," and "authentication timer reauthenticate xv.") 3. Effort entering "interface shutdown" and "no shutdown" to bounce the port on the NAD/switch and strength reauthentication following a potential configuration change in Cisco ISE.

---

Notation Since CoA requires a MAC address or session ID, Cisco recommends that you do not bounciness the port that is shown in the Network Device SNMP report.

---

Endpoint Does Non Align to the Expected Profile

Symptoms or Issue	An IP telephone is plugged in and the profile appears equally a "Cisco-Device."
Conditions	Launch the Endpoint Profiler/Endpoint Profiler Summary report and click Details for the MAC address that corresponds to the profiled endpoint in question.
Possible Causes	•There could be an SNMP configuration issue on Cisco ISE, the switch, or both. •The profile is likely not configured correctly, or contains the MAC address of the endpoint already.
Resolution	•Verify the SNMP version configuration on both Cisco ISE and the switch for SNMP trap and SNMP server settings. •The Profiler profile needs to be updated. Choose Policy > Profiling > Profiling Policies in Cisco ISE and manually map this endpoint to that profile.

User is Unable to Authenticate Against the Local Cisco ISE Identity Store

Symptoms or Effect	User cannot authenticate from supplicant.
Weather condition	Authentications written report failure reason: "Authentication failed: 22056 Subject not found in the applicable identity store(s)" Click the magnifying glass in Authentications to launch the Authentication report that displays the following: •24210 Looking up User in Internal Users IDStore - ACSXP-SUPP2\Administrator •24216 The user is not found in the internal users identity shop
Possible Causes	The supplicant is providing a name and password to authenticate against the local Cisco ISE user database, but those credentials are non configured in the local database.
Resolution	Verify that the user credentials are configured in the Cisco ISE local identity store.

Certificate-Based User Authentication via Supplicant Failing

Symptoms or Consequence	User hallmark is failing on the client car, and the user is receiving a "RADIUS Admission-Decline" grade of message.
Conditions	(This outcome occurs with authentication protocols that require document validation.) Possible Authentications study failure reasons: •"Authentication failed: 11514 Unexpectedly received empty TLS bulletin; treating every bit a rejection by the client" •"Hallmark failed: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the Cisco ISE local-certificate" Click the magnifying glass icon from Authentications to display the following output in the Authentication Written report: •12305 Prepared EAP-Asking with another PEAP challenge •11006 Returned RADIUS Access-Challenge •11001 Received RADIUS Access-Request •11018 RADIUS is re-using an existing session •12304 Extracted EAP-Response containing PEAP challenge-response •11514 Unexpectedly received empty TLS bulletin; treating as a rejection by the client •12512 Treat the unexpected TLS acknowledge bulletin as a rejection from the client •11504 Prepared EAP-Failure •11003 Returned RADIUS Access-Decline •11006 Returned RADIUS Access-Challenge •11001 Received RADIUS Access-Request •11018 RADIUS is re-using an existing session •12104 Extracted EAP-Response containing EAP-FAST claiming-response •12815 Extracted TLS Alert message •12153 EAP-FAST failed SSL/TLS handshake considering the customer rejected the Cisco ISE local-certificate •11504 Prepared EAP-Failure •11003 Returned RADIUS Access-Turn down Notation This is an indication that the client does non have or does not trust the Cisco ISE certificates.
Possible Causes	The supplicant or client auto is not accepting the certificate from Cisco ISE. The customer machine is configured to validate the server certificate, but is not configured to trust the Cisco ISE document.
Resolution	The client machine must have the Cisco ISE document to enable hallmark.

802.1X Authentication Fails

Symptoms or Issue	The user logging in via the client machine sees an mistake message from the supplicant that indicates that 802.1X authentication has failed.
Conditions	Troubleshooting Steps: one. Choose Monitor > Authentications. 2. Whorl over and await for the "Failure reason."
Possible Causes	Look for the details of the failed authentication record and click on the failure reason link under Details > Resolution for the Hallmark. The failure reason should be listed.
Resolution	Correct the failure reason per the findings that are defined in the Possible Causes.

---

Note If hallmark fails and there are no Authentications entries to search (assuming monitoring and troubleshooting is running properly), complete the post-obit steps:

1. Ensure that the RADIUS server configuration on the switch is pointing to Cisco ISE.

2. Check network connectivity between the switch and Cisco ISE.

3. Verify that the Policy Service ISE node is running on Cisco ISE to ensure that it tin can receive RADIUS requests.

---

Users Are Reporting Unexpected Network Access Bug

Symptoms or Issue	Several symptoms for this effect could be taking identify, including the post-obit: •Users are being asked to download an agent other than what they look. •Users who should have full network admission are only allowed limited network access. •Although users are passing posture assessment, they are not getting the advisable level of network access. •Users who should be immune into the corporate (Access) VLAN are existence left in the Hallmark VLAN following authentication.
Conditions	Users are successfully authenticated, but are unable to get network admission.
Possible Causes	•The administrator may not have specified the correct authorization profile. •The administrator did not define the appropriate policy conditions for the user access level. •The authority profile, itself, might non have been framed properly.
Resolution	Ensure that the Identity Group Weather condition are divers accordingly to support the authority profile that is required for the user groups in question. 1. Choose Monitor > Authentication. two. Wait for the identity group to which the user belongs. 3. Look at the say-so profile that is selected for that identity grouping. iv. Choose Policy > Authorization and verify that the correct rule is matching for that identity group. 5. If non, debug for the reason why the correct potency policy is not matching.

Authority Policy Not Working

Symptoms or Consequence	The potency policy that is specified by the administrator is the correct one, but the endpoint is non receiving the configured VLAN IP.
Conditions	This issue applies to standard user authorization sessions in a wired environment.
Possible Causes	The preauthorization ACL could be blocking DHCP traffic.
Resolution	•Ensure that the Cisco IOS release on the switch is equal to or more recent than the Cisco IOS Release 12.ii.(53)SE. •Ensure that the identity group atmospheric condition are defined appropriately. •Check for the customer machine port VLAN past using show vlan on the admission switch. If the port is not showing the correct authorization profile VLAN, ensure that VLAN enforcement is appropriate to reach out to the DHCP server. If the VLAN is right, the preauthorization ACL could exist blocking DHCP traffic. Ensure that the preauthorization DACL is as follows: permit udp any eq bootpc whatsoever eq bootps let udp any any eq domain permit tcp any host 80.0.fourscore.2 eq 443 --> This is for URL redirect permit tcp whatsoever host 80.0.80.2 eq world wide web permit tcp whatsoever host lxxx.0.80.ii eq 8443 --> This is for guest portal port let tcp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports) permit udp any host 80.0.fourscore.2 eq 8905 --> This is for posture communication betwixt NAC agent and ISE (Swiss ports) permit udp whatsoever host lxxx.0.80.two eq 8906 --> This is for posture advice between NAC agent and ISE (Swiss ports) •Ensure the session is created on the switch by entering show epm session summary. If the IP address of the session shown is "not bachelor," ensure that the following configuration lines appear on the switch: ip dhcp snooping vlan 30-100

Switch is Dropping Active AAA Sessions

Symptoms or Issue	802.1X and MAB authentication and authorization are successful, just the switch is dropping active sessions and the epm session summary command does non brandish any active sessions.
Weather condition	This applies to user sessions that accept logged in successfully and are then being terminated by the switch.
Possible Causes	•The preauthentication ACL (and the subsequent DACL enforcement from Cisco ISE) on the NAD may not be configured correctly for that session. •The preauthentication ACL is configured and the DACL is downloaded from Cisco ISE, but the switch brings the session down. •Cisco ISE may be enforcing a preposture VLAN assignment rather than the (correct) postposture VLAN, which tin also bring downwardly the session.
Resolution	•Ensure the Cisco IOS release on the switch is equal to or more recent than Cisco IOS Release 12.2.(53)SE. •Bank check to encounter whether or non the DACL proper noun in Cisco ISE contains a blank space (possibly around or about a hyphen "-"). There should be no space in the DACL proper name. Then ensure that the DACL syntax is right and that it contains no actress spaces. •Ensure that the following configuration exists on the switch to interpret the DACL properly (if non enabled, the switch may terminate the session): radius-server attribute half-dozen on-for-login-auth radius-server attribute 8 include-in-access-req radius-server attribute 25 access-request include radius-server vsa send accounting radius-server vsa send authentication

URL Redirection on Client Machine Fails

Symptoms or Issue	The URL redirection page in the client motorcar's browser does not correctly guide the end user to the appropriate URL.
Conditions	This outcome is nearly applicable to 802.1X authentication sessions that require URL redirection and Guest Centralized Web Authentication (CWA) login sessions.
Possible Causes	(In that location are multiple causes for this issue. Run across the Resolutions descriptions that follow for explanation.)
Resolution	•The two Cisco av-pairs that are configured on the authorisation profile should exactly lucifer the example below. (Annotation: Practice non supplant the "IP" with the actual Cisco ISE IP address.) –url-redirect=https://ip:8443/guestportal/gateway?...lue&action=cpp –url-redirect-acl=ACL-WEBAUTH-REDIRECT (ensure that this ACL is also defined on the access switch) •Ensure that the URL redirection portion of the ACL have been applied to the session by entering the prove epm session ip <session IP> command on the switch. (Where the session IP is the IP address that is passed to the client machine by the DHCP server.) Admission feature : DOT1X AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e URL Redirect ACL : ACL-WEBAUTH-REDIRECT URL Redirect : https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A72 0000A45A2444BFC2&action=cpp •Ensure that the preposture cess DACL that is enforced from the Cisco ISE authorization profile contains the post-obit command lines: let udp any eq bootpc any eq bootps allow udp any whatever eq domain let tcp whatever host fourscore.0.80.2 eq 443 --> This is for URL redirect permit tcp any host 80.0.lxxx.ii eq www --> Provides access to internet permit tcp any host lxxx.0.80.2 eq 8443 --> This is for guest portal port permit tcp any host fourscore.0.80.2 eq 8905 --> This is for posture communication betwixt NAC amanuensis and ISE (Swiss ports) permit udp any host lxxx.0.lxxx.ii eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports) let udp any host 80.0.eighty.ii eq 8906 --> This is for posture advice between NAC agent and ISE (Swiss ports) Note Ensure that the in a higher place URL Redirect has the proper Cisco ISE FQDN.
Resolution (continued)	•Ensure that the ACL with the name "ACL-WEBAUTH_REDIRECT" exists on the switch every bit follows: ip access-list extended ACL-WEBAUTH-REDIRECT deny ip any host 80.0.fourscore.2 •Ensure that the http and https servers are running on the switch: •Ensure that, if the client automobile employs whatever kind of personal firewall, it is disabled. •Ensure that the client machine browser is not configured to use whatsoever proxies. •Verify connectivity between the client machine and the Cisco ISE IP address. •If Cisco ISE is deployed in a distributed environment, make sure that the customer machines are aware of the Policy Service ISE node FQDN. •Ensure that the Cisco ISE FQDN is resolved and reachable from the client machine.

Agent Download Issues on Customer Machine

Symptoms or Issue	Client auto browser displays a "no policy matched" fault message later on user hallmark and say-so.
Conditions	This result applies to user sessions during the client provisioning stage of authentication.
Possible Causes	The client provisioning resources policy could be missing required settings.
Resolution	•Ensure that a client provisioning policy exists in Cisco ISE. If yes, verify the policy identity group, conditions, and blazon of agent(due south) defined in the policy. (Likewise ensure whether or non there is whatever agent profile configured under Policy > Policy Elements > Results > Client Provisioning > Resources > Add > ISE Posture Agent Profile, even a contour with all default values.) •Try reauthenticating the client machine by bouncing the port on the access switch.

---

Note Recall that the client provisioning agent installer download requires the following:

•The user must allow the ActiveX installer in the browser session the first time an agent is installed on the client machine. (The client provisioning download page prompts for this.)

•The client automobile must have Internet access.

---

Agent Login Dialog Not Appearing

Symptoms or Result	The agent login dialog box does not appear to the user following client provisioning.
Conditions	This issue can by and large take identify during the posture assessment phase of whatever user hallmark session.
Possible Causes	In that location are multiple possible causes for this type of event. See the following Resolution descriptions for details.
Resolution	•Ensure that the agent is running on the client machine. •Ensure that the Cisco IOS release on the switch is equal to or more recent than Cisco IOS Release 12.two.(53)SE. •Ensure that the discovery host address on the Cisco NAC agent or Mac Os X amanuensis is pointing to the Cisco ISE FQDN. (Correct-click on the NAC agent icon, choose Properties, and check the discovery host.) •Ensure that the access switch allows Swiss communication betwixt Cisco ISE and the stop customer machine. Limited admission ACL practical for the session should allow Swiss ports: allow udp any eq bootpc any eq bootps permit udp whatsoever whatsoever eq domain permit tcp any host 80.0.80.ii eq 443 --> This is for URL redirect allow tcp any host 80.0.lxxx.2 eq www --> Provides access to internet allow tcp whatsoever host eighty.0.fourscore.2 eq 8443 --> This is for invitee portal port permit tcp whatever host 80.0.lxxx.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports) permit udp whatever host 80.0.80.2 eq 8905 --> This is for posture communication betwixt NAC agent and ISE (Swiss ports) •If the agent login dialog even so does non appear, information technology could be a certificate effect. Ensure that the certificate that is used for Swiss advice on the end client is in the Cisco ISE certificate trusted list. •Ensure that the default gateway is reachable from the client automobile.

Agent Fails to Initiate Posture Assessment

Symptoms or Upshot	The user is presented with a "Clean access server not available" message.
Weather	This issue applies to any agent hallmark session from Cisco ISE.
Possible Causes	This error could hateful that either the session has terminated or Cisco ISE is no longer reachable on the network.
Resolution	•The user tin can try to ping the default gateway or the RADIUS server IP address or FQDN supplied past the network administrator. •The user can try to log into the network again. •The administrator can bank check network access attributes for the user (like the assigned VLAN, ACLs, routing, execute the nslookup command on the customer, client machine DNS connection, etc.).

Amanuensis Displays "Temporary Access"

Symptoms or Effect	A client car is granted "Temporary Access" following login and hallmark, but administrator and user expect full network access.
Weather	This issue is applicative to any client auto login session using an agent to connect.
Possible Causes	If the NAC Agent is running on the client and: •The interface on the client machine goes down •The session is terminated
Resolution	The user must try to verify network connectivity and then try to log in again (and laissez passer through posture cess, as well) to try to re-establish the connection.

Cisco ISE Does Not Issue CoA Following Authentication

Symptoms or Upshot	CoA is not issued following client automobile login and hallmark.
Conditions	This specific issue is only applicative in a wired environment where CoA is required on the client machine to complete authentication.
Possible Causes	The access switch may not accept the required configuration to support CoA for the customer machine.
Resolution	•Ensure that the Cisco IOS release on the switch is equal to or more than recent than Cisco IOS Release 12.2.(53)SE. •Ensure that the switch configuration features the post-obit commands necessary to enable CoA: aaa server radius dynamic-author client 80.0.lxxx.2 server-cardinal cisco456 --> ISE ip.

Fault Messages

•ACTIVE_DIRECTORY_USER_INVALID_CREDENTIALS

•ACTIVE_DIRECTORY_USER_AUTH_FAILED

•ACTIVE_DIRECTORY_USER_PASSWORD_EXPIRED

•ACTIVE_DIRECTORY_USER_WRONG_PASSWORD

•ACTIVE_DIRECTORY_USER_ACCOUNT_DISABLED

•ACTIVE_DIRECTORY_USER_RESTRICTED_LOGON_HOURS

•ACTIVE_DIRECTORY_USER_NON_COMPLIANT_PASSWORD

•ACTIVE_DIRECTORY_USER_UNKNOWN_DOMAIN

•ACTIVE_DIRECTORY_USER_ACCOUNT_EXPIRED

•ACTIVE_DIRECTORY_USER_ACCOUNT_LOCKED_OUT

•ACTIVE_DIRECTORY_GROUP_RETRIEVAL_FAILED

•ACTIVE_DIRECTORY_MACHINE_AUTHENTICATION_DISABLED

•ACTIVE_DIRECTORY_ATTRIBUTE_RETRIEVAL_FAILED

•ACTIVE_DIRECTORY_PASSWORD_CHANGE_DISABLED

•ACTIVE_DIRECTORY_USER_UNKNOWN

•ACTIVE_DIRECTORY_CONNECTION_FAILED

•ACTIVE_DIRECTORY_BAD_PARAMETER

•ACTIVE_DIRECTORY_TIMEOUT

ACTIVE_DIRECTORY_USER_INVALID_CREDENTIALS

Description	This Authentication Failure message indicates that the user's credentials are invalid.
Resolution	Check if the Active Directory user account and credentials that are used to connect to the Active Directory domain are right.

ACTIVE_DIRECTORY_USER_AUTH_FAILED

Description	This Authentication Failure message indicates that the user authentication has failed. You volition see this message when the user or automobile password is not found in Agile Directory.
Resolution	Check if the Agile Directory user account and credentials that are used to connect to the Agile Directory domain are correct.

ACTIVE_DIRECTORY_USER_PASSWORD_EXPIRED

Description	This Authentication Failure message appears when the user's countersign has expired.
Resolution	If the Active Directory user account is valid, then reset the business relationship in Active Directory. If the user business relationship has expired, but if it is still needed, and then renew it. If the user account has expired and is no longer valid, investigate the reasons for the attempts.

ACTIVE_DIRECTORY_USER_WRONG_PASSWORD

Description	This Authentication Failure message appears when the user has entered an incorrect password.
Resolution	Cheque if the Active Directory user account and credentials that are used to connect to the Active Directory domain are correct.

ACTIVE_DIRECTORY_USER_ACCOUNT_DISABLED

Clarification	This Authentication Failure message appears when the user account is disabled in Active Directory.
Resolution	If the Active Directory user account is valid, then reset the account in Active Directory. If the user account has expired, only if it is still needed, then renew it. If the user business relationship has expired and is no longer valid, investigate the reasons for the attempts.

ACTIVE_DIRECTORY_USER_RESTRICTED_LOGON_HOURS

Description	This Authentication Failure message appears when the user logs in during restricted hours.
Resolution	If the user admission is valid, then update the user access policy in Active Directory. If the user access is invalid (restricted at this time), and then investigate the reasons for the attempts.

ACTIVE_DIRECTORY_USER_NON_COMPLIANT_PASSWORD

Description	This Authentication Failure message appears if the user has a password that is not compliant with the password policy.
Resolution	Reset the password in Active Directory such that information technology is compliant with the password policy in Active Directory.

ACTIVE_DIRECTORY_USER_UNKNOWN_DOMAIN

Clarification	This Authentication Failure bulletin appears if Active Directory is unable to locate the specified domain.
Resolution	Check the configuration of Agile Directory in the Administration ISE node user interface and the DNSi configuration in the Cisco ISE CLI.

ⁱ DNS = domain proper noun service

ACTIVE_DIRECTORY_USER_ACCOUNT_EXPIRED

Description	This message appears when the user business relationship in Active Directory has expired.
Resolution	If the user account has expired, but is still needed, then renew the user account. If the user account has expired and is no longer valid, investigate the reasons for the attempts.

ACTIVE_DIRECTORY_USER_ACCOUNT_LOCKED_OUT

Description	This Hallmark Failure message appears if the user account has been locked out.
Resolution	If the user attempts to log in with correct credentials, reset the user's password. Otherwise, investigate the attempts that caused the lock out.

ACTIVE_DIRECTORY_GROUP_RETRIEVAL_FAILED

Description	This Hallmark Failure message appears if Agile Directory is unable to call up the groups.
Resolution	Check if the Active Directory configuration in the Administration ISE node user interface is correct.

ACTIVE_DIRECTORY_MACHINE_AUTHENTICATION_DISABLED

Description	This Authentication Failure message appears if machine authentication is not enabled in Active Directory.
Resolution	Enable Machine Authentication in Active Directory, if required.

ACTIVE_DIRECTORY_ATTRIBUTE_RETRIEVAL_FAILED

Description	This Authentication Failure message appears if Agile Directory is unable to retrieve the attributes that y'all have specified.
Resolution	Check if the Active Directory configuration in the Administration ISE node user interface is correct.

ACTIVE_DIRECTORY_PASSWORD_CHANGE_DISABLED

Description	This Authentication Failure bulletin appears if the password modify choice is disabled in Active Directory.
Resolution	Enable Password Alter in Active Directory, if required.

ACTIVE_DIRECTORY_USER_UNKNOWN

Description	This Invalid User message appears if the user information is not found in Active Directory.
Resolution	Bank check for the origin of the invalid attempts. If it is from a valid user, ensure that the user account is configured correctly in Agile Directory.

ACTIVE_DIRECTORY_CONNECTION_FAILED

Description	This External Fault message appears when Cisco ISE is unable to establish a connexion with Active Directory.
Resolution	Check if the Active Directory configuration in the Assistants ISE node user interface is right.

ACTIVE_DIRECTORY_BAD_PARAMETER

Description	This External Error message appears when you have provided an invalid input.
Resolution	Cheque if the Active Directory configuration in the Administration ISE node user interface is correct.

ACTIVE_DIRECTORY_TIMEOUT

Description	This External Mistake message appears when a timeout upshot has occurred.
Resolution	Check if the Active Directory configuration in the Administration ISE node user interface is right

Troubleshooting APIs

Yous can use the post-obit troubleshooting APIs to query information from Cisco ISE that could assistance in general troubleshooting processes.

• Become Version and Type of Node (Version)
https://{hostname}/ise/mnt/api/Version

• Get Failure Reasons Mapping (FailureReasons)
https://{hostname}/ise/mnt/api/FailureReasons

• Get Session Authentication Status (AuthStatus)
https://{hostname}/ise/mnt/api/AuthStatus/MACAddress/{mac}/{seconds}/{number of records per MAC Address}/All

• Get Session Accounting Status (AcctStatusTT)
https://{hostname}/ise/mnt/api/AcctStatusTT/MACAddress/{mac}/{seconds}

For more information:

•For more data about using the troubleshooting APIs in this release, encounter the Cisco Identity Services Engine API Reference Guide, Release i.0.

---

Note The Cisco Identity Services Engine API Reference Guide, Release 1.0, also provides information about the supported session management and CoA APIs.

---

Contacting the Cisco Technical Aid Heart

If you cannot locate the source and potential resolution for a problem in the above sections, contact a Cisco client service representative for data on how to best proceed with resolving the issue. For Cisco Technical Assistance Center (TAC), come across the Cisco Information Packet publication that is shipped with your apparatus or visit the following website:

http://world wide web.cisco.com/tac/

Before you contact Cisco TAC, make certain that you have the following information ready:

•The appliance chassis type and series number.

•The maintenance understanding or warranty information (see the Cisco Information Packet).

•The name, type of software, and version or release number (if applicable).

•The appointment yous received the new appliance.

•A brief clarification of the problem or condition yous experienced, the steps you have taken to isolate or re-create the problem, and a description of any steps you took to resolve the problem.

---

Note Be sure to provide the customer service representative with any upgrade or maintenance data that was performed on the Cisco ISE 3300 Series appliance after your initial installation. For site log information, see the "Creating a Site Log" section in the Cisco Identity Services Engine Hardware Installation Guide, Release 1.0.

---

warrenfelount.blogspot.com

Source: https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_troubleshooting.html