Troubleshooting Cisco ISE Installation and Network Connection Issues Unknown Network Device Co A Not Initiating on Client Machine Users Are Assigned to Incorrect VLAN During Network Access Sessions Client Machine URL Redirection Function Not Working Cisco ISE Profiler is Not Able to Collect Data for Endpoints RADIUS Accounting Packets (Attributes) Not Coming from Switch Policy Service ISE Node Not Passing Traffic Registered Nodes in Cisco ISE Managed List Following Standalone Reinstallation Primary and Secondary Inline Posture Nodes Heartbeat Link Not Working Licensing and Administrator Access Certificate Expired Configuration and Operation (Including High Availability) Client Machines Are Not Able to Authenticate Users Are Not Appropriately Redirected to URL Cannot Download Remote Client Provisioning Resources Lost Monitoring and Troubleshooting Data After Registering Policy Service ISE Node to Administration ISE Node Cisco ISE Monitoring Dashlets Not Visible with Internet Explorer 8 External Authentication Sources User Authentication Failed Missing User for RADIUS-Server Test Username in Cisco ISE Identities Connectivity Issues Between the Network Access Device (Switch) and Cisco ISE Active Directory Disconnected Cisco ISE Node Not Authenticating with Active Directory RADIUS Server Error Message Entries Appearing in Cisco ISE RADIUS Server Connectivity Issues (No Error Message Entries Appearing in Cisco ISE) Client Access, Authentication, and Authorization Cannot Authenticate on Profiled Endpoint Quarantined Endpoints Do Not Renew Authentication Following Policy Change Endpoint Does Not Align to the Expected Profile User is Unable to Authenticate Against the Local Cisco ISE Identity Store Certificate-Based User Authentication via Supplicant Failing 802.1X Authentication Fails Users Are Reporting Unexpected Network Access Issues Authorization Policy Not Working Switch is Dropping Active AAA Sessions URL Redirection on Client Machine Fails Agent Download Issues on Client Machine Agent Login Dialog Not Appearing Agent Fails to Initiate Posture Assessment Agent Displays "Temporary Access" Cisco ISE Does Not Issue Co A Following Authentication Error Messages ACTIVE_DIRECTORY_USER_INVALID_CREDENTIALS ACTIVE_DIRECTORY_USER_AUTH_FAILED ACTIVE_DIRECTORY_USER_PASSWORD_EXPIRED ACTIVE_DIRECTORY_USER_WRONG_PASSWORD ACTIVE_DIRECTORY_USER_ACCOUNT_DISABLED ACTIVE_DIRECTORY_USER_RESTRICTED_LOGON_HOURS ACTIVE_DIRECTORY_USER_NON_COMPLIANT_PASSWORD ACTIVE_DIRECTORY_USER_UNKNOWN_DOMAIN ACTIVE_DIRECTORY_USER_ACCOUNT_EXPIRED ACTIVE_DIRECTORY_USER_ACCOUNT_LOCKED_OUT ACTIVE_DIRECTORY_GROUP_RETRIEVAL_FAILED ACTIVE_DIRECTORY_MACHINE_AUTHENTICATION_DISABLED ACTIVE_DIRECTORY_ATTRIBUTE_RETRIEVAL_FAILED ACTIVE_DIRECTORY_PASSWORD_CHANGE_DISABLED ACTIVE_DIRECTORY_USER_UNKNOWN ACTIVE_DIRECTORY_CONNECTION_FAILED ACTIVE_DIRECTORY_BAD_PARAMETER ACTIVE_DIRECTORY_TIMEOUT Troubleshooting APIs Contacting the Cisco Technical Assistance Center This appendix addresses several categories of troubleshooting information that are related to identifying and resolving problems that you may experience when you use Cisco Identity Services Engine (ISE).
This appendix contains the following sections: •Installation and Network Connection Issues •Licensing and Administrator Access •Configuration and Operation (Including High Availability) •External Authentication Sources •Client Access, Authentication, and Authorization •Error Messages •Troubleshooting APIs •Contacting the Cisco Technical Assistance Center Note This appendix is kept as up-to-date as possible with regards to presentation on as well as the online Help content available in the Cisco ISE software application, itself.
session Id=Session Id Value&action=cwa •802.1X Redirection URL: url-redirect=https://ip:8443/guestportal/gateway?
Click the magnifying glass icon in Authentications to launch the Authentication Details.
The authentication report should have the redirect URL in the RADIUS response section as well as the session event section (which displays the switch syslog messages).
The content of the ACL should reveal one or more bad characters.
%EPM-4-POLICY_APP_FAILURE: IP 0.0.0.0| MAC 0002.b3e9.c926| Audit Session ID 0A0002010000239039837B18| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME x ACSACLx-IP-acl_access-4918c248| RESULT FAILURE| REASON Interface ACL not configured •The DACL syntax may be incorrect or not configured in Cisco ISE.