[Day #27 of 150] Cisco ISE Mastery Training: Advanced Wired Authentication Troubleshooting

Introduction

Wired authentication problems are the most visible and disruptive NAC issues — users plug in and don’t get network access. Advanced troubleshooting for wired authentication requires a disciplined, methodical approach: reproduce the problem, collect the right evidence (switch CLI, packet captures, and ISE Live Logs), interpret RADIUS/EAP flows, and apply surgical fixes (switch config, identity source, certs, or ISE policy). This lesson teaches you the exact steps, commands, and GUI checks to diagnose and resolve the full spectrum of wired auth failures (802.1X, PEAP, EAP-TLS, MAB, CoA and dynamic VLAN issues).


Problem Statement

Common real-world challenges:

  • Users/PCs don’t authenticate (802.1X fails silently).
  • MAB devices don’t get assigned correct authorization (MAC not found).
  • EAP methods fail: certificate validation errors, PEAP/MSCHAPv2 rejections.
  • Dynamic VLANs or dACLs not applied after successful auth.
  • Intermittent failures when ISE is reachable sometimes and fails other times (timeouts, load balancing).
  • CoA (Change of Authorization) not applied when policy changes.

These can be caused by network misconfiguration, RADIUS reachability, identity source issues (AD), certificate trust problems, time skew, or NAD platform limitations.


Solution Overview

Troubleshooting approach (repeatable playbook):

  1. Reproduce & scope — single port, single user, time window.
  2. Physical & connectivity checks — link, VLAN, SVI, switch port state.
  3. NAD (switch) check — AAA/RADIUS config, dot1x/MAB settings, auth logs.
  4. ISE checks — Network Device entry, shared secret, Live Logs, IdentitySource, Authentication & Authorization policy matches, endpoint entries.
  5. Collect packet captures — EAPOL frames, RADIUS Access-Request/Accept, and verify attributes (tunnel & VLAN, dACL).
  6. Client logs — Windows Event Viewer, supplicant debug, certificate store.
  7. Remediate & validate — fix config, restart flow, verify success and document.

We’ll walk through each step in detail with the exact commands, GUI screens and debug patterns.


Sample Lab Topology

Environment (VMware/EVE-NG lab):

  • Cisco ISE VM (10.10.10.50) — Policy + PSN (Profiler + Portal optional)
  • Catalyst switch (IOS XE) — mgmt 10.10.10.2, access ports Gi1/0/10..12
  • AD/DC (10.10.10.10) — user auth, LDAP
  • Windows 10 client (802.1X supplicant)
  • IP Phone / Printer (MAB test)

Topology diagram: [image not reproduced in this text version; see the environment list above]

Step-by-Step GUI & CLI Troubleshooting Guide

Follow this sequence. Treat it like a checklist.


Step A — Reproduce & capture the initial failure

  1. Reproduce with a single client — note time, port, username/mac.
  2. On the switch, run:
show interface Gi1/0/10 status
show mac address-table interface Gi1/0/10
show ip interface brief

What to confirm: link up, correct VLAN trunk/access, MAC learned on expected port.


Step B — Quick health checks (network & services)

  1. Ping from switch to ISE and AD:
ping 10.10.10.50
ping 10.10.10.10
  2. Check DNS and NTP on ISE and switch (time skew breaks certificate validation):
  • On ISE GUI: Administration → System → Deployment → verify NTP status.
  • On switch: show ntp status and show clock.

If pings fail — fix routing/firewall/NAT or DNS before continuing.


Step C — Validate NAD (switch) RADIUS & AAA config

On switch:

show running-config | section radius
show running-config | inc aaa
show radius statistics

Look for:

  • RADIUS server IP matches ISE IP
  • Shared secret configured (can’t show secret value), but verify the same secret is in ISE Network Device entry.
  • ip radius source-interface matches the interface ISE expects (NAD source address used in ISE device entry).

Common failures: wrong NAD IP in ISE, switch using wrong source-interface (ISE rejects requests because IP doesn’t match device entry).


Step D — Check ISE Network Device entry

ISE GUI: Administration → Network Resources → Network Devices

  • Open switch entry: confirm the IP, shared secret, SNMP credentials.
  • Ensure correct device group and RADIUS authentication is enabled.
  • [Screenshot: ISE > Network Devices > Access_Switch_9300]

If the switch has multiple source IPs, either add each one as a separate Network Device entry or fall back to a catch-all 0.0.0.0-style entry; the best practice is to configure a single source-interface on the NAD and match that IP in ISE.


Step E — Check Live RADIUS Flow in ISE (first port of call)

ISE GUI: Operations → RADIUS → Live Logs

  1. Filter by timestamp or by calling station (MAC) or username.
  2. Open the failed session and examine:
    • Result: Access-Accept / Access-Reject / Access-Challenge (or failure reason)
    • Authentication Method: dot1x, MAB, EAP method (PEAP/EAP-TLS)
    • Identity Source (AD/Internal)
    • Auth Policy that matched (click the matched rule)
    • AuthZ Profile applied (if Access-Accept)
    • Returned Attributes: look for Tunnel-Private-Group-ID (VLAN), Filter-Id or downloaded ACL name, Cisco-AVPair etc.
    • Failure Reason (ISE often displays a reason text: e.g., ‘AD user not found’, ‘MSCHAPv2 failure’, ‘EAP TLS certificate expired’).
    • [Screenshot: ISE Live Logs > open session details]

Interpretation examples:

  • Access-Request → Access-Reject with reason Unknown user → AD lookup failed or wrong username format.
  • Access-Accept received but switch didn’t apply VLAN → NAD not accepting attributes or platform doesn’t support that attribute; check NAD attribute mapping.

Step F — Switch CLI: watch RADIUS and 802.1X flow in real time

CAUTION: Debug commands can be CPU heavy on production devices — run for short windows and outside business hours where possible.

On switch:

terminal monitor                  ! needed on SSH/Telnet sessions so debug output is displayed (the console shows it by default)
debug radius
debug dot1x all
debug aaa authentication

Reproduce the failure and watch the output. Look for:

  • RADIUS Access-Request for user <mac/username>
  • RADIUS Access-Accept received — should contain attributes
  • dot1x: EAP success or EAP failed messages

What to look for:

  • Shared secret mismatch → NAD shows RADIUS: Invalid message or ISE logs show Bad shared secret.
  • RADIUS traffic using unexpected source IP → “RADIUS server not matching device entry”.
  • EAP timeouts — switch logs show it waited X seconds before fallback to MAB.

Stop debug quickly: no debug all or undebug all.


Step G — Packet captures (EAPOL + RADIUS) — the smoking gun

Capture 1: EAPOL on the access port

  • On the switch: mirror port to a laptop running Wireshark, or use IOS monitor capture:
monitor capture CAP interface GigabitEthernet1/0/10 both
monitor capture CAP match any          ! IOS XE requires a core filter before the capture can start
monitor capture CAP start
<reproduce auth>
monitor capture CAP stop
monitor capture CAP export tftp://10.10.10.20/gi101.pcap

Look in Wireshark for:

  • EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity
  • EAP-Request/PEAP, EAP-Response/PEAP, EAP-Success or EAP-Failure
  • If EAP fails: look for invalid certificate, unknown CA, or MSCHAPv2 failure.
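As an added example (not part of the original post), a small Python decoder that prints the EAPOL/EAP sequence listed above from raw Ethernet frames, the same fields Wireshark shows; the frames below are constructed, with a made-up supplicant MAC and identity:

```python
import struct

# Constants from IEEE 802.1X (EAPOL) and RFC 3748 (EAP)
ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

def decode_eapol_frame(frame: bytes) -> str:
    """One-line, Wireshark-style summary of a single Ethernet frame carrying EAPOL."""
    if len(frame) < 18:
        return "runt frame"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        return f"not EAPOL (ethertype 0x{ethertype:04x})"
    _version, eapol_type, body_len = struct.unpack("!BBH", frame[14:18])
    name = EAPOL_TYPES.get(eapol_type, f"EAPOL type {eapol_type}")
    if eapol_type != 0:
        return name                      # EAPOL-Start / Logoff carry no EAP body
    body = frame[18:18 + body_len]
    if len(body) < 4:
        return "EAP-Packet (truncated)"
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    summary = f"EAP-{EAP_CODES.get(code, code)} id={ident}"
    if code in (1, 2) and eap_len >= 5:  # Request/Response carry an EAP type byte
        etype = body[4]
        summary += f"/{EAP_TYPES.get(etype, etype)}"
        if code == 2 and etype == 1:     # Response/Identity carries the outer identity
            summary += f" identity={body[5:eap_len].decode(errors='replace')!r}"
    return summary

# --- constructed sample frames (not from a real capture; addresses simplified) ---
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")   # 802.1X PAE group destination for EAPOL
SUPPLICANT_MAC = bytes.fromhex("001122334455")  # made-up client MAC
def eapol_frame(eapol_type: int, body: bytes = b"") -> bytes:
    return PAE_GROUP_MAC + SUPPLICANT_MAC + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, eapol_type, len(body)) + body
def eap_packet(code: int, ident: int, payload: bytes = b"") -> bytes:
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload

SAMPLE_FRAMES = [
    eapol_frame(1),                                          # supplicant: EAPOL-Start
    eapol_frame(0, eap_packet(1, 1, b"\x01")),               # switch: EAP-Request/Identity
    eapol_frame(0, eap_packet(2, 1, b"\x01user@lab.local")), # client: EAP-Response/Identity
    eapol_frame(0, eap_packet(1, 2, b"\x19\x20")),           # switch: EAP-Request/PEAP (Start flag)
    eapol_frame(0, eap_packet(3, 2)),                        # switch: EAP-Success
]

def summarize(frames):
    return [decode_eapol_frame(f) for f in frames]
```

Run it over frames exported from the monitor capture above; an EAP-Failure where EAP-Success is expected points at the certificate or MSCHAPv2 checks in Step J.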

Capture 2: RADIUS between NAD and ISE

  • Capture on ISE or network tap; or run debug radius on switch to view Access-Request/Accept. Verify attributes in Access-Accept (VLAN/tunnel, Filter-ID, dACL).

Interpretation:

  • If EAPOL completes but NAD does not receive Access-Accept — check RADIUS network path.
  • If Access-Accept includes VLAN but switch ignores it — NAD may not map attribute or VLAN missing on uplink.

Step H — Client side diagnostics

Windows client checks:

  1. Event Viewer → Applications and Services Logs → Microsoft → Windows → EAP and System for 802.1X errors.
  2. netsh lan show interfaces (the wired counterpart of netsh wlan show interfaces) and netsh lan show profiles show wired 802.1X state and profiles; both require the Wired AutoConfig (dot3svc) service to be running. Also check Ethernet adapter properties → Authentication tab.
  3. For PEAP/MSCHAPv2: verify user credentials and that AD password is not expired.
  4. For EAP-TLS: check Certificates MMC (Local Computer → Personal → Certificates) and verify client certificate, CA chain, EKU and subject name match expectations.

macOS / Linux: check supplicant logs (e.g., wpa_supplicant with debug).


Step I — AD & Identity Source troubleshooting (ISE side)

In ISE:

  • Administration → Identity Management → External Identity Sources → Active Directory → test connection.
  • If AD query fails: check DNS, AD join account credentials used by ISE, ensure port 389/636 open between ISE and AD.
  • Use ISE Live Logs to see which Identity Source was checked and errors (e.g., LDAP bind failed).

Common AD issues:

  • AD account locked / expired.
  • ISE node time skew causing Kerberos failures.
  • DNS misconfiguration (ISE unable to resolve DC SRV records).

Step J — EAP / Certificate troubleshooting (EAP-TLS specific)

If EAP-TLS fails:

  • Check client certificate validity and key usage (EKU = Client Authentication).
  • On ISE: Administration → System → Certificates → verify server cert (ISE) is valid, not expired, proper CN/SAN matches FQDN used by clients.
  • Ensure clients trust the issuing CA (trusted root in client certificate store).
  • In ISE Live Logs look for TLS handshake failed: certificate unknown or certificate revoked.

If PEAP fails (MSCHAPv2):

  • Live Logs often show MSCHAPv2 failure with reason NT_STATUS_PASSWORD_MISMATCH (bad password), or Account disabled. Check AD.

Step K — Authorization attributes not applied (VLAN/dACL missing)

If ISE shows Access-Accept with authorization profile but NAD doesn’t apply attributes:

  1. Confirm NAD supports the attribute (DACL vs Filter-ID vs VLAN).
  2. On switch, run show radius statistics and show authentication sessions interface Gi1/0/10 details — look for the Authorization Profile and the attributes actually applied.
  3. Check uplink/trunk allows VLAN ID (trunk allowed VLANs) — missing VLAN on uplink results in invalid VLAN assignment.
  4. Check ISE attribute names – for VLAN ensure Tunnel-Private-Group-ID is present in Access-Accept. If using Filter-ID, verify ACL name exists on switch.
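As an added example (not from the original post), a Python decoder for the RADIUS attributes that Step E, Capture 2 in Step G and Step K say to verify in the Access-Accept (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, Filter-Id and the Cisco-AVPair carrying the dACL), plus a check that the full VLAN trio is present; the packet is constructed, with a zeroed authenticator and a placeholder dACL name:

```python
import struct

RADIUS_CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
CISCO_VENDOR_ID = 9                           # Cisco-AVPair is vendor-type 1 under this vendor ID
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6   # RFC 2868 values a NAD expects for a dynamic VLAN

def decode_attributes(pkt: bytes) -> dict:
    """Parse a raw RADIUS packet; return its code and the authorization attributes Step E lists."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20                       # 20 = header (4) + Authenticator (16)
    while pos + 2 <= length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        value = pkt[pos + 2:pos + alen]
        pos += alen
        if atype == 26 and len(value) >= 6 and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            vtype, vlen = value[4], value[5]
            if vtype == 1:                    # Cisco-AVPair, e.g. the dACL reference
                attrs.setdefault("Cisco-AVPair", []).append(value[6:4 + vlen].decode())
        elif atype in (64, 65):               # Tunnel-Type / Tunnel-Medium-Type: tag byte + 3-byte int
            attrs[{64: "Tunnel-Type", 65: "Tunnel-Medium-Type"}[atype]] = int.from_bytes(value[1:4], "big")
        elif atype == 81:                     # Tunnel-Private-Group-ID: optional tag (0x00-0x1F) + VLAN
            attrs["Tunnel-Private-Group-ID"] = (value[1:] if value[:1] <= b"\x1f" else value).decode()
        elif atype == 11:
            attrs["Filter-Id"] = value.decode()
    return {"code": RADIUS_CODES.get(code, code), "attrs": attrs}

def vlan_assignment_ok(decoded: dict) -> bool:
    """A NAD honours a dynamic VLAN only when all three tunnel attributes arrive in an Access-Accept."""
    a = decoded["attrs"]
    return (decoded["code"] == "Access-Accept" and a.get("Tunnel-Type") == TUNNEL_TYPE_VLAN
            and a.get("Tunnel-Medium-Type") == TUNNEL_MEDIUM_802 and "Tunnel-Private-Group-ID" in a)

# --- helpers to build a constructed Access-Accept (sample data, not a real capture) ---
def radius_attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value

def cisco_avpair(text: str) -> bytes:
    vsa = bytes([1, len(text) + 2]) + text.encode()
    return radius_attr(26, struct.pack("!I", CISCO_VENDOR_ID) + vsa)

def build_packet(code: int, ident: int, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + bytes(16) + attrs  # authenticator zeroed

SAMPLE_ACCESS_ACCEPT = build_packet(2, 7,
    radius_attr(64, b"\x01" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
    + radius_attr(65, b"\x01" + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
    + radius_attr(81, b"\x01" + b"20")                        # VLAN 20
    + radius_attr(11, b"GUEST_ACL.in")                        # Filter-Id: this ACL must exist on the switch
    + cisco_avpair("ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-EXAMPLE_DACL-placeholder"))
```

Feed it the UDP payload of a captured Access-Accept; if vlan_assignment_ok is False while ISE shows the profile applied, the attribute set, not the switch, is the problem.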

Step L — CoA / Reauthorization not applied

If policy change requires CoA but NAD doesn’t accept CoA:

  • Ensure NAD is configured to accept CoA/Disconnect requests from ISE (CoA enabled).
  • From ISE, you can trigger CoA: Operations → RADIUS → Live Logs → select session → Disconnect/CoA action (GUI).
  • On NAD verify logs for inbound CoA; if blocked verify intermediate firewall and NAT not blocking or translating ISE source.

Step M — Collecting support bundles & escalation

If unresolved:

  1. From the switch: show tech-support (or equivalent) and capture show run, debug outputs, and packet captures.
  2. From ISE GUI: Administration → System → Troubleshooting → Download Support Bundle (grab logs for PSN, PAN).
  3. Document timestamps, usernames, MACs, and sample Access-Request/Accept/Reject pairs.

FAQs

1. Q — My switch shows Access-Accept but client still says “No network access.” Why?
A: Common reasons: Switch accepted Access-Accept but the returned VLAN ID is not allowed on uplink trunk (trunk not carrying VLAN), or the switch platform doesn’t support the RADIUS attribute type used (DACL vs Filter-ID). Check show authentication sessions and show ip access-lists. Verify trunk allowed VLAN list and that the switch applied the attribute.


2. Q — I see Access-Reject with reason “No matching identity found.” What now?
A: Check Identity Source Sequence used for that rule. Confirm AD is reachable, DNS works, and the username format is what AD expects (e.g., user@domain vs DOMAIN\user). Use ISE Live Logs to see which identity sources were tried and their errors.


3. Q — EAP-TLS fails with “certificate unknown.” How do I fix it?
A: Ensure:

  • ISE server certificate is valid and CN/SAN matches the value clients expect (FQDN).
  • Client trusts the issuing CA chain (root + intermediates installed).
  • Client certificate has Client Authentication EKU and is not expired or revoked.
    Check TLS handshake in packet capture to see which cert check fails.

4. Q — MAB devices are authenticated but get wrong Authorization profile.
A: Check MAC format (ISE and switch may normalize MACs differently: 00:11:22:33:44:55 vs 0011.2233.4455). Ensure MACs are registered in ISE with the expected format and in the right Endpoint Groups or Internal Endpoints DB. Also ensure Authorization rules order in ISE maps MAC to correct policy.


5. Q — Authentication sometimes works, sometimes times out. Intermittent success.
A: Likely intermittent network or resource issue: RADIUS UDP packet drops, misconfigured load-balancer, or ISE node resource exhaustion. Check show radius statistics, network path packet loss, ISE CPU/memory, and RADIUS retransmission counts.


6. Q — How can I test RADIUS without a supplicant?
A: Use a RADIUS test client tool (radclient / radtest) from a lab host to send Access-Request with sample attributes. On switch you can use test aaa group radius in some IOS versions. In ISE Live Logs you’ll see the test entry.


7. Q — CoA doesn’t reassign VLAN after policy change.
A: Confirm: (a) CoA is enabled on NAD; (b) ISE’s PAN can reach NAD IP on CoA port; (c) Firewall allows CoA traffic. Use ISE Live Logs to initiate CoA and check NAD logs for inbound CoA.


8. Q — Live Logs shows “EAP Timeout.” How long to wait before fallback to MAB?
A: The switch uses EAP timeout values (configurable). If EAP times out, authentication order dot1x mab will trigger MAB. Check show run | section dot1x and EAP timeout settings to tune behavior.


9. Q — I changed shared secret but ISE still receives requests from the NAD.
A: Ensure both sides have the same shared secret and that the NAD is sending requests from the source IP listed in ISE’s Network Device entry. If the NAD uses a different source-IP, create a corresponding Network Device entry in ISE.


10. Q — Where do I find which Authorization Profile ISE applied?
A: ISE Live Logs → open session → look at “Authorization Result” (shows profile name and attributes). On the NAD show authentication sessions shows the Authorization Profile name and applied attributes.


YouTube Link

For more in-depth Cisco ISE Mastery Training, subscribe to my YouTube channel Network Journey and join my instructor-led classes for hands-on, real-world ISE experience

[NEW COURSE ALERT] CISCO ISE (Identity Service Engine) by Sagar Dhawan
CCIE Security v6.1 Training – Ticket#1 Discussed
CCIE Security v6.1 – MAC Authentication Bypass (MAB) in Cisco ISE
CCNP to CCIE SECURITY v6.1 – New Online Batch

Closing Notes — key takeaways

  • Work methodically: reproduce → collect → interpret → fix → validate.
  • Start local (switch) → network (RADIUS) → ISE → identity source (AD) → client.
  • Use ISE Live Logs as your main GUI source of truth — it shows the matched rule, identity source and attributes returned.
  • Packet captures are decisive: EAPOL + RADIUS flows reveal TLS/PEAP handshakes and attribute presence.
  • Be cautious with debug in production; prefer short windows and scheduled time.
  • Document fixes (which rule changed, updated secrets, CoA actions) for future troubleshooting.

Fast-Track to Cisco ISE Mastery Pro

If you want hands-on mastery of these troubleshooting techniques (live lab scenarios, instructor feedback, real enterprise case studies), join 4-month Instructor-Led CCIE Security / Cisco ISE Mastery Program. You’ll get:

  • Live lab builds in VMware/EVE-NG with downloadable lab packs
  • Step-by-step troubleshooting playbooks (like the one above) ready to use in production
  • Live Q&A, exam prep, and career coaching

Seats are limited — reserve your spot and see the full outline here:
https://course.networkjourney.com/ccie-security/

Enroll Now & Future‑Proof Your Career
Email: info@networkjourney.com
WhatsApp / Call: +91 97395 21088


Trainer Sagar Dhawan

Hi all,
Good to see you here.
I'm your Trainer for CCIE, CCNP, CCNA, Firewall batches and many more courses coming up!
Stay tuned for latest updates!
Keep me posted over Whatsapp/Email about your experience learning from us.
Thanks for being part of - "Network Journey - A journey towards packet-life!!!"