Cisco ISE radius WLAN authentication not successful with some locations.

SOLVED
JacobD
Here to help

Cisco ISE radius WLAN authentication not successful with some locations.

Hi,

 

My company has many locations which we have put a Meraki SD-WAN device at to VPN to our HQ. At HQ we have a Cisco ISE which we use to authenticate WLAN  with dot1x. It works with most of our Meraki locations with no issues. But there are a couple of locations that have the exact same configuration as everywhere else, but cannot connect to our WLAN. Each computer is setup with a certificate to authenticate with, so no username/password should be needed to authenticate. And like I said, with most locations this works perfectly. But for these couple locations that don't work, the logs in the ISE say "Supplicant stopped responding to ISE". It never gives a deny or anything. My first thought was that the computers weren't configured with a certificate but there are other services that we use those same certificates for, so they wouldn't be able to work from home over VPN without these certificates either.

 

I tried a to test the connection from the dashboard with just test/test, because there are no username/passwords configured nothing i do will succeed, but I just wanted to make sure that it could reach the ISE. Meraki says that it failed but it did reach the server. In the logs of the ISE I see no log for this attempt for at least 3 minutes. usually I see logs appear pretty fast, so I am beginning to think that the clients are taking to long to answer. Is this a possibility or am I just shooting in the dark? If it is possible that it's answering to slow/late, what can I do in Meraki to troubleshoot? I don't see any configuration for radius timeout or anything similar.

 

Thanks in advance!

1 ACCEPTED SOLUTION

Thank you for your reply. The problem has been solved, sadly not by my efforts. There are cable modem connections at the locations and there were a few other issues that I wasn't aware of (one being issues with connecting to some our HQ servers from clients at the locations). My boss called the company and requested the modem be set to bridge mode. Everything works after the change. I am not sure if the modem has anything to do with the MTU, I don't think so, but I guess it's possible. It's also possible the modem had a security setting that was blocking our traffic. Again, thanks for your reply!

View solution in original post

3 REPLIES 3
CptnCrnch
Kind of a big deal
Kind of a big deal

Please check the maximum MTU size for the path inbetween the branches and your HQ. In most cases certificates will not come through to ISE because of a too small MTU and fragmentation disabled.

Thank you for your reply. The problem has been solved, sadly not by my efforts. There are cable modem connections at the locations and there were a few other issues that I wasn't aware of (one being issues with connecting to some our HQ servers from clients at the locations). My boss called the company and requested the modem be set to bridge mode. Everything works after the change. I am not sure if the modem has anything to do with the MTU, I don't think so, but I guess it's possible. It's also possible the modem had a security setting that was blocking our traffic. Again, thanks for your reply!

HosamHasan
Here to help

As mentioned above check MTU some ISP use low MTU fragmentation size you can use packet capture from from the AP with failed connections , another thing happened recently microsoft push update for TLS from version 1 to 1.2 so make sure your radius are working on booth , if you could post wireless health log or packet capture thats could be more helpfull to find the issue,

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels