dc top-failures
Description
Get top failure reasons with counts and percentages. Quickly identify what’s breaking authentication - the first step in any troubleshooting workflow.
Options
| Option | Default | Description |
|---|---|---|
|
|
Hours to look back |
|
|
Maximum results to return |
Usage
# Top 20 failures (last 24h)
netapi ise dc top-failures
# Last hour - incident response
netapi ise dc top-failures --hours 1
# Top 5 only
netapi ise dc top-failures --limit 5
# JSON for scripting
netapi ise dc --format json top-failuresSample Output
Top Failures (last 24h)
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━┳━━━━━━┓
┃ Failure Reason ┃ Count ┃ % ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━╇━━━━━━┩
│ 22056 Subject not found in the applicable identity... │ 45 │ 35% │
│ 22028 Authentication failed and target type is... │ 28 │ 22% │
│ 24408 EAP-TLS failed SSL/TLS handshake because of... │ 15 │ 12% │
│ 12514 EAP-TLS failed SSL/TLS handshake because... │ 12 │ 9% │
│ 22045 RADIUS packet contains duplicate RADIUS att... │ 8 │ 6% │
└─────────────────────────────────────────────────────────┴───────┴──────┘Common Failure Reasons
| Code | Meaning |
|---|---|
|
User not found in identity store (AD/LDAP) |
|
Authentication failed - password or unknown user |
|
Certificate issue - expired, revoked, or untrusted CA |
|
EAP-TLS handshake failure - often client cert issue |
|
Duplicate RADIUS attributes - usually supplicant bug |
Use Cases
See Also
-
nas - Which NADs are failing
-
failed - Individual failed auth records
-
auth-history - Failures for specific MAC