MnT Failure Reasons

Synopsis

netapi ise mnt failure-reasons [OPTIONS]

Description

List ISE authentication failure reason codes and descriptions.

Usage

# All failure reasons
netapi ise mnt failure-reasons

# Search for specific reason
netapi ise mnt failure-reasons | grep -i "certificate"

Common Failure Reasons

Code	Description	Common Cause
11007	Could not locate machine/user in external identity store	User not in AD, typo in username
12308	Client rejected EAP-TLS request	Certificate issues on endpoint
22056	Subject not found in LDAP	AD connectivity, wrong identity store
22058	User/Machine is disabled in Active Directory	Account disabled
24408	User authentication against external identity store failed	Wrong password, locked account
24415	Client certificate chain does not terminate at a trusted CA	CA certificate not imported to ISE

Code

Description

Common Cause

11007

Could not locate machine/user in external identity store

User not in AD, typo in username

12308

Client rejected EAP-TLS request

Certificate issues on endpoint

22056

Subject not found in LDAP

AD connectivity, wrong identity store

22058

User/Machine is disabled in Active Directory

Account disabled

24408

User authentication against external identity store failed

Wrong password, locked account

24415

Client certificate chain does not terminate at a trusted CA

CA certificate not imported to ISE

Troubleshooting Workflow

# 1. Get auth status for failing endpoint
netapi ise mnt auth-status 14:F6:D8:7B:31:80 --hours 24

# 2. Look up the failure reason code
netapi ise mnt failure-reasons | grep "12308"

# 3. Check endpoint in ERS
netapi ise get-endpoint 14:F6:D8:7B:31:80