ISE Troubleshooting

Authorization Issues

Wrong VLAN Assignment

Symptoms

  • Authentication succeeds but endpoint placed on wrong VLAN

  • Cannot reach expected network resources

  • IP address on unexpected subnet

Example: Expected VLAN 10, got VLAN 40
# Check current IP
ip addr show enp130s0
# Shows: inet 10.50.40.104/24  (VLAN 40 - Research)

# Expected: inet 10.50.10.x/24  (VLAN 10 - Data)

Diagnosis

  1. Check ISE session details:

    # Source credentials
    source <(DSEC_SECURITY_MODE=permissive ~/.secrets/bin/dsec source d000 dev/network)
    
    # Check which authorization profile was applied
    netapi ise mnt session 98:bb:1e:1f:a7:13
    
    # Get detailed authorization context
    netapi ise dc session 98:bb:1e:1f:a7:13
  2. Check authorization profile configuration:

    # Get profile details (shows VLAN assignment)
    netapi ise get-authz-profile Linux_EAPTLS_Admins

    Look for the vlan field:

    vlan  {'nameID': 'RESEARCH_VLAN', 'tagID': 1}  ← Wrong VLAN

Resolution

Update the authorization profile with correct VLAN name:

# Update to correct VLAN (use VLAN NAME from switch)
netapi ise update-authz-profile Linux_EAPTLS_Admins --vlan DATA_VLAN

# Verify change
netapi ise get-authz-profile Linux_EAPTLS_Admins

CRITICAL: Always use switch VLAN names (e.g., DATA_VLAN), NOT numeric IDs.

Verify switch VLAN names:
netapi ios exec "show vlan brief"

Output:

VLAN Name                             Status    Ports
---- -------------------------------- --------- --------
10   DATA_VLAN                        active    ...
40   RESEARCH_VLAN                    active    ...
100  MANAGEMENT_VLAN                  active    ...

Reconnect to apply new VLAN:

# Reconnect 802.1X
sudo nmcli connection down Wired-802.1X
sudo nmcli connection up Wired-802.1X

# Verify new IP address
ip addr show enp130s0
# Should now show: inet 10.50.10.x/24
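The two checks this section asks for (does the profile name the VLAN the switch knows, and did the endpoint actually land in that VLAN's subnet) can be scripted against the command output shown above. The following is an added example for this runbook, not part of netapi or ISE: it parses the `vlan` field as printed by `netapi ise get-authz-profile` and the `show vlan brief` table from `netapi ios exec`, flags a wrong VLAN name or a numeric ID used where a switch VLAN name is required, and tests an `ip addr show` address against the VLAN's subnet. The sample profile line and switch table are constructed to match the runbook; the VLAN-to-subnet mapping is the one the runbook uses (VLAN 10 = 10.50.10.0/24, VLAN 40 = 10.50.40.0/24).

```python
"""Check an ISE authorization profile's VLAN assignment against the switch's VLAN table.

Added example for this runbook; not netapi or ISE code. Input formats follow the
get-authz-profile and `show vlan brief` output reproduced in the runbook.
"""
import ast
import ipaddress
import re

# Constructed sample: the vlan line from get-authz-profile output (the wrong-VLAN case).
PROFILE_VLAN_LINE = "vlan  {'nameID': 'RESEARCH_VLAN', 'tagID': 1}"

# Constructed sample: `show vlan brief` output for the runbook's switch (port list invented).
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- --------
10   DATA_VLAN                        active    Gi1/0/5, Gi1/0/7
40   RESEARCH_VLAN                    active    Gi1/0/9
100  MANAGEMENT_VLAN                  active    Gi1/0/48
"""

# Subnets the runbook associates with each VLAN (VLAN 10 = Data, VLAN 40 = Research).
VLAN_SUBNETS = {
    10: ipaddress.ip_network("10.50.10.0/24"),
    40: ipaddress.ip_network("10.50.40.0/24"),
}


def parse_profile_vlan(line):
    """Return the vlan dict ({'nameID': ..., 'tagID': ...}) from a get-authz-profile line."""
    match = re.search(r"vlan\s+(\{.*\})", line)
    if not match:
        raise ValueError("no vlan field found in: %r" % line)
    return ast.literal_eval(match.group(1))   # literal_eval parses only Python literals, never code


def parse_show_vlan_brief(text):
    """Map VLAN name -> numeric ID from `show vlan brief` output; header and separator lines are skipped."""
    vlans = {}
    for line in text.splitlines():
        match = re.match(r"^(\d+)\s+(\S+)\s+\S+", line)
        if match:
            vlans[match.group(2)] = int(match.group(1))
    return vlans


def check_profile_vlan(profile_vlan, switch_vlans, expected_name):
    """Return a list of findings; an empty list means the profile's VLAN assignment is correct."""
    findings = []
    name = profile_vlan.get("nameID")
    if name is None:
        return ["profile has no VLAN nameID"]
    if name.isdigit():
        # Per the runbook, a numeric ID here produces a silent VLAN assignment failure.
        findings.append("numeric VLAN ID %r used instead of a switch VLAN name" % name)
    elif name not in switch_vlans:
        findings.append("VLAN name %r does not exist on the switch" % name)
    if name != expected_name:
        findings.append("profile assigns %r, expected %r" % (name, expected_name))
    return findings


def endpoint_on_vlan(ip_with_prefix, vlan_id):
    """True if an `ip addr show` address (e.g. '10.50.40.104/24') lies in the VLAN's subnet."""
    addr = ipaddress.ip_interface(ip_with_prefix).ip
    return addr in VLAN_SUBNETS[vlan_id]


if __name__ == "__main__":
    switch_vlans = parse_show_vlan_brief(SHOW_VLAN_BRIEF)
    profile_vlan = parse_profile_vlan(PROFILE_VLAN_LINE)
    for finding in check_profile_vlan(profile_vlan, switch_vlans, "DATA_VLAN"):
        print("FINDING:", finding)
    print("endpoint 10.50.40.104 on VLAN 10:", endpoint_on_vlan("10.50.40.104/24", 10))
```

Feed it the real output by capturing `netapi ise get-authz-profile` and `netapi ios exec "show vlan brief"` into strings in place of the constructed samples; the checks themselves do not change.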

DACL Not Applied

Symptoms

  • Authentication succeeds, correct VLAN assigned

  • Network access more restrictive than expected

  • Cannot reach resources that should be accessible

Diagnosis

  1. Check if DACL exists:

    # List all DACLs
    netapi ise get-dacls
    
    # Get specific DACL content
    netapi ise get-dacl LINUX_EAPTLS_PERMIT_ALL
  2. Check if DACL assigned to profile:

    # Check authorization profile
    netapi ise get-authz-profile Linux_EAPTLS_Admins

    Look for daclName field:

    daclName  LINUX_EAPTLS_PERMIT_ALL  ← DACL assigned
    daclName  (empty)                  ← No DACL assigned
  3. Check session to verify DACL applied:

    # Detailed session view shows applied DACL
    netapi ise dc session 98:bb:1e:1f:a7:13

Resolution

If DACL doesn’t exist, create it:

netapi ise create-dacl LINUX_EAPTLS_PERMIT_ALL \
  --acl "permit ip any any" \
  --descr "Full network access for Linux Admin workstations"

If DACL exists but not assigned, update profile:

netapi ise update-authz-profile Linux_EAPTLS_Admins \
  --dacl LINUX_EAPTLS_PERMIT_ALL

Reconnect to apply new DACL:

# Send CoA to reauthorize without reconnecting
netapi ise mnt coa-reauth 98:bb:1e:1f:a7:13

# Or reconnect manually
sudo nmcli connection down Wired-802.1X
sudo nmcli connection up Wired-802.1X

Authorization Rule Not Matching

Symptoms

  • Authentication succeeds but wrong authorization profile applied

  • Endpoint gets default/catch-all authorization instead of expected profile

Diagnosis

  1. Check which rule matched:

    # Detailed session shows matched authorization rule
    netapi ise dc session 98:bb:1e:1f:a7:13
  2. Check authorization rules in policy set:

    # List all authorization rules
    netapi ise get-authz-rules "Domus-Wired 802.1X"
  3. Check rule conditions:

    Look for AD group membership conditions:

    Condition: INSIDE-AD.ExternalGroups contains
      'inside.domusdigitalis.dev/Groups/GRP-Linux-Admin-Workstations'

Resolution

Verify computer is member of correct AD group:

# SSH to Domain Controller
ssh modestus-p50 "ssh administrator@dc-01.inside.domusdigitalis.dev \
  'Get-ADGroupMember -Identity GRP-Linux-Admin-Workstations'"

If group exists but not in ISE, add it:

# Add AD group to ISE join point
netapi ise add-ad-groups "INSIDE-AD" "GRP-Linux-Admin-Workstations"

If rule doesn’t exist, create it:

See Authorization Policy for creating authorization rules.

If wrong rule is matching (rule order issue):

ISE evaluates authorization rules top-to-bottom. A generic rule at the top can shadow more specific rules below.

Example: Rule #1 shadows rule #0
# List rules to check order
netapi ise get-authz-rules "Domus-Wired 802.1X"

# Output shows:
#   #0: Linux_Admin_EAP-TLS         (specific - AD group check)
#   #1: Linux_Research_AD_Machine   (generic - EAP-TLS only)  ← Matches first!

Rule evaluation is FIRST-MATCH-WINS: Most specific rules MUST be at rank 0 (top).

Wrong Order (generic shadows specific):
#0: EAP-TLS_AllUsers      ← Matches ALL EAP-TLS (too broad!)
#1: EAP-TLS_Admins        ← Never reached (shadowed)
Correct Order (specific before generic):
#0: EAP-TLS_Admins        ← Matches admins first ✓
#1: EAP-TLS_AllUsers      ← Matches remaining users ✓

Fix by deleting shadowing rule:

# Delete the generic rule that's matching incorrectly
netapi ise delete-authz-rule "Domus-Wired 802.1X" "Linux_Research_AD_Machine" --force

# Verify rule removed
netapi ise get-authz-rules "Domus-Wired 802.1X"

# Reconnect to apply new rule
sudo nmcli connection down Wired-802.1X
sudo nmcli connection up Wired-802.1X

# Verify correct profile applied
netapi ise dc session 98:bb:1e:1f:a7:13
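The first-match-wins behaviour described in this section, and the difference between a rule that is truly shadowed (no session can ever reach it) and one that simply did not match this endpoint, can be reproduced offline. The following is an added example for this runbook, not netapi or ISE code: `evaluate()` walks rules by rank and returns the first enabled match (falling through to Default / DenyAccess), and `shadowed_rules()` reports a rule as unreachable when an earlier enabled rule's conditions are a subset of its own. Rule names, the AD group and the `Linux_EAPTLS_Admins` profile are taken from the runbook; profile names the runbook does not state are marked as placeholders, and the session attribute values are constructed.

```python
"""First-match-wins evaluation of ISE authorization rules, with shadow detection.

Added example for this runbook; not netapi or ISE code. Rules are (rank, name,
conditions, profile, enabled); sessions are attribute dicts. Multi-valued session
attributes (e.g. ExternalGroups) are matched with "contains" semantics.
"""
from dataclasses import dataclass

EAP = "Network Access.EapAuthentication"
GROUPS = "INSIDE-AD.ExternalGroups"          # multi-valued; the condition operator is "contains"
ADMIN_GROUP = "inside.domusdigitalis.dev/Groups/GRP-Linux-Admin-Workstations"


@dataclass
class Rule:
    rank: int
    name: str
    conditions: dict      # attribute -> value that must equal (or be contained in) the session's
    profile: str
    enabled: bool = True


def _matches(rule, session):
    for attr, wanted in rule.conditions.items():
        have = session.get(attr)
        if isinstance(have, (set, frozenset, list, tuple)):
            if wanted not in have:          # "contains" for multi-valued attributes
                return False
        elif have != wanted:
            return False
    return True


def evaluate(rules, session, default_profile="DenyAccess"):
    """Return (rule_name, profile) of the first enabled rule, by rank, whose conditions all hold."""
    for rule in sorted(rules, key=lambda r: r.rank):
        if rule.enabled and _matches(rule, session):
            return rule.name, rule.profile
    return "Default", default_profile


def shadowed_rules(rules):
    """Return [(unreachable_rule, shadowing_rule)]. A later rule is unreachable when some
    earlier enabled rule's conditions are a subset of its own: every session the later rule
    could match is already claimed by the earlier one."""
    ordered = sorted((r for r in rules if r.enabled), key=lambda r: r.rank)
    found = []
    for i, later in enumerate(ordered):
        later_conds = set(later.conditions.items())
        for earlier in ordered[:i]:
            if set(earlier.conditions.items()) <= later_conds:
                found.append((later.name, earlier.name))
                break
    return found


# Rule set as the runbook found it: the specific rule sits at rank 0, but its AD group
# condition did not hold for the endpoint, so the generic rule at rank 1 matched instead.
RULES_AS_FOUND = [
    Rule(0, "Linux_Admin_EAP-TLS", {EAP: "EAP-TLS", GROUPS: ADMIN_GROUP}, "Linux_EAPTLS_Admins"),
    Rule(1, "Linux_Research_AD_Machine", {EAP: "EAP-TLS"}, "PLACEHOLDER_RESEARCH_PROFILE"),
]
# The runbook's "Wrong Order" and "Correct Order" illustrations (AllUsers profile is a placeholder).
WRONG_ORDER = [
    Rule(0, "EAP-TLS_AllUsers", {EAP: "EAP-TLS"}, "PLACEHOLDER_ALLUSERS_PROFILE"),
    Rule(1, "EAP-TLS_Admins", {EAP: "EAP-TLS", GROUPS: ADMIN_GROUP}, "Linux_EAPTLS_Admins"),
]
CORRECT_ORDER = [
    Rule(0, "EAP-TLS_Admins", {EAP: "EAP-TLS", GROUPS: ADMIN_GROUP}, "Linux_EAPTLS_Admins"),
    Rule(1, "EAP-TLS_AllUsers", {EAP: "EAP-TLS"}, "PLACEHOLDER_ALLUSERS_PROFILE"),
]

# Constructed sessions: a workstation in the admin AD group and one that is not.
ADMIN_SESSION = {EAP: "EAP-TLS", GROUPS: {ADMIN_GROUP}}
OTHER_SESSION = {EAP: "EAP-TLS", GROUPS: set()}

if __name__ == "__main__":
    print("as found, not in group:", evaluate(RULES_AS_FOUND, OTHER_SESSION))
    print("wrong order, admin    :", evaluate(WRONG_ORDER, ADMIN_SESSION))
    print("wrong order shadows   :", shadowed_rules(WRONG_ORDER))
    print("correct order shadows :", shadowed_rules(CORRECT_ORDER))
```

Run against `RULES_AS_FOUND`, `shadowed_rules()` returns nothing: the admin rule was reachable, it just failed its group condition for this machine, which is why the runbook's fix had to address both rule order and AD group membership. Against `WRONG_ORDER` it reports `EAP-TLS_Admins` as shadowed by `EAP-TLS_AllUsers`, and an admin session lands on the generic profile.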

Success Case: modestus-razer Resolution

Authorization Rule Troubleshooting Flow

Scenario: Authentication succeeded but endpoint assigned wrong VLAN (40 instead of 10), causing network access issues.

Root Causes Identified:

  1. Authorization rule ordering - generic rules shadowing specific rules

  2. AD group condition not matching (computer not in required AD group)

  3. Posture rules matching before intended EAP-TLS rules

Resolution Steps Taken:

  1. Delete shadowing rules:

    # Remove generic rules that were matching first
    netapi ise delete-authz-rule "Domus-Wired 802.1X" "Linux_Research_AD_Machine" --force
    netapi ise delete-authz-rule "Domus-Wired 802.1X" "Linux_EAPTLS_Test" --force
  2. Create simple EAP-TLS rule (no AD group requirement):

    # Create rule that matches any EAP-TLS authentication
    netapi ise add-authz-rule "Domus-Wired 802.1X" \
      "Linux_EAP-TLS_Permit" \
      "Linux_EAPTLS_Admins" \
      --dict "Network Access" \
      --attr "EapAuthentication" \
      --value "EAP-TLS" \
      --operator "equals" \
      --rank 0
  3. Recreate posture rules (disabled until ready):

    # Recreate but keep disabled
    netapi ise add-authz-rule "Domus-Wired 802.1X" \
      "Linux_Posture_Compliant" "Linux_Posture_Compliant" \
      --dict "Session" --attr "PostureStatus" \
      --value "Compliant" --operator "equals" --rank 1

    # Disable via ISE GUI: Policy → Policy Sets → Domus-Wired 802.1X → Toggle OFF
  4. Before and after rule ordering:

    Figure 1. Final working configuration

    # Verify rule order
    netapi ise get-authz-rules "Domus-Wired 802.1X"

    # Output:
    #   #0: Linux_EAP-TLS_Permit     → Linux_EAPTLS_Admins (VLAN 10) ✓
    #   #1: Linux_Admin_EAP-TLS      → (disabled - AD group required)
    #   #2-4: Posture rules          → (disabled - not ready yet)
    #   #5: Default                  → DenyAccess
  5. Reconnect and verify:

    # Reconnect 802.1X
    sudo nmcli connection down Wired-802.1X
    sudo nmcli connection up Wired-802.1X

    # Verify VLAN 10 assignment
    ip addr show enp130s0 | grep inet
    # Output: inet 10.50.10.130/24 ✓

    # Verify switch status
    netapi ios exec "show access-s int g1/0/5 d"
    # Output:
    #   Status:  Authorized ✓
    #   IPv4 Address:  10.50.10.130 ✓
    #   Vlan: 10 ✓
    #   dot1x Authc Success ✓

Lessons Learned:

  • Rule order is critical - Most specific rules MUST be at rank 0 (top)

  • Test incrementally - Add one rule at a time, verify it works

  • AD group prerequisites - Ensure groups exist in ISE before using in conditions

  • Disable unused rules - Don’t leave experimental rules enabled

  • netapi is essential - CLI automation saved hours of GUI clicking

Key Commands Used:

Command                                        Purpose
---------------------------------------------  -------------------------------------------------
netapi ise get-authz-rules                     List all authorization rules in policy set
netapi ise add-authz-rule                      Create new authorization rule
netapi ise delete-authz-rule                   Remove authorization rule (permanent)
netapi ise update-authz-rule                   Enable/disable rule, change rank, change profile
netapi ise dc session <MAC>                    Detailed session diagnostics (which rule matched)
netapi ios exec "show access-s int <port> d"   Verify switch port authorization status

Network Connectivity Issues After Authentication

Symptoms

  • Authentication succeeds, correct VLAN assigned

  • Cannot ping gateway or other network devices

  • DACL shows "permit ip any any" but still restricted

Diagnosis

  1. Check interface and IP configuration:

    # Check IP address
    ip addr show enp130s0
    
    # Check routing table
    ip route show
    
    # Check DNS
    cat /etc/resolv.conf
  2. Test gateway connectivity:

    # Ping gateway
    ping -c 2 10.50.10.1
    
    # Check ARP table
    ip neigh show
  3. Check firewall rules on pfSense:

    Cross-VLAN traffic might be blocked by firewall rules even if DACL permits it.

Common Causes

  1. pfSense firewall rules blocking traffic between VLANs

  2. Switch ACL in addition to DACL

  3. Linux local firewall (iptables/nftables) blocking traffic

  4. DACL has restrictive rules despite appearing to permit all

Resolution

Check Linux local firewall:

# Check iptables rules
sudo iptables -L -n -v

# Check nftables rules
sudo nft list ruleset

# Temporarily disable to test (if safe)
sudo systemctl stop iptables
sudo systemctl stop nftables

Verify DACL content:

# Get exact ACL rules
netapi ise get-dacl LINUX_EAPTLS_PERMIT_ALL

Check switch interface configuration:

# Check interface config on switch
netapi ios exec "show running-config interface GigabitEthernet1/0/7"
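The "Verify DACL content" step matters because a DACL can end in `permit ip any any` and still block traffic: the switch applies the entries top-down, first match wins, with an implicit deny after the last line, so a deny placed above the permit-all silently wins for anything it covers. The following is an added example for this runbook, not netapi or ISE code: it parses the ACE text as `netapi ise get-dacl` prints it (`permit|deny <proto> <src> <dst> [eq <port>]`, with `any`, `host A.B.C.D` or `A.B.C.D <wildcard>` operands; only a destination-port `eq` is handled), answers whether a given flow is allowed and by which line, and lists entries that an earlier entry makes unreachable. Both DACL texts below are constructed; the addresses are the runbook's gateway, switch and ISE addresses.

```python
"""Evaluate a Cisco-style DACL for a given flow and find entries that can never match.

Added example for this runbook; not netapi or ISE code. Semantics modelled: top-down,
first match wins, implicit deny at the end; protocol "ip" covers every protocol.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Ace:
    action: str      # "permit" or "deny"
    proto: str       # "ip", "tcp", "udp", "icmp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    text: str


def _parse_addr(tokens, i):
    """Parse one address operand starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "A.B.C.D W.W.W.W": ipaddress accepts a wildcard (host) mask after the slash
    return ipaddress.ip_network(tokens[i] + "/" + tokens[i + 1], strict=False), i + 2


def parse_dacl(text):
    """Parse DACL lines into Ace objects, skipping blank lines, comments and remarks."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", "remark")):
            continue
        tok = line.split()
        action, proto = tok[0], tok[1]
        if action not in ("permit", "deny"):
            raise ValueError("unsupported ACE: " + line)
        src, i = _parse_addr(tok, 2)
        dst, i = _parse_addr(tok, i)
        dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        aces.append(Ace(action, proto, src, dst, dport, line))
    return aces


def _covers(ace, proto, src, dst, dport):
    if ace.proto not in ("ip", proto):
        return False
    if src not in ace.src or dst not in ace.dst:
        return False
    return ace.dport is None or ace.dport == dport


def flow_allowed(aces, src_ip, dst_ip, proto="ip", dport=None):
    """Return (allowed, text of the matching ACE or None). No match means the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if _covers(ace, proto, src, dst, dport):
            return ace.action == "permit", ace.text
    return False, None


def unreachable_aces(aces):
    """Texts of ACEs that an earlier ACE fully covers (same or 'ip' protocol, superset of
    src and dst, same port or no port restriction): those lines can never be the match."""
    dead = []
    for i, later in enumerate(aces):
        for earlier in aces[:i]:
            if (earlier.proto in ("ip", later.proto)
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and (earlier.dport is None or earlier.dport == later.dport)):
                dead.append(later.text)
                break
    return dead


# Constructed: the runbook's permit-all DACL as intended.
PERMIT_ALL = "permit ip any any\n"

# Constructed: a DACL that ends in permit-all but denies the infrastructure subnet first.
LOOKS_PERMISSIVE = """\
remark appears to permit everything
deny ip any 10.50.1.0 0.0.0.255
permit ip any any
permit tcp any host 10.50.1.21 eq 443
"""

if __name__ == "__main__":
    aces = parse_dacl(LOOKS_PERMISSIVE)
    print(flow_allowed(aces, "10.50.10.130", "10.50.10.1"))             # gateway: permitted
    print(flow_allowed(aces, "10.50.10.130", "10.50.1.21", "tcp", 443))  # ISE: denied by line 1
    print(unreachable_aces(aces))
```

With `LOOKS_PERMISSIVE`, the gateway ping is permitted but anything to 10.50.1.0/24 (switch, ISE) is denied by the first line, which is exactly the "DACL shows permit ip any any but still restricted" symptom; the last line is reported unreachable because the deny above it already covers 10.50.1.21.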

Complete Verification Workflow

After any authorization changes, follow this workflow:

#!/bin/bash
# complete-verification.sh - Verify ISE authorization configuration

# Source credentials
source <(DSEC_SECURITY_MODE=permissive ~/.secrets/bin/dsec source d000 dev/network)

MAC="98:bb:1e:1f:a7:13"
PROFILE="Linux_EAPTLS_Admins"

echo "=== 1. Authorization Profile Configuration ==="
netapi ise get-authz-profile "$PROFILE"

echo -e "\n=== 2. DACL Content ==="
netapi ise get-dacl LINUX_EAPTLS_PERMIT_ALL

echo -e "\n=== 3. Current Session Details ==="
netapi ise mnt session "$MAC"

echo -e "\n=== 4. Detailed Authorization Context ==="
netapi ise dc session "$MAC"

echo -e "\n=== 5. Network Configuration ==="
echo "IP Address:"
ip addr show enp130s0 | grep "inet "

echo -e "\nRouting:"
ip route show | grep default

echo -e "\n=== 6. Connectivity Tests ==="
echo "Gateway (10.50.10.1):"
ping -c 2 10.50.10.1 2>&1 | tail -1

echo "Switch (10.50.1.10):"
ping -c 2 10.50.1.10 2>&1 | tail -1

echo "ISE (10.50.1.21):"
ping -c 2 10.50.1.21 2>&1 | tail -1

Make executable and run:

chmod +x complete-verification.sh
./complete-verification.sh

Common Error Messages

Error:      Value for attribute is not a permitted option
Cause:      AD group not added to ISE join point
Resolution: Run netapi ise add-ad-groups "INSIDE-AD" "GROUP_NAME"

Error:      Authorization profile not found
Cause:      Profile name misspelled or doesn’t exist
Resolution: Check netapi ise get-authz-profiles

Error:      DACL not found
Cause:      DACL name misspelled or doesn’t exist
Resolution: Check netapi ise get-dacls, create if needed

Error:      Session not found
Cause:      Endpoint not authenticated or wrong MAC
Resolution: Check netapi ise mnt sessions for active sessions

Error:      Silent VLAN assignment failure
Cause:      Used numeric VLAN ID instead of name
Resolution: Use VLAN name: --vlan DATA_VLAN not --vlan 10