Supplicant

As discussed earlier, the ISE Policy Administration Node (PAN) should be the first stop when troubleshooting authentication failures. Some failures will require additional diagnostic work at the NAD level. In most cases, the logs and debugs from the ISE and the NAD should be enough to determine the root cause of the problem.

The diagnostic work that can be performed on a supplicant is largely dependent on the troubleshooting tools that a particular supplicant provides. The native Windows supplicant has almost no debugging tools. Cisco AnyConnect Network Access Manager has a diagnostic and reporting tool (DART) that can be deployed to clients and used to generate a detailed report file. However, the report file is primarily for use by Cisco support staff and not generally recommended for the end user.

Sniffer traces provide vital troubleshooting information, but they are also of limited use on the end client. In general, using the Cisco Switched Port Analyzer (SPAN) to sniff the traffic at the switch is a more reliable and effective way to gather EAP packet traces.

Some of the common supplicant failures arise when the client sends an EAPoL Start request but then fails to respond to the Identity Request message from the switch. Usually this happens because the supplicant cannot find valid credentials. When the client "goes silent," neither the switch nor Cisco ISE has any way to determine the reason for the failure.
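The two paragraphs above describe gathering EAP packet traces with SPAN and the "silent supplicant" pattern: an EAPoL-Start followed by an Identity Request that the client never answers. The following script is an added example (not from the original text and not a Cisco tool) that decodes raw Ethernet/EAPoL/EAP frames from such a trace and flags any client that left an EAP Request unanswered for longer than a threshold, defaulting to the 120 seconds ISE waits before logging failure reason 5411. The MAC addresses, identity string and timestamps in SAMPLE_CAPTURE are constructed for the demonstration; it assumes the switch unicasts its EAP Requests to the client's MAC once it has seen the client's EAPoL-Start.

```python
import struct

# IEEE 802.1X framing constants: EtherType, EAPoL packet types, EAP codes and EAP types.
ETHERTYPE_EAPOL = 0x888E
EAPOL_EAP_PACKET, EAPOL_START = 0, 1
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_TLS = 1, 13


def parse_frame(frame: bytes):
    """Decode one Ethernet frame; return a dict for EAPoL frames, None for anything else."""
    if len(frame) < 18:
        return None
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        return None
    _version, ptype, length = struct.unpack("!BBH", frame[14:18])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "eapol_type": ptype, "eap": None}
    body = frame[18:18 + length]
    if ptype == EAPOL_EAP_PACKET and len(body) >= 4:
        code, eap_id, eap_len = struct.unpack("!BBH", body[:4])
        eap = {"code": code, "id": eap_id}
        # Request/Response carry a Type byte and type-specific data after the 4-byte header.
        if code in (EAP_REQUEST, EAP_RESPONSE) and len(body) >= 5:
            eap["type"] = body[4]
            eap["data"] = body[5:eap_len]
        info["eap"] = eap
    return info


def find_silent_supplicants(capture, timeout=120.0):
    """Flag clients that were sent an EAP Request and never answered it within `timeout`.

    capture: iterable of (timestamp_seconds, raw_ethernet_frame) in capture order.
    Assumption: the authenticator unicasts Requests to the client MAC, so the client
    of a Request is its destination and the client of a Response is its source.
    """
    pending = {}      # client MAC -> (eap_id, eap_type, time the request was first sent)
    last_ts = None
    for ts, raw in capture:
        last_ts = ts
        f = parse_frame(raw)
        if not f or f["eap"] is None:
            continue
        eap = f["eap"]
        if eap["code"] == EAP_REQUEST:
            client = f["dst"]
            prev = pending.get(client)
            if prev and prev[0] == eap["id"]:
                continue  # retransmission of the same request: keep the original timestamp
            pending[client] = (eap["id"], eap.get("type"), ts)
        elif eap["code"] == EAP_RESPONSE:
            prev = pending.get(f["src"])
            if prev and prev[0] == eap["id"]:
                del pending[f["src"]]  # the client answered; nothing outstanding
        elif eap["code"] in (EAP_SUCCESS, EAP_FAILURE):
            pending.pop(f["dst"], None)  # the exchange ended one way or the other
    findings = []
    for client, (eap_id, eap_type, t0) in pending.items():
        waited = last_ts - t0
        if waited >= timeout:
            findings.append({"client": client, "eap_id": eap_id,
                             "eap_type": eap_type, "waited": waited})
    return findings


def identities(capture):
    """Map each client MAC to the identity string it sent in its EAP Response/Identity."""
    seen = {}
    for _, raw in capture:
        f = parse_frame(raw)
        eap = f["eap"] if f else None
        if eap and eap["code"] == EAP_RESPONSE and eap.get("type") == EAP_TYPE_IDENTITY:
            seen[f["src"]] = eap["data"].decode("utf-8", "replace")
    return seen


# ---- Constructed sample capture (hypothetical MACs, not taken from a real trace) ----
SWITCH = bytes.fromhex("0200000000aa")
CLIENT_A = bytes.fromhex("020000000001")   # goes silent after the Identity Request
CLIENT_B = bytes.fromhex("020000000002")   # completes the exchange


def build_eapol(src, dst, ptype, eap_pkt=b""):
    """Build an Ethernet frame carrying an EAPoL (version 1) packet."""
    return dst + src + struct.pack("!H", ETHERTYPE_EAPOL) + struct.pack("!BBH", 1, ptype, len(eap_pkt)) + eap_pkt


def build_eap(code, eap_id, eap_type=None, data=b""):
    """Build an EAP packet; Request/Response get a Type byte, Success/Failure do not."""
    body = (bytes([eap_type]) + data) if eap_type is not None else b""
    return struct.pack("!BBH", code, eap_id, 4 + len(body)) + body


REQ_ID_A = build_eapol(SWITCH, CLIENT_A, EAPOL_EAP_PACKET, build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))
SAMPLE_CAPTURE = [
    (0.00, build_eapol(CLIENT_A, SWITCH, EAPOL_START)),
    (0.01, REQ_ID_A),
    (0.50, build_eapol(CLIENT_B, SWITCH, EAPOL_START)),
    (0.51, build_eapol(SWITCH, CLIENT_B, EAPOL_EAP_PACKET, build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))),
    (0.60, build_eapol(CLIENT_B, SWITCH, EAPOL_EAP_PACKET, build_eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"alice"))),
    (0.70, build_eapol(SWITCH, CLIENT_B, EAPOL_EAP_PACKET, build_eap(EAP_REQUEST, 2, EAP_TYPE_TLS, b"\x20"))),
    (0.80, build_eapol(CLIENT_B, SWITCH, EAPOL_EAP_PACKET, build_eap(EAP_RESPONSE, 2, EAP_TYPE_TLS, b"\x00"))),
    (30.0, REQ_ID_A),    # switch retransmits the Identity Request to the silent client
    (60.0, REQ_ID_A),
    (90.0, REQ_ID_A),
    (125.0, build_eapol(SWITCH, CLIENT_B, EAPOL_EAP_PACKET, build_eap(EAP_SUCCESS, 3))),
]
```

Running `find_silent_supplicants(SAMPLE_CAPTURE)` reports only CLIENT_A, with the unanswered request being EAP type 1 (Identity) and a wait of roughly 125 seconds, while `identities(SAMPLE_CAPTURE)` shows that CLIENT_B did answer with "alice". On a real SPAN capture the frames would come from a pcap reader rather than the constructed list; the point of the output is that the trace tells you which client went quiet and at which EAP step, which is exactly the information the 5411 event on the PAN cannot give you.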

Unlike the Windows native supplicant or the supplicants available on other operating systems, Cisco AnyConnect Network Access Manager includes an enhanced feature for notifying the ISE of the failure reason. As an example, take the situation in which the client is misconfigured and does not trust the ISE certificate in an EAP Transport Layer Security (EAP-TLS) or Protected EAP (PEAP) authentication.

The Windows native supplicant was used on the PC. There are no details on the event other than Failure Reason: "5411 No response received during 120 seconds on last EAP message sent to the client." At this point, the administrator will have to log in to the affected endpoint to troubleshoot the issue.

This image shows an example in which the PC is running Cisco AnyConnect Network Access Manager. The Failure Reason clearly indicates what the issue is on the supplicant settings.