Symptom
ISE sends access reject instead of drop packets
the logs in ISE
24352 Identity resolution failed - ERROR_AD_DOMAIN_UNAVAILABLE
24710 Identity resolution is configured to drop request if required domain is not available - ONEADR
22059 The advanced option that is configured for process failure is used
22062 The 'Drop' advanced option is configured in case of a failed authentication request
12117 EAP-FAST inner method finished with failure
22028 Authentication failed and the advanced options are ignored
12967 Sent EAP Intermediate Result TLV indicating failure
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12218 Selected identity type 'User'
12125 EAP-FAST inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12213 Identity type provided by client is not equal to requested type
12216 Identity type provided by client was already used for authentication
12967 Sent EAP Intermediate Result TLV indicating failure
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12108 EAP-FAST authentication failed
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
Conditions
when domains are unreachable
