FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
FortiKoala
Staff
Article Id 191502
Description
Host not moving to new SSID using EasyConnect.

Summary of what happens when an EasyConnect Policy is applied:
  1. Rogue host connects to an Open SSID.
  2. Rogue host goes through the registration process in the Captive Portal.
  3. Depending upon the device, Endpoint Compliance Policy matches and pushes an agent.
  4. EasyConnect Policy matches and Supplicant Configuration is applied (defines secure SSID, encryption & cipher).
  5. Agent attempts to move to the secure SSID.

EasyConnect Supplicant installation requirements:
  • Windows or Mac OS X:  Dissolvable or Persistent Agent
  • Android: Android mobile agent
  • iOS: Downloads the supplicant from the captive portal.  Ensure an old iOS mobile agent is NOT installed; otherwise the supplicant configuration cannot be applied.

For EasyConnect functionality details, refer to the Policies topic in the Online Help or in Administration and Operation.


Scope
Version: 8.x
Solution
Define the symptom:
  • Review the endpoint compliance and EasyConnect policy configuration (which agent should the host get, and which SSID should it move to?)

When the host registers:
  • What policy does it match for endpoint compliance?
  • Is it getting an agent?
  • What policy does it match for EasyConnect?
  • Does the endstation get a supplicant configuration applied?  If not, check the characters in the password.  Refer to the related KB article below.
  • Is it getting moved to the secure SSID?
  • What OS displays for the host in the Host View?  Is it correct?


Additional information that may need to be collected
  • Agent logs from the endstation.  Refer to related KB articles below.
  • NAC CLI:
    • tomcat-portal catalina
    • DumpHostRecords -mac
    • client -mac
    • output.master with RadiusManager debug enabled  
  • Screenshots of Endpoint Compliance policy, User/Host profile & Configuration
  • Screenshots of EasyConnect policy, User/Host profile & Configuration

Related Articles

Technical Note: EasyConnect configuration does not work with certain characters in password

Technical Note: macOS Persistent Agent logs

Technical Note: Windows Persistent Agent logs

Technical Note: Enable Windows Dissolvable Agent debug logging
