Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ISE 1.2.1 logs full of Identity/Endpoint ID of 00:00:00:00:00:03, authentication failed

After an upgrade to 1.2.1, I now see a lot of auth failed entries with an Identity/Endpoint ID of 00:00:00:00:00:03.

I dont see this MAC on the switch port of the NAS where ISE reports it.


Anybody know what this is and how to stop it from happening?



Everyone's tags (1)
Cisco Employee

Looks like that mac address

Looks like that mac address belongs to Xerox. With that being said, it could be someone spoofing that mac address as well. It is interesting that you don't see it on the switchport that is reporting it. Couple of quesitons:

1. Do you have physical access to that port/jack? If yes, can you confirm what exactly is plugged there

2. Have you tried shutting down the port and see if the authentications for that mac address stop?

3. Can you post the output of "show authentication session interface interface_name_number"




Thank you for rating helpful posts!
New Member

Answers are:

Answers are:

  1. Its a HP ESXi server.  2x Win7 VM PC's run on this machine, each with a dedicated NIC.
  2. I haven't, will shut the VM's and shut the ports and see what happens.
  3. The auth session shows the MAC, but the switch MAC table doesn't
SW1-C3750X#show authentication sessions int gi 1/0/19

Interface    MAC Address    Method  Domain  Status Fg Session ID
Gi1/0/19     000c.2931.54f6 dot1x   DATA    Auth      0A0A01FE000000870EDF8C3B
Gi1/0/19     0000.0000.0003 N/A     UNKNOWN Unauth    0A0A01FE000000B219576F86

SW1-C3750X#show mac address-table int gi 1/0/19
          Mac Address Table

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 100    000c.2931.54f6    STATIC      Gi1/0/19



Thanks for replying.


New Member

VM turned off it makes no

VM turned off it makes no difference.  One other thing to note is that I said there are 2 VM PC's, each with their own dedicated NIC.  This is only happening on one of those interfaces!

New Member

The switch is full of these

The switch is full of these events:


Aug 22 11:36:05.856: %AUTHMGR-5-START: Starting 'mab' for client (0000.0000.0003) on Inte                                                            rface Gi1/0/19 AuditSessionID 0A0A01FE000000B219576F86
Aug 22 11:36:05.890: %MAB-5-FAIL: Authentication failed for client (0000.0000.0003) on In                                                            terface Gi1/0/19 AuditSessionID 0A0A01FE000000B219576F86
New Member

With interface shutdown the

With interface shutdown the events do not happen.

Cisco Employee

That is so strange. So with

That is so strange. So with the VM shut off the issue still persists? But when you shutdown the port the issue goes away. This leads me to believe that the issue is with the NIC card. Are the two NICs residing on the same or different NIC card?

Thank you for rating helpful posts!
CreatePlease login to create content