Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
27165
Views
15
Helpful
15
Replies

ISE v1.2 - Endpoint abandoned EAP session and started new

dal
Level 3
Level 3

‎01-23-2014 02:22 PM - edited ‎03-10-2019 09:19 PM

Hi.

I have lots of clients that are not able to log on to both wired and wireless networks, and they always fails with these errors.

5411 Supplicant stopped responding to ISE

5440 Endpoint abandoned EAP session and started new

This is with certificate authentication, both for client and for machine.

The clients are for the most part Windows 7.

We use both Cisco and Aerohive for wireless, and the switch I have tested with is a Cisco2960S

A few strange things:

It works perfectly for a lot of clients too, with the excact same configuration.

One PC I'm testing with works fine when authenticating via wireless, but when I plug it into the switch, I get these errors.

I seems to be a timeout of some kind, either to short or too long, but where?

In the Win7 supplicant?

In the switch?

In the Cisco WLC

or in the Aerohive AP?

I have spent hours and hours on this problem, but I can't make it go away, it is very exhausting.

There surely must have been others with the same problem?

Thank you.

11 people had this problem
Labels:
0 Helpful
15 Replies 15

George Stefanick
VIP Alumni
VIP Alumni

‎01-23-2014 06:01 PM

Im a wireless guy .. On your WLC if you do a client debug in the cli .. If you see the WLC expiring the mobile it means the client isn't passing Eap in the time allowed and expires the session .. Only for the client to try again.

You can expand those timers .. Check this out

https://supportforums.cisco.com/docs/DOC-12110

Sent from Cisco Technical Support iPhone App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
0 Helpful

Robert Salazar
Cisco Employee
Cisco Employee

‎01-30-2014 12:51 PM

How many policy nodes is your switch or controller pointing to?

If it's more than one, can you change your switch to temporarily point to one (remove the second node) and see if the issue persists?

0 Helpful

dal
Level 3
Level 3
In response to Robert Salazar

‎01-30-2014 02:05 PM

Hi.

The switch is pointing to only one policy node.

0 Helpful

dal
Level 3
Level 3
In response to Robert Salazar

‎01-30-2014 02:07 PM

Hi.

A good tip. But the wireless authentication is mosty resolved. In that specific case I had, it was a MTU problem somewhere between the Accesspoint and ISE.

The problems I have with wired authentication through the switch is not resolved, though.

Peter Koltl
Level 7
Level 7
In response to dal

‎01-31-2014 12:12 PM

Did you exclude all potential cable problems?

Is the issue reproducible? Any improvement after you restart the Wired AutoConfig service on the Windows client?

On the switch:

debug authentication all

0 Helpful

Saurav Lodh
Level 7
Level 7

‎02-06-2014 10:10 PM

Verify  that the supplicant is configured properly to conduct a full EAP  conversation with Cisco ISE. Verify that NAS is configured properly to  transfer EAP messages to/from the supplicant. Verify that the supplicant  or NAS does not have a short timeout for EAP conversation.

0 Helpful

dal
Level 3
Level 3
In response to Saurav Lodh

‎04-06-2014 04:11 AM

Thank for trying to help out, but this is.. insanely vague.

How can i verify that NAS (the C2960S) is properly configured?

What timers are we talking about here? There are many to choose from..

The problem is still here, even with the latest patch 7 for ISE 1.2. It works fine on wireless, but not with wired, from the same computer. So it is logic to assume it has something to do with the switch.

This is the configuration from the switch:

interface GigabitEthernet1/0/20
  switchport mode access
 authentication event fail action next-method
 authentication open
 authentication order dot1x mab
 authentication port-control auto
 snmp trap mac-notification change added
 dot1x pae authenticator
 spanning-tree portfast
end

sh dot1x int g1/0/20
Dot1x Info for GigabitEthernet1/0/20
-----------------------------------
PAE                       = AUTHENTICATOR
QuietPeriod               = 60
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30

sh run aaa
!
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization exec default group radius local
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius!
!
!
!
aaa server radius dynamic-author
 client 192.168.100.85
 server-key nope!
 auth-type any
!
!
radius server hmz
 address ipv4 192.168.100.85 auth-port 1812 acct-port 1813
 key nope!
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
!
aaa new-model
aaa session-id common
!

Some debug from the switch:

Apr  6 11:07:01.745: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] Create attr list, session 0x1E0000E0:
Apr  6 11:07:01.745: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding MAC d43d.7e97.1e26
Apr  6 11:07:01.745: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Swidb 0x4F8BAC8
Apr  6 11:07:01.745: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding AAA_ID=14B
Apr  6 11:07:01.745: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Audit_sid=C0A864FA0000014B6983A2E0
Apr  6 11:07:01.745: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Domain=DATA (1)
Apr  6 11:07:01.745: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Username=Dal@gaasdal.net
Apr  6 11:07:01.745: %AUTHMGR-5-START: Starting 'dot1x' for client (d43d.7e97.1e26) on Interface Gi1/0/20 AuditSessionID C0A864FA0000014B6983A2E0
Apr  6 11:07:01.745: AUTH-DETAIL: No default action(s) for event RX_METHOD_AGENT_FOUND.
Apr  6 11:08:21.182: %DOT1X-5-FAIL: Authentication failed for client (d43d.7e97.1e26) on Interface Gi1/0/20 AuditSessionID C0A864FA0000014B6983A2E0
Apr  6 11:08:21.187: %AUTHMGR-7-STOPPING: Stopping 'dot1x' for client d43d.7e97.1e26 on Interface Gi1/0/20 AuditSessionID C0A864FA0000014B6983A2E0
Apr  6 11:08:21.187: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (d43d.7e97.1e26) on Interface Gi1/0/20 AuditSessionID C0A864FA0000014B6983A2E0
Apr  6 11:08:21.187: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] Create attr list, session 0x1E0000E0:
Apr  6 11:08:21.187: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding MAC d43d.7e97.1e26
Apr  6 11:08:21.187: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Swidb 0x4F8BAC8
Apr  6 11:08:21.187: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding AAA_ID=14B
Apr  6 11:08:21.187: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Audit_sid=C0A864FA0000014B6983A2E0
Apr  6 11:08:21.187: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Domain=DATA (1)
Apr  6 11:08:21.187: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Username=host/HovedPC.gaasdal.net
Apr  6 11:09:22.079: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] Create attr list, session 0x1E0000E0:
Apr  6 11:09:22.079: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding MAC d43d.7e97.1e26
Apr  6 11:09:22.079: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Swidb 0x4F8BAC8
Apr  6 11:09:22.079: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding AAA_ID=14B
Apr  6 11:09:22.079: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Audit_sid=C0A864FA0000014B6983A2E0
Apr  6 11:09:22.079: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Domain=DATA (1)
Apr  6 11:09:22.079: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Username=host/HovedPC.gaasdal.net
Apr  6 11:09:22.079: %AUTHMGR-5-START: Starting 'dot1x' for client (d43d.7e97.1e26) on Interface Gi1/0/20 AuditSessionID C0A864FA0000014B6983A2E0
Apr  6 11:09:22.079: AUTH-DETAIL: No default action(s) for event SESSION_STARTED.

0 Helpful

Stephen McBride
Level 1
Level 1

‎04-06-2014 03:23 PM

I had a similar issue on wired where most hosts could connect but some would not - with the above mentioned errors. Ultimately this issue is very much related to the supplicant and myself and TAC came to the conclusion there was nothing wrong with the configuration of the network with regards to EAP.

I think this is the nature of dot1x - sometimes there will be hosts that can't connect for some reason and the question is do you troubleshoot the issue or tell the client that the issue is with their PC?? In out case it was "contractor byod" machines that couldn't connect so the answer was not so simple.

0 Helpful

dal
Level 3
Level 3

‎11-19-2014 11:00 AM

Hi.

I still have this problem.

Or, it works fine on wireless now, but not on wired.

I use the same computer for testing with both wired and wireless. Same certificate, and the same authentication and authorization rules in ISE.

ISE is upgraded to v1.3 now, btw.

If I use Microsoft PEAP as auth metod, it works, but not if I use certificate as auth method (which is the way I prefer it, and that's the way it is done on wireless)

So in my opinion, it must be something with the switch configuration.

But what? Some kind of timeout that needs to be adjusted?

 

Thanks

0 Helpful

Michael Thornton
Level 1
Level 1
In response to dal

‎02-20-2015 09:04 AM

For what it's worth, I see the same errors on our wired environment using PEAP. 

0 Helpful

dal
Level 3
Level 3

‎08-25-2015 02:48 AM

I finally figured this out.

Or at least what's causing it: Jumbo frames.

As soon as jumbo frames is enabled on the switch, or system mtu is increased from 1500, the authentication stops working. Because the Framed-MTU being sent seems to use the jumbo frames setting.

By typing no system mtu and no system mtu jumbo, and the rebooting the switch, 802.1x with EAP-TLS started to work fine.

 

The problem is of course, that I need jumbo frames enabled on the switch, because I have iSCSI connections enabled on some computers.

So some more testing revealed that jumbo frames CAN be enabled on the switch, as long as all the network nodes in the chain from switch to ISE-server has enabled jumbo frames as well.

 

Like this:

Client (1500) - Switch (9198) - Switch2 (9198) - vSwitch (9198) - virtual ISE (1500)

This works fine, until I enable jumbo frames on the client. Then it stops working again.

 

So the question is: How to fix this?

There should be a way to enable jumbo frames on the ISE server, IMO

Or is there a way to decrease the Framed MTU being sent from the switch? Or on the client?

 

Thanks.

Peter Koltl
Level 7
Level 7
In response to dal

‎08-29-2015 02:30 AM

Why do you want to use jumbo frames on the client?

 

Why do you think ISE needs jumbo frames? It does not talk to the client directly. Please capture the RADIUS packets sent by switch and check if the size exceeds 1500 bytes. (I'd be surprised)

 

I think you have collected enough info to open a TAC case.

 

0 Helpful

edwardonelife
Level 1
Level 1
In response to dal

‎12-08-2016 07:00 AM

This worked for me.

MTU on Cisco 3850 was changed from custom to default and EAP-TLS worked.

0 Helpful

mukka
Level 1
Level 1

‎11-24-2015 06:16 AM

Hi,

Do you solved it ?

I have a similar issue on eap_chaining with user and machine authentication.

When the user has the certificate all works fine, but if the user not have it, I can see a very large latency and the Endpoint abandoned EAP session. I need to complete the machine authentication to remediation.

 

I have windows 7 Enterprise, anyconnect 3.1.x and ISE 1.4

 

thanks.

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents