New Member

ISE Wireless Connection issues

Hi,

One of our remote offices is having real issues with Wireless connectivity.

The errors we have been receiving are as follows:

Event: 5440 Endpoint abandoned EAP session and started new

Failure Reason: 5440 Endpoint abandoned EAP session and started new

Resolution: Verify known NAD or supplicant issues and published bugs. Verify NAD and supplicant configuration.

Root cause: Endpoint started new authentication while previous is still in progress. Most probable that supplicant on that endpoint stopped conducting the previous authentication and started the new one. Closing the previous authentication

*apfMsConnTask_0: Jul 22 11:52:31.810: 58:94:6b:2b:53:0c Association received from mobile on AP c4:7d:4f:35:a7:e0

And after a while those logs will be repeated:

*dot1xMsgTask: Jul 22 11:52:31.872: 58:94:6b:2b:53:0c Sending EAP-Request/Identity to mobile 58:94:6b:2b:53:0c (EAP Id 1)

*osapiBsnTimer: Jul 22 11:52:36.848: 58:94:6b:2b:53:0c 802.1x 'txWhen' Timer expired for station 58:94:6b:2b:53:0c and for message = M0

*dot1xMsgTask: Jul 22 11:52:36.848: 58:94:6b:2b:53:0c dot1x - moving mobile 58:94:6b:2b:53:0c into Connecting state

*dot1xMsgTask: Jul 22 11:52:36.849: 58:94:6b:2b:53:0c Sending EAP-Request/Identity to mobile 58:94:6b:2b:53:0c (EAP Id 2)

*osapiBsnTimer: Jul 22 11:52:41.848: 58:94:6b:2b:53:0c 802.1x 'txWhen' Timer expired for station 58:94:6b:2b:53:0c and for message = M0

*dot1xMsgTask: Jul 22 11:52:41.849: 58:94:6b:2b:53:0c dot1x - moving mobile 58:94:6b:2b:53:0c into Connecting

And after 13 retries:

*dot1xMsgTask: Jul 22 11:53:31.849: 58:94:6b:2b:53:0c Reached Max EAP-Identity Request retries (13) for STA 58:94:6b:2b:53:0c

*dot1xMsgTask: Jul 22 11:53:31.849: 58:94:6b:2b:53:0c Sent Deauthenticate to mobile on BSSID c4:7d:4f:35:a7:e0 slot 1(caller 1x_auth_pae.c:3057)

We have tried changing the timeout from 5 to 15 and then 20 seconds but this is still not helping the cause.

The problem is persistent but also appears to be random in who it affects.

I've been leaning to the issue being with DHCP and Authentication but has anyone encountered this previously and what was the fix if any?

I'm also aware of discussions on here about a bug that will be fixed in ISE 1.3 but cannot wait for this.

Any help/guidance would be greatly appreciated

Thanks

Jason
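An added example, not part of the original post: a Python sketch that summarizes WLC debug output like the lines above per client MAC, counting EAP-Request/Identity sends and 'txWhen' expiries, measuring the resend gap, and listing clients deauthenticated after exhausting retries. The sample lines are copied from the post; the function names are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: debug lines copied from the post above.
SAMPLE = """\
*dot1xMsgTask: Jul 22 11:52:31.872: 58:94:6b:2b:53:0c Sending EAP-Request/Identity to mobile 58:94:6b:2b:53:0c (EAP Id 1)
*osapiBsnTimer: Jul 22 11:52:36.848: 58:94:6b:2b:53:0c 802.1x 'txWhen' Timer expired for station 58:94:6b:2b:53:0c and for message = M0
*dot1xMsgTask: Jul 22 11:52:36.849: 58:94:6b:2b:53:0c Sending EAP-Request/Identity to mobile 58:94:6b:2b:53:0c (EAP Id 2)
*osapiBsnTimer: Jul 22 11:52:41.848: 58:94:6b:2b:53:0c 802.1x 'txWhen' Timer expired for station 58:94:6b:2b:53:0c and for message = M0
*dot1xMsgTask: Jul 22 11:53:31.849: 58:94:6b:2b:53:0c Reached Max EAP-Identity Request retries (13) for STA 58:94:6b:2b:53:0c
*dot1xMsgTask: Jul 22 11:53:31.849: 58:94:6b:2b:53:0c Sent Deauthenticate to mobile on BSSID c4:7d:4f:35:a7:e0 slot 1(caller 1x_auth_pae.c:3057)
"""

LINE = re.compile(r"^\*\w+: (?P<ts>\w{3} +\d+ [\d:.]+): "
                  r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$")
MAX_RETRY = re.compile(r"Reached Max EAP-Identity Request retries \((\d+)\)")

def summarize(text):
    """Per client MAC: identity requests sent, txWhen expiries, resend gaps, outcome."""
    clients = defaultdict(lambda: {"id_requests": 0, "timeouts": 0, "gaps": [],
                                   "max_retries": None, "deauth": False})
    last_sent = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        mac, msg = m["mac"], m["msg"]
        # The log carries no year; a fixed placeholder year is prepended for parsing.
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S.%f")
        c = clients[mac]
        if msg.startswith("Sending EAP-Request/Identity"):
            if mac in last_sent:
                c["gaps"].append((ts - last_sent[mac]).total_seconds())
            last_sent[mac] = ts
            c["id_requests"] += 1
        elif "'txWhen' Timer expired" in msg:
            c["timeouts"] += 1
        elif hit := MAX_RETRY.search(msg):
            c["max_retries"] = int(hit.group(1))
        elif msg.startswith("Sent Deauthenticate"):
            c["deauth"] = True
    return dict(clients)

def unanswered(summary):
    """Clients deauthenticated after exhausting identity-request retries."""
    return sorted(m for m, c in summary.items() if c["max_retries"] and c["deauth"])

if __name__ == "__main__":
    print(summarize(SAMPLE), unanswered(summarize(SAMPLE)))
```

On the sample, the one measured gap between identity requests is about 4.98 s, in line with the 5-second timeout mentioned in the post; running the same measurement after a timeout change shows whether the new value is in effect.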

4 REPLIES
Cisco Employee

What is the round-trip time between the clients and the ISE server?

Thank you for rating helpful posts!
New Member

Hi neno,

I think latency is the issue as here are the steps

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15004 Matched rule
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12701 Extracted EAP-Response/NAK requesting to use LEAP instead
12700 Prepared EAP-Request proposing LEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12702 Extracted EAP-Response containing LEAP challenge-response and accepting LEAP as negotiated
15041 Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Source - ActiveDirectory
24430 Authenticating user against Active Directory
24402 User authentication against Active Directory succeeded
22037 Authentication Passed
24422 ISE has confirmed previous successful machine authentication for user in Active Directory
15036 Evaluating Authorization Policy
24432 Looking up user in Active Directory - CPMUK\jferguson
24416 User's Groups retrieval from Active Directory succeeded
24420 User's Attributes retrieval from Active Directory succeeded
15004 Matched rule
15048 Queried PIP
15048 Queried PIP
15016 Selected Authorization Profile - Omni-Permit-All
12705 LEAP authentication passed; Continuing protocol
11503 Prepared EAP-Success
11006 Returned RADIUS Access-Challenge (Step latency=18095 ms)
5440 Endpoint abandoned EAP session and started new

Gold

CSCuj98726
Symptom:
iOS device can bypass account suspension/lock even if it is enabled, because it will be reported as '5440 Endpoint abandoned EAP session and started new' instead of wrong password.

Conditions:
Enable account suspension/lock and iOS device uses EAP authentication

Workaround:
Set the PEAP Retries to 0 in the selected Allowed Protocols configuration for the Authentication. This can be found under Policy -> Results -> Authentication -> Allowed Protocols.

Further Problem Description:
iOS does not support PEAP retries inside the TLS tunnel via MSChapv2 and when receiving a password retry will abandon the EAP session. Turning off the retry mechanism will cause an access-reject to be sent for every failed password.

Known Affected Releases: (1)
1.2(0.899)

Known Fixed Releases: (2)
1.2(1.198)
1.2(0.905)
  
New Member

Thanks Mohanak,

I will look at patching to the latest version, as I am currently running 1.2(0.899), and will let you know how that goes for me.

Thanks
