https://community.cisco.com/t5/network-access-control/ise-auth-issues-after-upgrading-to-2-4/m-p/3903992#M470849 <P>The cert did not change, and I have had clients forget, and accept the cert again anyways.&nbsp; At this time, it appears this issue may be related to the radius timeout setting on the WLC default at 2 secs.&nbsp; We are increasing this to 10.&nbsp; Not a lot of evidence yet to back this up, but looking at the logs it appears that maybe this is the cause of the EAP retransmits.&nbsp; Is anyone aware of increased latency being introduced in 2.4?&nbsp; We were previously on 2.1 without any issues.</P> Tue, 06 Aug 2019 17:28:56 GMT awatson20 2019-08-06T17:28:56Z https://community.cisco.com/t5/network-access-control/ise-auth-issues-after-upgrading-to-2-4/m-p/3901523#M470817 <P>We recently upgraded from ISE 2.1 to 2.4, and since we have been seeing more random client auth issues.&nbsp; We are using ISE mainly for authentications using PEAP on a wireless network.&nbsp; Since the upgrade, clients are reporting issues and in the ISE logs we are mainly seeing this error.&nbsp;</P><TABLE border="0"><TBODY><TR><TD>&nbsp;</TD><TD>5440 Endpoint abandoned EAP session and started new</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>We have seen this error before, but it is more related now to clients actually having connection issues.&nbsp; We have not applied the patches yet, as we were waiting a couple of weeks to let the upgrade burn in.&nbsp; Any ideas or suggestions, or known issues with this issue?</P> Thu, 01 Aug 2019 14:58:31 GMT https://community.cisco.com/t5/network-access-control/ise-auth-issues-after-upgrading-to-2-4/m-p/3901523#M470817 awatson20 2019-08-01T14:58:31Z https://community.cisco.com/t5/network-access-control/ise-auth-issues-after-upgrading-to-2-4/m-p/3901582#M470822 I would definitely patch the deployment immediately following upgrading, there are about 500 known bugs if you run unpatched, it could be any number of them. Thu, 01 Aug 2019 16:07:35 GMT https://community.cisco.com/t5/network-access-control/ise-auth-issues-after-upgrading-to-2-4/m-p/3901582#M470822 Damien Miller 2019-08-01T16:07:35Z https://community.cisco.com/t5/network-access-control/ise-auth-issues-after-upgrading-to-2-4/m-p/3901871#M470830 <P>&nbsp;</P><P>&nbsp;- Or let your Intranet<FONT color="#FF0000"> burn out</FONT> ? Bear me I don't want to get into simple bashing towards Cisco. I believe CISCO ISE is a <U><FONT color="#008000">marvelous product</FONT> </U>with a <STRONG><FONT color="#008000">vast number</FONT></STRONG> of possibilities BUT as many people have experienced before : due to it's complexity (configuration and the different-nodes-complexity) AND It being <STRONG>mission critical</STRONG> on the Intranet it is simply not designed for upgrading production nodes. Many people therefore build a second/new environment in place to replace the old-versioned-ISE setup. I used to have a script witch could switch radius servers(PSN Nodes)&nbsp; on the millisecond in the running config of a switch using the CISCO-CONFIG-MIB.&nbsp; Sometimes for new major version it's even better then to re-enter the policies from scratch to take advantage of new features in the most optimal way. Consider following these practices when upgrading to new ISE versions.</P><P>&nbsp;M.</P> Fri, 02 Aug 2019 08:13:56 GMT https://community.cisco.com/t5/network-access-control/ise-auth-issues-after-upgrading-to-2-4/m-p/3901871#M470830 Mark Elsen 2019-08-02T08:13:56Z https://community.cisco.com/t5/network-access-control/ise-auth-issues-after-upgrading-to-2-4/m-p/3902164#M470836 <P>upgrade the patch as suggested. Also, are these Windows clients? any event log which can be seen ?</P> <P>&nbsp;</P> Fri, 02 Aug 2019 15:55:12 GMT https://community.cisco.com/t5/network-access-control/ise-auth-issues-after-upgrading-to-2-4/m-p/3902164#M470836 Nidhi 2019-08-02T15:55:12Z https://community.cisco.com/t5/network-access-control/ise-auth-issues-after-upgrading-to-2-4/m-p/3903876#M470842 <P>We applied the 2.4 Patch 9, and this seemed to make auth issues better at first, but we are continuing to see problems.&nbsp; Most of our endpoints are mobile iphones or android devices.&nbsp; From the client perspective, it appears that they cannot connect to the SSID.&nbsp; ISE shows the client constantly abandoning and establishing a new EAP session.&nbsp; The wireless controller shows the client authenticated.&nbsp; A debug basically shows the client going through the EAP process over and over.&nbsp; This all started after upgrading to 2.4</P><P>&nbsp;</P><P>See a lot of these errors in ISE:</P><P>5440 Endpoint abandoned EAP session and started new</P><P>12934 Supplicant stopped responding to ISE during PEAP tunnel establishment</P> Tue, 06 Aug 2019 14:50:20 GMT https://community.cisco.com/t5/network-access-control/ise-auth-issues-after-upgrading-to-2-4/m-p/3903876#M470842 awatson20 2019-08-06T14:50:20Z https://community.cisco.com/t5/network-access-control/ise-auth-issues-after-upgrading-to-2-4/m-p/3903935#M470844 <P>- As an additional debug-resource you may also involve the <STRONG>Wireless Debug Analyzer</STRONG> , which can be found from the link below&nbsp; :</P><P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;<A href="https://developer.cisco.com/docs/wireless-troubleshooting-tools/" target="_blank">https://developer.cisco.com/docs/wireless-troubleshooting-tools/</A></P><P>M.</P> Tue, 06 Aug 2019 16:13:27 GMT https://community.cisco.com/t5/network-access-control/ise-auth-issues-after-upgrading-to-2-4/m-p/3903935#M470844 Mark Elsen 2019-08-06T16:13:27Z https://community.cisco.com/t5/network-access-control/ise-auth-issues-after-upgrading-to-2-4/m-p/3903964#M470847 A common cause of this is when iphones don't trust the certificate. Did the ISE cert change? Tue, 06 Aug 2019 16:51:53 GMT https://community.cisco.com/t5/network-access-control/ise-auth-issues-after-upgrading-to-2-4/m-p/3903964#M470847 Damien Miller 2019-08-06T16:51:53Z https://community.cisco.com/t5/network-access-control/ise-auth-issues-after-upgrading-to-2-4/m-p/3903992#M470849 <P>The cert did not change, and I have had clients forget, and accept the cert again anyways.&nbsp; At this time, it appears this issue may be related to the radius timeout setting on the WLC default at 2 secs.&nbsp; We are increasing this to 10.&nbsp; Not a lot of evidence yet to back this up, but looking at the logs it appears that maybe this is the cause of the EAP retransmits.&nbsp; Is anyone aware of increased latency being introduced in 2.4?&nbsp; We were previously on 2.1 without any issues.</P> Tue, 06 Aug 2019 17:28:56 GMT https://community.cisco.com/t5/network-access-control/ise-auth-issues-after-upgrading-to-2-4/m-p/3903992#M470849 awatson20 2019-08-06T17:28:56Z https://community.cisco.com/t5/network-access-control/ise-auth-issues-after-upgrading-to-2-4/m-p/3904790#M470851 No known issues as such but would recommend you get it checked with TAC if you are facing this regularly. Wed, 07 Aug 2019 18:30:25 GMT https://community.cisco.com/t5/network-access-control/ise-auth-issues-after-upgrading-to-2-4/m-p/3904790#M470851 Surendra 2019-08-07T18:30:25Z https://community.cisco.com/t5/network-access-control/ise-auth-issues-after-upgrading-to-2-4/m-p/4019794#M470852 Hello awatson20 ,<BR />Did it work to change the timeout setting on the WLC? Tue, 28 Jan 2020 20:03:55 GMT https://community.cisco.com/t5/network-access-control/ise-auth-issues-after-upgrading-to-2-4/m-p/4019794#M470852 Sp@wn 2020-01-28T20:03:55Z https://community.cisco.com/t5/network-access-control/ise-auth-issues-after-upgrading-to-2-4/m-p/4019858#M470853 Yes, it did.<BR /> Tue, 28 Jan 2020 21:13:21 GMT https://community.cisco.com/t5/network-access-control/ise-auth-issues-after-upgrading-to-2-4/m-p/4019858#M470853 awatson20 2020-01-28T21:13:21Z