https://community.cisco.com/t5/network-access-control/event-5400-authentication-failed-with-22056-failure/m-p/4720513#M578204 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/306399">@latenaite2011</a>&nbsp;</P> <P>I would suggest the following:</P> <UL> <LI>verifying ISE working with other use cases</LI> <LI>trying another switch port, in case the switch port gone bad</LI> <LI>trying another docking station, in case the existing docking station is bad or has a bad network interface</LI> <LI>trying rebooting the PC and trying another PC, in case something wrong with the client O/S</LI> </UL> <P>&nbsp;</P> Sun, 13 Nov 2022 18:32:29 GMT hslai 2022-11-13T18:32:29Z https://community.cisco.com/t5/network-access-control/event-5400-authentication-failed-with-22056-failure/m-p/4718090#M578126 <P>Hey everyone,</P> <P>Just wondering if anyone knows why a user would get a Event 5400 Authentication failed (Failure Reason is 22056 Subnet not found in the applicable identity store(s).&nbsp; The laptop has just gone through a successful authentication and switched to a docking station (to test how a normal user would do) and we're testing this new configuration now.&nbsp;</P> <P>In the live logs, we can see it switched from 802.1x to MAB and not sure why if it just worked with 802.1x about several minutes ago.</P> <P>See attached snapshots.&nbsp; This is a new setup.&nbsp; &nbsp;Not sure if the mac address is still in the cache so it is not prompting to re-authenticate.</P> Tue, 08 Nov 2022 17:40:29 GMT https://community.cisco.com/t5/network-access-control/event-5400-authentication-failed-with-22056-failure/m-p/4718090#M578126 latenaite2011 2022-11-08T17:40:29Z https://community.cisco.com/t5/network-access-control/event-5400-authentication-failed-with-22056-failure/m-p/4718145#M578127 <P>I didn't read your trace, but just from idea - after successful dot1x authentication an endpoint with the MC of the endpoint was created on the ISE, but docking station has another MAC address, so you got disconnected.</P> Tue, 08 Nov 2022 18:45:35 GMT https://community.cisco.com/t5/network-access-control/event-5400-authentication-failed-with-22056-failure/m-p/4718145#M578127 Thomas Schmitt 2022-11-08T18:45:35Z https://community.cisco.com/t5/network-access-control/event-5400-authentication-failed-with-22056-failure/m-p/4718189#M578130 <P>Thanks for the reply Thomas.</P> <P>I did ask if the docking station has a different network adapter but it doesn't. Customer connects the laptop docking station that connects to the laptop using a USB C. The connection worked with the docking station at first then when he connected it, it wouldn't work anymore.&nbsp; Since the laptop doesn't have any physical network, he uses the docking station to connect.&nbsp; You can see the Live logs that the mac address is the same for the successful and the failed attempt.</P> <P>&nbsp;</P> <P>Thanks!</P> <P>&nbsp;</P> Tue, 08 Nov 2022 19:45:43 GMT https://community.cisco.com/t5/network-access-control/event-5400-authentication-failed-with-22056-failure/m-p/4718189#M578130 latenaite2011 2022-11-08T19:45:43Z https://community.cisco.com/t5/network-access-control/event-5400-authentication-failed-with-22056-failure/m-p/4719987#M578189 <P>You redacted the user/host information so I don't know if you are doing the same user/host for all of these.</P> <P>Capture 1 is doing EAP-TLS which is certificate based authentication.</P> <P>Capture 2 is doing PEAP+EAP-MSCHAPv2 which is username+password authentication.</P> <P>Capture 3 is doing <EM><STRONG>MAB</STRONG></EM> and failing because the MAC Address <STRONG><EM>was not found</EM></STRONG> in ISE (it has never been seen before).</P> <P>If you want to allow new (never-before-seen) MAC addresses onto your network, you should change the authentication policy of your respective Policy Set to simply Continue if User Not Found:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/167719i3701784D365F4DCB/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> Fri, 11 Nov 2022 21:59:27 GMT https://community.cisco.com/t5/network-access-control/event-5400-authentication-failed-with-22056-failure/m-p/4719987#M578189 thomas 2022-11-11T21:59:27Z https://community.cisco.com/t5/network-access-control/event-5400-authentication-failed-with-22056-failure/m-p/4720513#M578204 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/306399">@latenaite2011</a>&nbsp;</P> <P>I would suggest the following:</P> <UL> <LI>verifying ISE working with other use cases</LI> <LI>trying another switch port, in case the switch port gone bad</LI> <LI>trying another docking station, in case the existing docking station is bad or has a bad network interface</LI> <LI>trying rebooting the PC and trying another PC, in case something wrong with the client O/S</LI> </UL> <P>&nbsp;</P> Sun, 13 Nov 2022 18:32:29 GMT https://community.cisco.com/t5/network-access-control/event-5400-authentication-failed-with-22056-failure/m-p/4720513#M578204 hslai 2022-11-13T18:32:29Z