ISE ISSUE

natixis — Mon, 13 Oct 2025 07:41:27 GMT

After upgrading several corporate laptops from Windows 10 to Windows 11, the IT team begins to notice that many devices are being blocked by the Cisco Identity Services Engine (ISE) during network authentication. Upon investigation, they discover that the issue stems from session duplication caused by the OS upgrade.

When Windows 11 is installed over Windows 10, certain machine identifiers—such as the MAC address, hostname, and certificate—remain unchanged. However, the upgrade process triggers a re-registration of the device in Active Directory and the endpoint database used by ISE. This results in two conflicting sessions being created for the same physical device: one associated with the old Windows 10 profile and another with the new Windows 11 profile.

Cisco ISE, configured with strict posture and profiling policies, detects this duplication as a potential security risk. It flags the device as non-compliant due to inconsistent endpoint attributes and blocks network access. The NAC system interprets the duplicated session as a rogue device or a spoofing attempt.

Re: ISE ISSUE

thomas — Mon, 13 Oct 2025 21:54:57 GMT

Please share the exact errors and "strict posture and profiling policies" that cause non-compliance.
If you think it's an bug, call TAC.

Re: ISE ISSUE

natixis — Tue, 14 Oct 2025 15:06:24 GMT

11001 Received RADIUS Access-Request - AD
11017 RADIUS created a new session - zz@dz.zzbp.corp
15049 Evaluating Policy Group - dz.zzbp.corp
15008 Evaluating Service Selection Policy - dz.zzbp.corp
15048 Queried PIP - DEVICE.Device Type
15048 Queried PIP - dz.zzbp.corp
11507 Extracted EAP-Response/Identity - AD
12500 Prepared EAP-Request proposing EAP-TLS with challenge - dz.zzbp.corp
12625 Valid EAP-Key-Name attribute received - AD
11006 Returned RADIUS Access-Challenge - AD
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12300 Prepared EAP-Request proposing PEAP with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12808 Prepared TLS ServerKeyExchange message
12810 Prepared TLS ServerDone message
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12318 Successfully negotiated PEAP version 0
12810 Prepared TLS ServerDone message
12812 Extracted TLS ClientKeyExchange message
12803 Extracted TLS ChangeCipherSpec message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12310 PEAP full handshake finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12313 PEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12523 Extracted EAP-Response/NAK for inner method requesting to use EAP-TLS instead
12522 Prepared EAP-Request for inner method proposing EAP-TLS with challenge
12625 Valid EAP-Key-Name attribute received
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12524 Extracted EAP-Response containing EAP-TLS challenge-response for inner method and accepting EAP-TLS as negotiated
12800 Extracted first TLS record; TLS handshake started
12545 Client requested EAP-TLS session ticket
12546 The EAP-TLS session ticket received from supplicant. Inner EAP-TLS does not support stateless session resume. Performing full authentication
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12808 Prepared TLS ServerKeyExchange message
12809 Prepared TLS CertificateRequest message
12810 Prepared TLS ServerDone message
12527 Prepared EAP-Request for inner method with another EAP-TLS challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12526 Extracted EAP-Response for inner method containing TLS challenge-response
12527 Prepared EAP-Request for inner method with another EAP-TLS challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12526 Extracted EAP-Response for inner method containing TLS challenge-response
12527 Prepared EAP-Request for inner method with another EAP-TLS challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12526 Extracted EAP-Response for inner method containing TLS challenge-response
12527 Prepared EAP-Request for inner method with another EAP-TLS challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12526 Extracted EAP-Response for inner method containing TLS challenge-response
12527 Prepared EAP-Request for inner method with another EAP-TLS challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12526 Extracted EAP-Response for inner method containing TLS challenge-response
12527 Prepared EAP-Request for inner method with another EAP-TLS challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12526 Extracted EAP-Response for inner method containing TLS challenge-response
12527 Prepared EAP-Request for inner method with another EAP-TLS challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12526 Extracted EAP-Response for inner method containing TLS challenge-response
12810 Prepared TLS ServerDone message
12571 ISE will continue to CRL verification if it is configured for specific CA - certificate for
12571 ISE will continue to CRL verification if it is configured for specific CA - certificate for NATIXIS-ALG-DCRT01-CA
12811 Extracted TLS Certificate message containing client certificate
12812 Extracted TLS ClientKeyExchange message
12813 Extracted TLS CertificateVerify message
12803 Extracted TLS ChangeCipherSpec message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12509 EAP-TLS full handshake finished successfully
12527 Prepared EAP-Request for inner method with another EAP-TLS challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12526 Extracted EAP-Response for inner method containing TLS challenge-response
61025 Open secure connection with TLS peer
15041 Evaluating Identity Policy
15048 Queried PIP - Normalised Radius.RadiusFlowType
22072 Selected identity source sequence - zz_Cert_AD_Intern
22070 Identity name is taken from certificate attribute
22037 Authentication Passed
12528 Inner EAP-TLS authentication succeeded
11519 Prepared EAP-Success for inner EAP method
12314 PEAP inner method finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
24715 ISE has not confirmed locally previous successful machine authentication for user in Active Directory
15036 Evaluating Authorization Policy
24209 Looking up Endpoint in Internal Endpoints IDStore - zz@dz.zzbp.corp
24211 Found Endpoint in Internal Endpoints IDStore
15048 Queried PIP - Radius.User-Name
15048 Queried PIP - EndPoints.LogicalProfile
24432 Looking up user in Active Directory - xxx@dz.xxx.corp
24325 Resolving identity
24313 Search for matching accounts at join point
24319 Single matching account found in forest
24323 Identity resolution detected single matching account
24355 LDAP fetch succeeded
24416 User's Groups retrieval from Active Directory succeeded
24355 LDAP fetch succeeded
24420 User's Attributes retrieval from Active Directory succeeded
24100 Some of the expected attributes are not found on the subject record. The default values, if configured, will be used for these attributes
15048 Queried PIP - AD.ExternalGroups
15016 Selected Authorization Profile - zz_Users
11022 Added the dACL specified in the Authorization Profile
22081 Max sessions policy passed
22080 New accounting session created in Session cache
12306 PEAP authentication succeeded
11503 Prepared EAP-Success
11002 Returned RADIUS Access-Accep

topic ISE ISSUE in Network Access Control

ISE ISSUE

Re: ISE ISSUE

Re: ISE ISSUE