topic Why do you want to use jumbo in Network Access Control

ISE v1.2 - Endpoint abandoned EAP session and started new

dal — Mon, 11 Mar 2019 04:19:16 GMT

Hi.

I have lots of clients that are not able to log on to both wired and wireless networks, and they always fails with these errors.

5411 Supplicant stopped responding to ISE

5440 Endpoint abandoned EAP session and started new

This is with certificate authentication, both for client and for machine.

The clients are for the most part Windows 7.

We use both Cisco and Aerohive for wireless, and the switch I have tested with is a Cisco2960S

A few strange things:

It works perfectly for a lot of clients too, with the excact same configuration.

One PC I'm testing with works fine when authenticating via wireless, but when I plug it into the switch, I get these errors.

I seems to be a timeout of some kind, either to short or too long, but where?

In the Win7 supplicant?

In the switch?

In the Cisco WLC

or in the Aerohive AP?

I have spent hours and hours on this problem, but I can't make it go away, it is very exhausting.

There surely must have been others with the same problem?

Thank you.

Re: ISE v1.2 - Endpoint abandoned EAP session and started new

George Stefanick — Fri, 24 Jan 2014 02:01:04 GMT

Im a wireless guy .. On your WLC if you do a client debug in the cli .. If you see the WLC expiring the mobile it means the client isn't passing Eap in the time allowed and expires the session .. Only for the client to try again.

You can expand those timers .. Check this out

https://supportforums.cisco.com/docs/DOC-12110

Sent from Cisco Technical Support iPhone App

ISE v1.2 - Endpoint abandoned EAP session and started new

Robert Salazar — Thu, 30 Jan 2014 20:51:46 GMT

How many policy nodes is your switch or controller pointing to?

If it's more than one, can you change your switch to temporarily point to one (remove the second node) and see if the issue persists?

ISE v1.2 - Endpoint abandoned EAP session and started new

dal — Thu, 30 Jan 2014 22:05:36 GMT

Hi.

The switch is pointing to only one policy node.

ISE v1.2 - Endpoint abandoned EAP session and started new

dal — Thu, 30 Jan 2014 22:07:24 GMT

Hi.

A good tip. But the wireless authentication is mosty resolved. In that specific case I had, it was a MTU problem somewhere between the Accesspoint and ISE.

The problems I have with wired authentication through the switch is not resolved, though.

ISE v1.2 - Endpoint abandoned EAP session and started new

Peter Koltl — Fri, 31 Jan 2014 20:12:45 GMT

Did you exclude all potential cable problems?

Is the issue reproducible? Any improvement after you restart the Wired AutoConfig service on the Windows client?

On the switch:

debug authentication all

ISE v1.2 - Endpoint abandoned EAP session and started new

Saurav Lodh — Fri, 07 Feb 2014 06:10:58 GMT

Verify that the supplicant is configured properly to conduct a full EAP conversation with Cisco ISE. Verify that NAS is configured properly to transfer EAP messages to/from the supplicant. Verify that the supplicant or NAS does not have a short timeout for EAP conversation.

Thank for trying to help out,

dal — Sun, 06 Apr 2014 11:11:26 GMT

Thank for trying to help out, but this is.. insanely vague.

How can i verify that NAS (the C2960S) is properly configured?

What timers are we talking about here? There are many to choose from..

The problem is still here, even with the latest patch 7 for ISE 1.2. It works fine on wireless, but not with wired, from the same computer. So it is logic to assume it has something to do with the switch.

This is the configuration from the switch:

interface GigabitEthernet1/0/20
switchport mode access
authentication event fail action next-method
authentication open
authentication order dot1x mab
authentication port-control auto
snmp trap mac-notification change added
dot1x pae authenticator
spanning-tree portfast
end

sh dot1x int g1/0/20
Dot1x Info for GigabitEthernet1/0/20
-----------------------------------
PAE                       = AUTHENTICATOR
QuietPeriod               = 60
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30

sh run aaa
!
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization exec default group radius local
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius!
!
!
!
aaa server radius dynamic-author
client 192.168.100.85
server-key nope!
auth-type any
!
!
radius server hmz
address ipv4 192.168.100.85 auth-port 1812 acct-port 1813
key nope!
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
!
aaa new-model
aaa session-id common
!

Some debug from the switch:

Apr 6 11:07:01.745: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] Create attr list, session 0x1E0000E0:
Apr 6 11:07:01.745: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding MAC d43d.7e97.1e26
Apr 6 11:07:01.745: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Swidb 0x4F8BAC8
Apr 6 11:07:01.745: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding AAA_ID=14B
Apr 6 11:07:01.745: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Audit_sid=C0A864FA0000014B6983A2E0
Apr 6 11:07:01.745: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Domain=DATA (1)
Apr 6 11:07:01.745: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Username=Dal@gaasdal.net
Apr 6 11:07:01.745: %AUTHMGR-5-START: Starting 'dot1x' for client (d43d.7e97.1e26) on Interface Gi1/0/20 AuditSessionID C0A864FA0000014B6983A2E0
Apr 6 11:07:01.745: AUTH-DETAIL: No default action(s) for event RX_METHOD_AGENT_FOUND.
Apr 6 11:08:21.182: %DOT1X-5-FAIL: Authentication failed for client (d43d.7e97.1e26) on Interface Gi1/0/20 AuditSessionID C0A864FA0000014B6983A2E0
Apr 6 11:08:21.187: %AUTHMGR-7-STOPPING: Stopping 'dot1x' for client d43d.7e97.1e26 on Interface Gi1/0/20 AuditSessionID C0A864FA0000014B6983A2E0
Apr 6 11:08:21.187: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (d43d.7e97.1e26) on Interface Gi1/0/20 AuditSessionID C0A864FA0000014B6983A2E0
Apr 6 11:08:21.187: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] Create attr list, session 0x1E0000E0:
Apr 6 11:08:21.187: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding MAC d43d.7e97.1e26
Apr 6 11:08:21.187: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Swidb 0x4F8BAC8
Apr 6 11:08:21.187: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding AAA_ID=14B
Apr 6 11:08:21.187: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Audit_sid=C0A864FA0000014B6983A2E0
Apr 6 11:08:21.187: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Domain=DATA (1)
Apr 6 11:08:21.187: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Username=host/HovedPC.gaasdal.net
Apr 6 11:09:22.079: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] Create attr list, session 0x1E0000E0:
Apr 6 11:09:22.079: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding MAC d43d.7e97.1e26
Apr 6 11:09:22.079: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Swidb 0x4F8BAC8
Apr 6 11:09:22.079: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding AAA_ID=14B
Apr 6 11:09:22.079: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Audit_sid=C0A864FA0000014B6983A2E0
Apr 6 11:09:22.079: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Domain=DATA (1)
Apr 6 11:09:22.079: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Username=host/HovedPC.gaasdal.net
Apr 6 11:09:22.079: %AUTHMGR-5-START: Starting 'dot1x' for client (d43d.7e97.1e26) on Interface Gi1/0/20 AuditSessionID C0A864FA0000014B6983A2E0
Apr 6 11:09:22.079: AUTH-DETAIL: No default action(s) for event SESSION_STARTED.

I had a similar issue on

Stephen McBride — Sun, 06 Apr 2014 22:23:59 GMT

I had a similar issue on wired where most hosts could connect but some would not - with the above mentioned errors. Ultimately this issue is very much related to the supplicant and myself and TAC came to the conclusion there was nothing wrong with the configuration of the network with regards to EAP.

I think this is the nature of dot1x - sometimes there will be hosts that can't connect for some reason and the question is do you troubleshoot the issue or tell the client that the issue is with their PC?? In out case it was "contractor byod" machines that couldn't connect so the answer was not so simple.

Hi.I still have this problem

dal — Wed, 19 Nov 2014 19:00:14 GMT

Hi.

I still have this problem.

Or, it works fine on wireless now, but not on wired.

I use the same computer for testing with both wired and wireless. Same certificate, and the same authentication and authorization rules in ISE.

ISE is upgraded to v1.3 now, btw.

If I use Microsoft PEAP as auth metod, it works, but not if I use certificate as auth method (which is the way I prefer it, and that's the way it is done on wireless)

So in my opinion, it must be something with the switch configuration.

But what? Some kind of timeout that needs to be adjusted?

Thanks

For what it's worth, I see

Michael Thornton — Fri, 20 Feb 2015 17:04:03 GMT

For what it's worth, I see the same errors on our wired environment using PEAP.

I finally figured this out.Or

dal — Tue, 25 Aug 2015 09:48:31 GMT

I finally figured this out.

Or at least what's causing it: Jumbo frames.

As soon as jumbo frames is enabled on the switch, or system mtu is increased from 1500, the authentication stops working. Because the Framed-MTU being sent seems to use the jumbo frames setting.

By typing no system mtu and no system mtu jumbo, and the rebooting the switch, 802.1x with EAP-TLS started to work fine.

The problem is of course, that I need jumbo frames enabled on the switch, because I have iSCSI connections enabled on some computers.

So some more testing revealed that jumbo frames CAN be enabled on the switch, as long as all the network nodes in the chain from switch to ISE-server has enabled jumbo frames as well.

Like this:

Client (1500) - Switch (9198) - Switch2 (9198) - vSwitch (9198) - virtual ISE (1500)

This works fine, until I enable jumbo frames on the client. Then it stops working again.

So the question is: How to fix this?

There should be a way to enable jumbo frames on the ISE server, IMO

Or is there a way to decrease the Framed MTU being sent from the switch? Or on the client?

Thanks.

Why do you want to use jumbo

Peter Koltl — Sat, 29 Aug 2015 09:30:28 GMT

Why do you want to use jumbo frames on the client?

Why do you think ISE needs jumbo frames? It does not talk to the client directly. Please capture the RADIUS packets sent by switch and check if the size exceeds 1500 bytes. (I'd be surprised)

I think you have collected enough info to open a TAC case.

Hi,

mukka — Tue, 24 Nov 2015 14:16:21 GMT

Hi,

Do you solved it ?

I have a similar issue on eap_chaining with user and machine authentication.

When the user has the certificate all works fine, but if the user not have it, I can see a very large latency and the Endpoint abandoned EAP session. I need to complete the machine authentication to remediation.

I have windows 7 Enterprise, anyconnect 3.1.x and ISE 1.4

thanks.

Hi mukka,

alberx — Fri, 18 Dec 2015 10:02:11 GMT

Hi mukka,

I had this same prolbem this week and I finally found that bug:

https://quickview.cloudapps.cisco.com/quickview/bug/CSCuw91763

Disabling AES Key wrap in WLC all my authentications started to work perfectly.

I was debugging aaa in WLC finding this error "Rejecting Cisco MAC Attribute due to MAC mismatch" and googling it drived me to the bug.

Hope this helps.

This worked for me.

edwardonelife — Thu, 08 Dec 2016 15:00:40 GMT

This worked for me.

MTU on Cisco 3850 was changed from custom to default and EAP-TLS worked.