LOG cisco ISE

Tutu — Mon, 02 Nov 2020 10:08:50 GMT

Hello can someone please help me understand this live log from cisco ise

Overview
Event 5400 Authentication failed
Username host/DESKTOP-QEDO10M
Endpoint Id 70:5A:0F:2A:47:DE
Endpoint Profile
Authentication Policy Wired
Authorization Policy Wired
Authorization Result

Authentication Details
Source Timestamp 2020-11-02 09:22:20.802
Received Timestamp 2020-11-02 09:22:20.802
Policy Server -ISE-PAN
Event 5400 Authentication failed
Failure Reason 12953 Received EAP packet from the middle of conversation that contains a session on this PSN that does not exist
Resolution Verify known NAD issues and published bugs. Verify NAD configuration. Turn debug log on DEBUG level to troubleshoot the problem.
Root cause Session was not found on this PSN. Possible unexpected NAD behavior. Session belongs to this PSN according to hostname but may has already been reaped by timeout. This packet arrived too late.
Username host/DESKTOP-QEDO10M
Endpoint Id 70:5A:0F:2A:47:DE
Calling Station Id 70-5A-0F-2A-47-DE
IPv4 Address 10.100.105.53
Audit Session Id 0AC8D0640000000D00202A45
Authentication Method dot1x
Service Type Framed
Network Device Test
Device Type All Device Types#Wired
Location All Locations#-HQ
NAS IPv4 Address 10.200.208.100
NAS Port Id GigabitEthernet1/0/10
NAS Port Type Ethernet
Response Time 5 milliseconds

Other Attributes
ConfigVersionId 148
Device Port 1645
DestinationPort 1812
RadiusPacketType AccessRequest
Protocol Radius
NAS-Port 50110
Framed-MTU 1500
NetworkDeviceProfileId b0699505-3150-4215-a80e-6753d45bf56c
IsThirdPartyDeviceFlow false
AcsSessionID -ISE-PAN/392570377/111256
EndPointMACAddress 70-5A-0F-2A-47-DE
ISEPolicySetName Wired
DTLSSupport Unknown
Network Device Profile Cisco
Location Location#All Locations#-HQ
Device Type Device Type#All Device Types#Wired
IPSEC IPSEC#Is IPSEC Device#No
RADIUS Username host/DESKTOP-QEDO10M
Device IP Address 10.200.208.100
CPMSessionID 0AC8D0640000000D00202A45
Called-Station-ID 3C:41:0E:F2:25:0A
CiscoAVPair service-type=Framed,
audit-session-id=0AC8D0640000000D00202A45,
method=dot1x

Result
RadiusPacketType AccessReject

Session Events

Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Normalised Radius.RadiusFlowType
15048 Queried PIP - DEVICE.Device Type
12953 Received EAP packet from the middle of conversation that contains a session on this PSN that does not exist
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject

Re: LOG cisco ISE

Mohammed al Baqari — Mon, 02 Nov 2020 12:25:13 GMT

Hi, it seems that you are using distributed PSNs. Not sure what flow is
triggering this for you but but the message states that the radius packet
came to this PSN is not an initial access request message. Instead it's a
message for an existing conversation and since this PSN has no context
about this conversation it dropped it.

Typical example, you have user redirected to guest portal. The user
authenticated initial radius request to PSN-1 but PSN-1 responded to user
with guest portal redirection with URL of the portal pointing to PSN-2.
PSN-2 will drop the next message that want to access guest portal since it
didn't get the initial request.

**** please remember to rate useful posts

Re: LOG cisco ISE

Marvin Rhoads — Mon, 02 Nov 2020 13:40:11 GMT

...or if the PSNs are behind a load balancer and the LB directed the non-initial packet to the wrong PSN.

topic Re: LOG cisco ISE in Network Security

LOG cisco ISE

Re: LOG cisco ISE

Re: LOG cisco ISE