Explorer

ISE Auth Issues after upgrading to 2.4

We recently upgraded from ISE 2.1 to 2.4, and since then we have been seeing more random client auth issues. We are using ISE mainly for authentications using PEAP on a wireless network. Since the upgrade, clients are reporting issues, and in the ISE logs we are mainly seeing this error.

 5440 Endpoint abandoned EAP session and started new

 

We have seen this error before, but it is more related now to clients actually having connection issues.  We have not applied the patches yet, as we were waiting a couple of weeks to let the upgrade burn in.  Any ideas or suggestions, or known issues with this issue?

1 ACCEPTED SOLUTION

VIP Engager

Re: ISE Auth Issues after upgrading to 2.4

I would definitely patch the deployment immediately following upgrading; there are about 500 known bugs if you run unpatched, and it could be any number of them.
Rising star

Re: ISE Auth Issues after upgrading to 2.4

 

- Or let your Intranet burn out? Bear with me, I don't want to get into simple bashing towards Cisco. I believe CISCO ISE is a marvelous product with a vast number of possibilities, BUT as many people have experienced before: due to its complexity (configuration and the different-nodes-complexity) AND it being mission critical on the Intranet, it is simply not designed for upgrading production nodes. Many people therefore build a second/new environment in place to replace the old-versioned ISE setup. I used to have a script which could switch RADIUS servers (PSN nodes) on the millisecond in the running config of a switch using the CISCO-CONFIG-MIB. Sometimes for a new major version it's even better then to re-enter the policies from scratch to take advantage of new features in the most optimal way. Consider following these practices when upgrading to new ISE versions.

 M.

Cisco Employee

Re: ISE Auth Issues after upgrading to 2.4

Upgrade the patch as suggested. Also, are these Windows clients? Any event log which can be seen?

 

Explorer

Re: ISE Auth Issues after upgrading to 2.4

We applied the 2.4 Patch 9, and this seemed to make auth issues better at first, but we are continuing to see problems. Most of our endpoints are mobile iPhones or Android devices. From the client perspective, it appears that they cannot connect to the SSID. ISE shows the client constantly abandoning and establishing a new EAP session. The wireless controller shows the client authenticated. A debug basically shows the client going through the EAP process over and over. This all started after upgrading to 2.4.

 

See a lot of these errors in ISE:

5440 Endpoint abandoned EAP session and started new

12934 Supplicant stopped responding to ISE during PEAP tunnel establishment

Rising star

Re: ISE Auth Issues after upgrading to 2.4

- As an additional debug resource you may also involve the Wireless Debug Analyzer, which can be found from the link below:

https://developer.cisco.com/docs/wireless-troubleshooting-tools/

M.

VIP Engager

Re: ISE Auth Issues after upgrading to 2.4

A common cause of this is when iPhones don't trust the certificate. Did the ISE cert change?
Explorer

Re: ISE Auth Issues after upgrading to 2.4

The cert did not change, and I have had clients forget and accept the cert again anyways. At this time, it appears this issue may be related to the RADIUS timeout setting on the WLC, default at 2 secs. We are increasing this to 10. Not a lot of evidence yet to back this up, but looking at the logs it appears that maybe this is the cause of the EAP retransmits. Is anyone aware of increased latency being introduced in 2.4? We were previously on 2.1 without any issues.

Cisco Employee

Re: ISE Auth Issues after upgrading to 2.4

No known issues as such but would recommend you get it checked with TAC if you are facing this regularly.