ISE Auth Issues after upgrading to 2.4

awatson20
Level 4
Level 4

We recently upgraded from ISE 2.1 to 2.4, and since we have been seeing more random client auth issues.  We are using ISE mainly for authentications using PEAP on a wireless network.  Since the upgrade, clients are reporting issues and in the ISE logs we are mainly seeing this error. 

 5440 Endpoint abandoned EAP session and started new

 

We have seen this error before, but it is more related now to clients actually having connection issues.  We have not applied the patches yet, as we were waiting a couple of weeks to let the upgrade burn in.  Any ideas or suggestions, or known issues with this issue?

1 Accepted Solution

Accepted Solutions

Damien Miller
VIP Alumni
VIP Alumni
I would definitely patch the deployment immediately following upgrading, there are about 500 known bugs if you run unpatched, it could be any number of them.


10 Replies


marce1000
VIP
VIP

 - Or let your Intranet burn out? Bear me, I don't want to get into simple bashing towards Cisco. I believe CISCO ISE is a marvelous product with a vast number of possibilities BUT, as many people have experienced before: due to its complexity (configuration and the different-nodes-complexity) AND it being mission critical on the Intranet, it is simply not designed for upgrading production nodes. Many people therefore build a second/new environment in place to replace the old-versioned-ISE setup. I used to have a script which could switch radius servers (PSN Nodes) on the millisecond in the running config of a switch using the CISCO-CONFIG-MIB. Sometimes for a new major version it's even better to re-enter the policies from scratch to take advantage of new features in the most optimal way. Consider following these practices when upgrading to new ISE versions.

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Nidhi
Cisco Employee
Cisco Employee

Upgrade the patch as suggested. Also, are these Windows clients? Any event log which can be seen?


We applied the 2.4 Patch 9, and this seemed to make auth issues better at first, but we are continuing to see problems. Most of our endpoints are mobile iPhones or Android devices. From the client perspective, it appears that they cannot connect to the SSID. ISE shows the client constantly abandoning and establishing a new EAP session. The wireless controller shows the client authenticated. A debug basically shows the client going through the EAP process over and over. This all started after upgrading to 2.4.


See a lot of these errors in ISE:

5440 Endpoint abandoned EAP session and started new

12934 Supplicant stopped responding to ISE during PEAP tunnel establishment
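To turn the "constantly abandoning and establishing a new EAP session" symptom described above into something measurable, here is an added example (not code from the thread or from Cisco) that scans ISE failed-attempt messages, groups the 5440 and 12934 codes per Calling-Station-ID, and flags endpoints that restart EAP repeatedly within a short window. The simplified syslog layout, the MAC addresses, the 60-second window and the threshold of 3 are all assumptions constructed for the example; adjust the regex to the export format of your own deployment.

```python
"""Flag endpoints stuck in an EAP restart loop (ISE message codes 5440 / 12934)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Message codes quoted in the thread: 5440 = endpoint abandoned EAP session,
# 12934 = supplicant stopped responding during PEAP tunnel establishment.
LOOP_CODES = {"5440", "12934"}

# Constructed sample lines in a simplified ISE syslog layout (not a verbatim ISE export).
SAMPLE_LOG = """\
2019-05-01 09:00:00 ISE-PSN1 CISE_Failed_Attempts 5440 Endpoint abandoned EAP session and started new, Calling-Station-ID=aa:bb:cc:00:00:01
2019-05-01 09:00:04 ISE-PSN1 CISE_Failed_Attempts 12934 Supplicant stopped responding to ISE during PEAP tunnel establishment, Calling-Station-ID=aa:bb:cc:00:00:01
2019-05-01 09:00:09 ISE-PSN1 CISE_Failed_Attempts 5440 Endpoint abandoned EAP session and started new, Calling-Station-ID=aa:bb:cc:00:00:01
2019-05-01 09:00:13 ISE-PSN1 CISE_Failed_Attempts 5440 Endpoint abandoned EAP session and started new, Calling-Station-ID=aa:bb:cc:00:00:01
2019-05-01 09:00:20 ISE-PSN1 CISE_Passed_Authentications 5200 Authentication succeeded, Calling-Station-ID=aa:bb:cc:00:00:02
2019-05-01 09:30:00 ISE-PSN1 CISE_Failed_Attempts 5440 Endpoint abandoned EAP session and started new, Calling-Station-ID=aa:bb:cc:00:00:02
"""

# Assumed layout: "<timestamp> <node> <category> <code> <text>, Calling-Station-ID=<mac>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ \S+ (?P<code>\d+) .*?"
    r"Calling-Station-ID=(?P<mac>[0-9a-f:]{17})"
)

def parse_events(text):
    """Yield (timestamp, code, mac) for every line that matches the assumed layout."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["code"], m["mac"]

def find_eap_loops(text, window=timedelta(seconds=60), threshold=3):
    """Return {mac: peak_count} for endpoints with >= threshold loop messages in one window."""
    per_mac = defaultdict(list)
    for ts, code, mac in parse_events(text):
        if code in LOOP_CODES:
            per_mac[mac].append(ts)
    flagged = {}
    for mac, stamps in per_mac.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            hits = end - start + 1
            if hits >= threshold:
                flagged[mac] = max(hits, flagged.get(mac, 0))
    return flagged

if __name__ == "__main__":
    print(find_eap_loops(SAMPLE_LOG))  # {'aa:bb:cc:00:00:01': 4}
```

A single 5440 for an endpoint (the second MAC above) is normal roaming noise; a run of them inside one window is the pattern worth correlating with WLC RADIUS timeout and retransmit counters.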

- As an additional debug resource you may also involve the Wireless Debug Analyzer, which can be found from the link below:

https://developer.cisco.com/docs/wireless-troubleshooting-tools/

M.




A common cause of this is when iPhones don't trust the certificate. Did the ISE cert change?

The cert did not change, and I have had clients forget and accept the cert again anyway. At this time, it appears this issue may be related to the RADIUS timeout setting on the WLC, which defaults to 2 secs. We are increasing this to 10. Not a lot of evidence yet to back this up, but looking at the logs it appears that maybe this is the cause of the EAP retransmits. Is anyone aware of increased latency being introduced in 2.4? We were previously on 2.1 without any issues.

Hello awatson20 ,
Did it work to change the timeout setting on the WLC?

Yes, it did.

Surendra
Cisco Employee
Cisco Employee
No known issues as such, but I would recommend you get it checked with TAC if you are facing this regularly.