cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1637
Views
1
Helpful
6
Replies
Highlighted
VIP Advisor

5238 Endpoint authentication problem was fixed

I am seeing a lot of these lately ... I did a google search and I saw a comment from the Support Forum that it relates to clients that were being suppressed, and are now authenticating again.  I have no idea what that means ... and the LiveLog detail below doesn't tell me which client or endpoint has been 'fixed'.  

Any clues?  The image below has not been edited - it's a straight copy and paste.

6 REPLIES 6
Highlighted
Contributor

Arne-

Which version of ISE are you running?

If you click on the "Misconfigured Supplicant" alarm from the home page, it will give you a lot more information see example below:


Endpoint Id: 14:B0:1F:20:F0:10

Username: 14:B0:1F:20:F0:10

Radius Username: 14:B0:1F:20:F0:10

Network Device Name: Switch name

Access Type: All Device Types#Switches

Location: All Locations#Department

NAS IP: x.x.x.x 15039 Rejected per authorization profile

Selected Authorization Profile contains ACCESS_REJECT attribute

Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule.

Check the appropriate Authorization policy rule-results.


The "silent" means that it has been a quite device and there is no real impact.  You may want to check the "Anomolous Client Suppression" settings for the version you are using


HTH


Vince

Highlighted

HI Vince

using 2.3 patch 1 in production. Not patched to patch 2 yet.

I’ll have a look at my settings. But I was mostly questioning the quite useless LiveLog entry that doesn’t tell me what endpoint it’s referring to.

Does your version populate the endpoint for that LiveLog entry which then correlated to the Alarm data you mentioned?

Highlighted

Arne-

I am running 2.3 patch 2, but i do not even see those events in my Radius live logs,

i go into the Alarm panel from home and view the events through there.  That is where all the details show

Vince

Highlighted
Cisco Employee

CSCvg36508 is an existing defect. It will take about 1 day for review before external accessible, as I just updated it.

It's addressed in ISE 2.4 only at the moment.

Highlighted

I'm using ISE 2.4 but I got this message too while trying to test BYOD with an Android device and Cisco WLC 2504.

wlc2.png

I checked the WLC and enabling/disabling the features on the WLC had no effect. How can I get rid of this problem?

Highlighted

In your case, the report has an endpoint ID. Thus, it's not the same.

Please run RADIUS error report and RADIUS auth report on that endpoint ID. If that is not giving you enough info, please engage Cisco TAC.