Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4537
Views
2
Helpful
7
Replies

5238 Endpoint authentication problem was fixed

Arne Bier
VIP
VIP

‎01-29-2018 08:19 PM

I am seeing a lot of these lately ... I did a google search and I saw a comment from the Support Forum that it relates to clients that were being suppressed, and are now authenticating again.  I have no idea what that means ... and the LiveLog detail below doesn't tell me which client or endpoint has been 'fixed'.  

Any clues?  The image below has not been edited - it's a straight copy and paste.

1 person had this problem
0 Helpful
7 Replies 7

vrostowsky
Level 5
Level 5

‎01-30-2018 06:49 AM

Arne-

Which version of ISE are you running?

If you click on the "Misconfigured Supplicant" alarm from the home page, it will give you a lot more information see example below:


Endpoint Id: 14:B0:1F:20:F0:10

Username: 14:B0:1F:20:F0:10

Radius Username: 14:B0:1F:20:F0:10

Network Device Name: Switch name

Access Type: All Device Types#Switches

Location: All Locations#Department

NAS IP: x.x.x.x 15039 Rejected per authorization profile

Selected Authorization Profile contains ACCESS_REJECT attribute

Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule.

Check the appropriate Authorization policy rule-results.


The "silent" means that it has been a quite device and there is no real impact.  You may want to check the "Anomolous Client Suppression" settings for the version you are using


HTH


Vince

0 Helpful

Arne Bier
VIP
VIP
In response to vrostowsky

‎01-30-2018 11:37 AM

HI Vince

using 2.3 patch 1 in production. Not patched to patch 2 yet.

I’ll have a look at my settings. But I was mostly questioning the quite useless LiveLog entry that doesn’t tell me what endpoint it’s referring to.

Does your version populate the endpoint for that LiveLog entry which then correlated to the Alarm data you mentioned?

0 Helpful

vrostowsky
Level 5
Level 5
In response to Arne Bier

‎01-30-2018 01:26 PM

Arne-

I am running 2.3 patch 2, but i do not even see those events in my Radius live logs,

i go into the Alarm panel from home and view the events through there.  That is where all the details show

Vince

0 Helpful

hslai
Cisco Employee
Cisco Employee

‎02-03-2018 03:40 PM

CSCvg36508 is an existing defect. It will take about 1 day for review before external accessible, as I just updated it.

It's addressed in ISE 2.4 only at the moment.

ciscoworlds
Level 4
Level 4
In response to hslai

‎06-08-2018 05:20 AM

I'm using ISE 2.4 but I got this message too while trying to test BYOD with an Android device and Cisco WLC 2504.

wlc2.png

I checked the WLC and enabling/disabling the features on the WLC had no effect. How can I get rid of this problem?

0 Helpful

hslai
Cisco Employee
Cisco Employee
In response to ciscoworlds

‎06-08-2018 06:10 AM

In your case, the report has an endpoint ID. Thus, it's not the same.

Please run RADIUS error report and RADIUS auth report on that endpoint ID. If that is not giving you enough info, please engage Cisco TAC.

0 Helpful

rezaalikhani
Level 3
Level 3

‎04-28-2023 08:41 AM - edited ‎04-28-2023 08:54 AM

Found good information regarding this functionality in the following link:

https://www.networkworld.com/article/3053669/troubleshooting-ciscos-ise-without-tac.html

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents