04-11-2025 08:46 AM
I have a two-node deployment; the primary node is the one configured on top in the RADIUS configuration on the switch (test).
Dot1x authentication is fully functional on the first node. The first node went off due to a power issue, but the second node couldn't authenticate the devices through dot1x.
Both nodes are synchronized, the certificate is a wildcard one and has been imported on the second node.
All dot1x authentication fails with a 5411 Supplicant stopped responding to ISE after sending it the first EAP-TLS message.
On the Windows native supplicant I have unchecked "Server Certificate Verification" and it still failed.
04-14-2025 10:26 AM
Please try this CLI on your switch.
This checks whether the user can authenticate or not.
04-14-2025 10:30 AM
Yeah, we have already tried that and the user was able to successfully authenticate, but from the ISE log we notice that the policy server seems to remain the first node even though we specified the second node IP.
04-14-2025 11:01 AM - edited 04-14-2025 11:02 AM
Did you use the SEC node IP in the CLI?
04-14-2025 11:23 AM
Yeah, the secondary node IP has been used in the CLI.
04-14-2025 11:36 AM
04-14-2025 02:20 PM
As I mentioned earlier, it has been done, but the log only shows the first node. The result is successful, but it only shows the policy server as being the first node even though the second node IP has been used.