5440 Endpoint abandoned EAP session and started new

getaway51 (Level 2)

Hi,

I got this error and checked the authentication report. I attached the logs here.

May I know what could be causing the problem? Is it a bug?

It seems the device never established a session with ISE. It just keeps authenticating.

I am also facing a similar issue. Do let me know as well if you find out any helpful guide.

Hi,

Previously the dot1x laptop was working fine. Only recently, after the lockdown, did the problem start. These are Windows 10.
Not sure if it is a cert issue.
The timer in sh auth br keeps resetting due to AZ and UZ being intermittent.
Are yours the same?

thomas (Cisco Employee)

From your attached text file:

Event	5440 Endpoint abandoned EAP session and started new
Failure Reason	5440 Endpoint abandoned EAP session and started new
Resolution	Verify known NAD or supplicant issues and published bugs. Verify NAD and supplicant configuration.
Root cause	Endpoint started new authentication while previous is still in progress. Most probable that supplicant on that endpoint stopped conducting the previous authentication and started the new one. Closing the previous authentication.

This is almost always an endpoint supplicant configuration issue. Specifically, it does not trust the ISE certificate. This is similar to what your web browser does when it goes to a site using HTTPS with a self-signed/mis-matched domain/expired certificate.

Please verify your endpoint is properly configured for 802.1X and that ISE has a certificate provisioned from a publicly-signed CA. Never use a self-signed certificate in ISE for a production deployment.

Hi,

Is there a way I can get more details from the ISE troubleshooting tool, tcpdump or endpoint debug?
Really running out of options here.

Hi,

I have checked the RADIUS log and attached the full steps here. The last few steps keep repeating. Based on the full steps, can I say that ISE received the client certs but Client Cert Validation failed?

11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge

What the logs show is that ISE is sending an Access-Challenge but, instead of receiving a response to that challenge, it is receiving a new Access-Request from the client. As @thomas stated, this is an issue with the supplicant not completing the process.

As I suggested in your other post here, you need to start looking at packet captures on the client and possibly debugs on the switch. This can be related to certificate issues, supplicant configuration issues or bugs, or even 3rd-party software (I've seen an old Citrix client adapter intercept EAPOL traffic in a customer's environment in the past).

I would suggest opening a TAC case to investigate in more detail.
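The pattern described in this answer (ISE returns an Access-Challenge, the EAP-TLS exchange cycles without ever completing, and the authentication report fills with 5440 events) can be spotted from the logs before anyone opens a capture. The script below is an added example for this thread, not code from the original post or from Cisco: it parses a constructed authentication-report extract (the row layout of timestamp, endpoint MAC, message code and text is an assumption; the MAC addresses are placeholders) and a "Steps" list built from the five step codes quoted above, flags endpoints that keep raising 5440 without ever succeeding, and detects a repeating challenge/response tail with no terminal step. 5200 is ISE's "Authentication succeeded" code and is used only for the healthy endpoint in the sample.

```python
import re
from collections import defaultdict

# Constructed sample rows in the shape of an ISE RADIUS authentication
# report: timestamp, endpoint MAC (placeholder values), ISE message code
# and message text. 5440 is the event from the thread; 5200 is ISE's
# "Authentication succeeded" code, used here for the healthy endpoint.
REPORT = """\
2020-06-01T09:00:01 aa:bb:cc:dd:ee:01 5440 Endpoint abandoned EAP session and started new
2020-06-01T09:00:31 aa:bb:cc:dd:ee:01 5440 Endpoint abandoned EAP session and started new
2020-06-01T09:01:01 aa:bb:cc:dd:ee:01 5440 Endpoint abandoned EAP session and started new
2020-06-01T09:00:05 aa:bb:cc:dd:ee:02 5440 Endpoint abandoned EAP session and started new
2020-06-01T09:00:09 aa:bb:cc:dd:ee:02 5200 Authentication succeeded
"""

# Constructed "Steps" section of one authentication detail, built from the
# five step codes quoted in the thread, repeated as the poster described.
STEPS = "\n".join([
    "11006 Returned RADIUS Access-Challenge",
    "11001 Received RADIUS Access-Request",
    "11018 RADIUS is re-using an existing session",
    "12504 Extracted EAP-Response containing EAP-TLS challenge-response",
    "12505 Prepared EAP-Request with another EAP-TLS challenge",
] * 3)

ABANDONED, SUCCEEDED = 5440, 5200
ACCESS_CHALLENGE, ACCESS_REQUEST = 11006, 11001
ROW = re.compile(r"^(\S+)\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\d+)\s+(.*)$", re.I)
STEP = re.compile(r"^\s*(\d+)\s+(.*)$")


def parse_report(text):
    """Yield (timestamp, mac, code) for each well-formed report row; skip anything else."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            yield m.group(1), m.group(2).lower(), int(m.group(3))


def chronic_abandoners(text, threshold=2):
    """Endpoints that raised 5440 at least `threshold` times and never authenticated successfully.

    A single 5440 followed by a success is a transient restart; a run of them
    with no 5200 is the supplicant-never-completes case from the thread.
    """
    counts, succeeded = defaultdict(int), set()
    for _, mac, code in parse_report(text):
        if code == ABANDONED:
            counts[mac] += 1
        elif code == SUCCEEDED:
            succeeded.add(mac)
    return {mac: n for mac, n in counts.items() if n >= threshold and mac not in succeeded}


def parse_steps(text):
    """Return the numeric step codes of a Steps list, in order."""
    return [int(m.group(1)) for line in text.splitlines() if (m := STEP.match(line))]


def repeating_tail(codes, min_repeats=2):
    """Return (period, repeats) for the shortest cycle the step list ends with, or None.

    Compares the last `period` codes against each preceding block of the same
    length until a block differs; shortest period that repeats enough wins.
    """
    n = len(codes)
    for period in range(1, n // min_repeats + 1):
        last = codes[n - period:]
        repeats = 0
        while (repeats + 1) * period <= n and codes[n - (repeats + 1) * period: n - repeats * period] == last:
            repeats += 1
        if repeats >= min_repeats:
            return period, repeats
    return None


def diagnose_steps(text):
    """Describe the end of a step list: is it a challenge/response cycle that never terminates?"""
    codes = parse_steps(text)
    tail = repeating_tail(codes)
    if tail is None:
        return {"loop": False, "period": 0, "repeats": 0}
    period, repeats = tail
    cycle = codes[-period:]
    # The list ends inside the cycle (no accept/reject after it), so a
    # cycle containing both the challenge and the request step is the
    # "ISE keeps challenging, client keeps re-requesting" symptom.
    return {"loop": ACCESS_CHALLENGE in cycle and ACCESS_REQUEST in cycle,
            "period": period, "repeats": repeats}


if __name__ == "__main__":
    print("endpoints to investigate:", chronic_abandoners(REPORT))
    print("steps diagnosis:", diagnose_steps(STEPS))
```

Run against a real export, the endpoints it returns are the ones worth a client-side capture and a look at the supplicant's trusted-root selection; the step diagnosis confirms that the tail of the detail page is a cycle rather than a one-off failure.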

Yes, please call TAC.

You have provided very little information to allow us to help you troubleshoot across the endpoint or supplicant, the network device, or ISE configuration. See How to Ask the Community for Help.

Thomas,

In environments where ISE's system certificates must be unique per function and node, having a public CA as the issuer is impractically expensive. Usually an enterprise allocates its own CA to sign certificates for the admin/EAP functions, accompanied by GPO updates across AD assets pushing the internally generated certs to internal clients. Of course, this is irrelevant to functions like the portal.

laurathaqi (Level 3)

Guys, I am having the same issue.

Did someone solve this issue, or does anyone have a recommendation for further deep debugging?

Thank you,

Laura

Hi Laura,

Did you already uncheck the EAP-TLS L-bit in the list of protocols you allowed for the corresponding policy?

Otherwise, capturing on the port with the endpoint would be useful.

Hi @andy!doesnt!like!uucp

I did that; in fact it wasn't checked at all on ISE version 3.0. But I made sure to double-check; however, the issue persists.

Do you have any idea of the troubleshooting steps I would need to take to narrow the issue's scope?

Looking forward to hearing from you.

Thank you,

Laura

Did you solve the problem?
I have ISE 3.0 and I have the same problem with several users.

Hi @FernandoDiaz1992

The issue at my end was that the root cert was not selected on the supplicant side.

The root cert needs to be imported and installed on the supplicant, and then checked under Security settings.

Hope it helps.

Best,

Laura

Hello Laura,

Do you mean with "the root cert was not selected on the supplicant side" that the proper root CA was not checked in the list of root CAs under the Network Authentication Method Properties?

Is this also what you mean by the security settings?

Thank you

Rishi
