06-01-2020 08:38 AM
Hi,
I got this error and checked the authentication report. I attached logs here.
May I know what could be causing the problem? Is it a bug?
It seems the device never established a session with the ISE. It just keeps authenticating.
06-01-2020 09:42 AM
I am also facing a similar issue. Do let me know as well if you find any helpful guide.
06-02-2020 08:15 AM
From your attached text file:
Event 5440 Endpoint abandoned EAP session and started new
Failure Reason 5440 Endpoint abandoned EAP session and started new
Resolution Verify known NAD or supplicant issues and published bugs. Verify NAD and supplicant configuration.
Root cause Endpoint started new authentication while previous is still in progress. Most probable that supplicant on that endpoint stopped conducting the previous authentication and started the new one. Closing the previous authentication.
This is almost always an endpoint supplicant configuration issue. Specifically, it does not trust the ISE certificate. This is similar to what your web browser does when it goes to a site using HTTPS with a self-signed/mis-matched domain/expired certificate.
Please verify your endpoint is properly configured for 802.1X and that ISE has a certificate provisioned from a publicly-signed CA. Never use a self-signed certificate in ISE for a production deployment.
06-02-2020 09:40 AM
Hi,
I have checked the RADIUS log and attached the full steps here. The last few steps keep repeating. Based on the full steps, can I say that ISE received the client certs but Client Cert Validation failed?
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
06-02-2020 03:44 PM
What the logs show is that ISE is sending an Access-Challenge but, instead of receiving a response to that challenge, it is receiving a new Access-Request from the client. As @thomas stated, this is an issue with the supplicant not completing the process.
As I suggested in your other post here, you need to start looking at packet captures on the client and possibly debugs on the switch. This can be related to certificate issues, supplicant configuration issues or bugs, or even 3rd-party software (I've seen an old Citrix client adapter intercept EAPOL traffic in a customer's environment in the past).
I would suggest opening a TAC case to investigate in more detail.
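A way to spot the pattern described in this thread in an exported ISE step list, as an added example that is not part of any post: it finds the block of steps that repeats at the end of the list and checks for the 5440 event. The step codes and messages are the ones quoted above; the function names, the round threshold and the sample text are assumptions constructed for illustration.

```python
import re

STEP_RE = re.compile(r"^\s*(\d{4,5})\s+(.+?)\s*$")
ABANDONED = 5440    # "Endpoint abandoned EAP session and started new"
CHALLENGE = 11006   # "Returned RADIUS Access-Challenge"
MAX_ROUNDS = 3      # assumption: set above what a healthy client needs

def parse_steps(text):
    """Return [(code, message)] for lines shaped like '11006 Returned ...'."""
    return [(int(m.group(1)), m.group(2))
            for m in map(STEP_RE.match, text.splitlines()) if m]

def tail_cycle(codes):
    """Shortest block repeated back-to-back at the end of codes.
    Returns (block, repeats); repeats is 1 when nothing repeats."""
    n = len(codes)
    for size in range(1, n // 2 + 1):
        block, reps = codes[n - size:], 1
        while (n - (reps + 1) * size >= 0 and
               codes[n - (reps + 1) * size:n - reps * size] == block):
            reps += 1
        if reps > 1:
            return block, reps
    return codes[-1:], 1

def diagnose(text, max_rounds=MAX_ROUNDS):
    """Flag a handshake that loops on challenges or ends in event 5440."""
    codes = [code for code, _ in parse_steps(text)]
    abandoned = ABANDONED in codes
    block, reps = tail_cycle([c for c in codes if c != ABANDONED])
    looping = CHALLENGE in block and reps > max_rounds
    return {"abandoned": abandoned, "cycle": block,
            "repeats": reps, "stalled": abandoned or looping}

# Constructed sample: the five steps quoted in the thread, repeated,
# followed by the failure event from the authentication report.
CYCLE = """11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
"""
SAMPLE_FAILED = CYCLE * 5 + "5440 Endpoint abandoned EAP session and started new\n"
SAMPLE_SHORT = CYCLE * 2   # two rounds, no failure event

if __name__ == "__main__":
    print(diagnose(SAMPLE_FAILED))
    print(diagnose(SAMPLE_SHORT))
```

A few challenge rounds are normal in EAP-TLS because certificate chains are fragmented across several EAP packets, so the threshold should sit above what a working client in the same environment produces.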
06-02-2020 03:57 PM
Yes, please call TAC.
You have provided very little information to allow us to help you troubleshoot across the endpoint or supplicant, the network device, or ISE configuration. See How to Ask the Community for Help.
06-27-2024 02:23 AM - edited 06-27-2024 02:23 AM
Is that issue resolved? I am facing the same issue on Windows 23 H2 version machines.
Please share if you found anything.
02-19-2021 05:18 AM
Thomas,
In an environment where ISE's system certificates must be unique per function and node, having a public CA as an issuer is impractically expensive. Usually an enterprise allocates its own CA to sign certificates for admin/EAP functions, accompanied by gpupdates across AD assets pushing internally generated certs to internal clients. Of course, it's irrelevant to functions like portal.
09-10-2024 12:09 AM
I am using a self-signed certificate only, but in the supplicant settings I have also disabled server certificate verification.
05-12-2021 03:47 AM
Guys, I am having the same issue.
Did someone solve this issue, or does anyone have a recommendation for deeper debugging?
Thank you,
Laura
05-12-2021 04:07 AM
Hi Laura
Did you already uncheck the EAP-TLS L-bit in the protocols list you allowed for the corresponding policy?
Otherwise, capturing on the port with the endpoint would be useful.
05-12-2021 07:56 AM
I did that; in fact, it wasn't checked at all on ISE version 3.0. I made sure to double-check, but the issue persists.
Do you have any idea of the troubleshooting steps I would need to take to narrow the issue's scope?
Looking forward to hearing from you.
Thank you,
Laura
07-13-2021 06:26 PM
Did you solve the problem?
I have ISE 3.0 and I have the same problem with several users.