5440 Endpoint abandoned EAP session and started new

lin.yang2
Level 1

Overview

Event: 5440 Endpoint abandoned EAP session and started new
Username: zhenwei.zhang
Endpoint Id: B6:E3:3D:A9:F3:94
Endpoint Profile:
Authentication Policy: Ordos_802.1x_AD_auth
Authorization Policy: Ordos_802.1x_AD_auth
Authorization Result:

 

Authentication Details

Source Timestamp: 2022-04-25 06:34:47.92
Received Timestamp: 2022-04-25 06:34:47.92
Policy Server: ise
Event: 5440 Endpoint abandoned EAP session and started new
Failure Reason: 5440 Endpoint abandoned EAP session and started new
Resolution: Verify known NAD or supplicant issues and published bugs. Verify NAD and supplicant configuration.
Root cause: Endpoint started new authentication while previous is still in progress. Most probable that supplicant on that endpoint stopped conducting the previous authentication and started the new one. Closing the previous authentication.
Username: zhenwei.zhang
Endpoint Id: B6:E3:3D:A9:F3:94
Authentication Protocol: PEAP
Network Device: Ordos_C9800
Device Type: All Device Types
Location: All Locations
NAS IPv4 Address: 10.204.60.3
NAS Port Id: capwap_90000029
NAS Port Type: Wireless - IEEE 802.11
Response Time: 41 milliseconds

 

Other Attributes

ConfigVersionId: 217
AcsSessionID: ise/439644191/19875
NAS-Port: 91918
CPMSessionID: 033CCC0A00003896611F97C9
EndPointMACAddress: B6-E3-3D-A9-F3-94
ISEPolicySetName: Ordos_802.1x_AD_auth
StepLatency: 21=18618
DTLSSupport: Unknown
Network Device Profile: Cisco
Location: Location#All Locations
Device Type: Device Type#All Device Types
IPSEC: IPSEC#Is IPSEC Device#No
Device IP Address: 10.204.60.3
Called-Station-ID: 9c-d5-7d-bc-d8-40:Envision-AESC

 

Result

RadiusPacketType: Drop

 Steps

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Radius.NAS-Port-Type
11507 Extracted EAP-Response/Identity
12300 Prepared EAP-Request proposing PEAP with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12808 Prepared TLS ServerKeyExchange message
12810 Prepared TLS ServerDone message
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
5440 Endpoint abandoned EAP session and started new (Step latency=18618 ms)

Problem: user authentication fails with a 5440 error.

My wireless controller (AC) version is:

C9800#SHOW VERsion
Cisco IOS XE Software, Version 17.03.03
Cisco IOS Software [Amsterdam], C9800 Software (C9800_IOSXE-K9), Version 17.3.3, RELEASE SOFTWARE (fc7)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2021 by Cisco Systems, Inc.
Compiled Thu 04-Mar-21 12:37 by mcpre

My ISE version is 3.1.

3 Accepted Solutions


Hi @lin.yang2 ,

 please take a look at: BRKSEC-3383 Troubleshooting ISE, special attention to pg. 10 - 802.1x Endpoint Abandoned EAP Session.

 

Hope this helps !!!


Mike.Cifelli
VIP Alumni

5440 Endpoint abandoned EAP session and started new

-This is usually an indication of a misconfigured supplicant and/or end user possibly being impatient and initiating a new auth session before initial one completes. This may help too: ISE Secure Wired Access Prescriptive Deployment Guide - Cisco Community


Although this is an old post ... I would like to add some points for future reference:

1. special attention to: CSCwd35786 ENH: ISE: 5440 Endpoint abandoned EAP session events need to have visibility in ISE reports

Note: the best Workaround is, at Operations > Reports > Reports > Diagnostics > RADIUS Errors, click the Advanced Filter and Failure Reason CONTAINS 5440.

2. check the CSCwc93451 Profiler should ignore non-positive RADIUS syslog messages for forwarding from default RADIUS probe

" ... Conditions:
Normal operation with profiler default RADIUS probe enabled. You will see messages forwarded like: "5440 NOTICE RADIUS: Endpoint abandoned EAP session and started new , 12934 WARN Failed-Attempt: Supplicant stopped responding, etc. We should only be sending successful authentications, accounting start/stop/interim, ie, 5200, 3000, 3001 & 3002. There are additional successful codes other than 5200. These need to be included as well. Everything else should be filtered out and not sent to VCS or DB. ... "

Fixed on ISE3.1 P5 and ISE2.7 P8.

Hope this helps !!!
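
Added example (not part of the thread and not Cisco tooling): a small Python triage of a pasted "Steps" list like the one in the question, reporting what ISE had last sent and whether the endpoint sent any further request after the server certificate went out. The function names and the sample text are constructed for illustration; the step codes are the ones shown in the question.

```python
import re

# Constructed sample shaped like the question's "Steps" list. The parser accepts
# the step code with or without a space before its text.
SAMPLE_STEPS = """
11001 Received RADIUS Access-Request
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
12318 Successfully negotiated PEAP version 0
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12810 Prepared TLS ServerDone message
11006 Returned RADIUS Access-Challenge
5440 Endpoint abandoned EAP session and started new (Step latency=18618 ms)
"""

STEP_RE = re.compile(r"^\s*(\d{4,5})\s*(\S.*)$")
LATENCY_RE = re.compile(r"Step latency=(\d+)\s*ms")

def parse_steps(text):
    """Return [(code, description)] for every line that starts with a step code."""
    return [(int(m.group(1)), m.group(2).strip())
            for m in map(STEP_RE.match, text.splitlines()) if m]

def triage_5440(text):
    """Describe the state of the EAP exchange when ISE logged 5440, or None."""
    steps = parse_steps(text)
    codes = [code for code, _ in steps]
    if 5440 not in codes:
        return None
    end = codes.index(5440)
    before = codes[:end]
    latency = LATENCY_RE.search(steps[end][1])
    last_request = max((i for i, c in enumerate(before) if c == 11001), default=-1)
    cert_sent = max((i for i, c in enumerate(before) if c == 12807), default=-1)
    return {
        # ISE's last action was an Access-Challenge: it was waiting on the endpoint.
        "waiting_on_supplicant": bool(before) and before[-1] == 11006,
        # The TLS Certificate message went out and no Access-Request followed it.
        "silent_after_server_cert": cert_sent > last_request,
        "last_prepared": next((d for _, d in reversed(steps[:end])
                               if d.startswith("Prepared ")), None),
        "latency_ms": int(latency.group(1)) if latency else None,
    }

if __name__ == "__main__":
    print(triage_5440(SAMPLE_STEPS))
```

Run over many exported failure details, the `silent_after_server_cert` and `latency_ms` fields make it easy to separate endpoints that stop at the same point every time from ones that fail sporadically.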


4 Replies 4

That link doesn't work. It says page not found.

 
