802.1x authentication failed

lin.yang2
Level 1

Overview

Event: 5434 Endpoint conducted several failed authentications of the same scenario
Username: USERNAME
Endpoint Id: DC:A2:66:1A:0C:4B
Endpoint Profile:
Authentication Policy: Ordos_802.1x_AD_auth
Authorization Policy: Ordos_802.1x_AD_auth
Authorization Result:

Authentication Details

Source Timestamp: 2022-05-16 16:40:50.601
Received Timestamp: 2022-05-16 16:40:50.601
Policy Server: ise
Event: 5434 Endpoint conducted several failed authentications of the same scenario
Failure Reason: 12309 PEAP handshake failed
Resolution: Check whether the proper server certificate is installed and configured for EAP in the Local Certificates page ( Administration > System > Certificates > Local Certificates ). Also ensure that the certificate authority that signed this server certificate is properly installed in client's supplicant. Check the previous steps in the log for this PEAP conversation for a message indicating why the handshake failed. Check the OpenSSLErrorMessage and OpenSSLErrorStack for more information.
Root cause: PEAP handshake failed.
Username: USERNAME
Endpoint Id: DC:A2:66:1A:0C:4B
Audit Session Id: 033CCC0A00000197CDBA6B2E
Authentication Method: dot1x
Authentication Protocol: PEAP
Service Type: Framed
Network Device: Ordos_C9800
Device Type: All Device Types
Location: All Locations
NAS IPv4 Address: 10.204.60.3
NAS Port Id: capwap_90000005
NAS Port Type: Wireless - IEEE 802.11
Response Time: 9 milliseconds

Other Attributes

ConfigVersionId: 82
Device Port: 57622
DestinationPort: 1812
RadiusPacketType: AccessRequest
UserName: USERNAME
Protocol: Radius
NAS-IP-Address: 10.204.60.3
NAS-Port: 91920
Framed-MTU: 1485
State: 37CPMSessionID=033CCC0A00000197CDBA6B2E;29SessionID=ise/441870738/71681;
Airespace-Wlan-Id: 2
IsEndpointInRejectMode: false
NetworkDeviceProfileName: Cisco
NetworkDeviceProfileId: b0699505-3150-4215-a80e-6753d45bf56c
IsThirdPartyDeviceFlow: false
RadiusFlowType: Wireless802_1x
SSID: 48-8b-0a-33-eb-20:Envision-AESC
AcsSessionID: ise/441870738/71681
OpenSSLErrorMessage: SSL alert: code=0x246=582 ; source=local ; type=fatal ; message="protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]"
OpenSSLErrorStack: 140005319513856:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:
CPMSessionID: 033CCC0A00000197CDBA6B2E
EndPointMACAddress: DC-A2-66-1A-0C-4B
ISEPolicySetName: Ordos_802.1x_AD_auth
StepData: 4= Normalised Radius.RadiusFlowType
StepData: 5= Radius.Called-Station-ID
DTLSSupport: Unknown
Network Device Profile: Cisco
Location: Location#All Locations
Device Type: Device Type#All Device Types
IPSEC: IPSEC#Is IPSEC Device#No
Called-Station-ID: 48-8b-0a-33-eb-20:Envision-AESC
CiscoAVPair: service-type=Framed
audit-session-id: 033CCC0A00000197CDBA6B2E
method: dot1x
client-iif-id: 3607103665
vlan-id: 602
cisco-wlan-ssid: Envision-AESC
wlan-profile-name: Envision-AESC

Result

RadiusPacketType: AccessReject

Steps

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
11507 Extracted EAP-Response/Identity
12300 Prepared EAP-Request proposing PEAP with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12814 Prepared TLS Alert message
12817 TLS handshake failed
12309 PEAP handshake failed
12307 PEAP authentication failed
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
61025 Open secure connection with TLS peer
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
5434 Endpoint conducted several failed authentications of the same scenario

I have many PC terminals, and there is a batch of Windows 10 802.1x authentication failures. I have not found the specific reason. Other Androids, iPhones, etc. are all certified without problems, why? This is one of the reasons for the error. Why do some PCs have problems with the same configuration, and some have no problems?
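The OpenSSLErrorMessage attribute in the failed record above packs two things worth decoding before anyone touches certificates: the TLS alert ISE sent (code=0x246) and the OpenSSL error tuple (lib/func/reason). The Python below is an added example, not part of the original post and not Cisco ISE code; it decodes both from the logged string and picks the earliest failing step out of the Steps list. The sample strings are copied from the record above, and the alert and level names come from RFC 5246 section 7.2 (the OpenSSL reason name in the comment, SSL_R_UNSUPPORTED_PROTOCOL, is OpenSSL's public constant for reason 258).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the OpenSSLErrorMessage value copied from the failed PEAP
# record above (ISE live-log "Other Attributes" pane).
FAILED_OPENSSL_MESSAGE = (
    'SSL alert: code=0x246=582 ; source=local ; type=fatal ; '
    'message="protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:'
    'SSL routines:tls_early_post_process_client_hello:unsupported protocol '
    '[error=337678594 lib=20 func=521 reason=258]"'
)

# Constructed sample: the tail of the ISE "Steps" list from the same record,
# one "<code> <text>" line per step.
FAILED_STEPS = [
    "12800 Extracted first TLS record; TLS handshake started",
    "12805 Extracted TLS ClientHello message",
    "12814 Prepared TLS Alert message",
    "12817 TLS handshake failed",
    "12309 PEAP handshake failed",
    "12307 PEAP authentication failed",
]

# TLS AlertLevel / AlertDescription values from RFC 5246 section 7.2 (RFC 8446
# keeps the same numbers); only the ones common in EAP-TLS/PEAP troubleshooting.
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 110: "unsupported_extension",
}


@dataclass
class TlsAlert:
    level: int        # 1 = warning, 2 = fatal
    description: int  # RFC 5246 AlertDescription
    source: str       # "local": ISE generated the alert itself; "remote": the supplicant sent it

    @property
    def level_name(self) -> str:
        return ALERT_LEVELS.get(self.level, f"unknown({self.level})")

    @property
    def description_name(self) -> str:
        return ALERT_DESCRIPTIONS.get(self.description, f"unknown({self.description})")


@dataclass
class OpenSslError:
    lib: int          # OpenSSL library id (20 = SSL routines)
    func: int         # function id inside that library
    reason: int       # reason code (258 = SSL_R_UNSUPPORTED_PROTOCOL)
    function: str     # function name as printed in the error string
    reason_text: str  # reason text as printed in the error string


def decode_alert_code(code: int) -> Tuple[int, int]:
    """ISE logs the two TLS alert bytes as one integer: high byte = level, low byte = description."""
    return (code >> 8) & 0xFF, code & 0xFF


def decode_openssl_error(code: int) -> Tuple[int, int, int]:
    """OpenSSL 1.x packs an error code as 8-bit lib, 12-bit func, 12-bit reason."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def parse_openssl_message(msg: str) -> Tuple[TlsAlert, OpenSslError]:
    """Pull the TLS alert and the OpenSSL error out of an ISE OpenSSLErrorMessage value."""
    code_match = re.search(r"code=0x([0-9a-fA-F]+)", msg)
    source_match = re.search(r"source=(\w+)", msg)
    err_match = re.search(r"error:([0-9a-fA-F]{8}):([^:]+):([^:]+):([^\[]+)", msg)
    if not (code_match and source_match and err_match):
        raise ValueError("not an ISE OpenSSLErrorMessage value")
    level, description = decode_alert_code(int(code_match.group(1), 16))
    lib, func, reason = decode_openssl_error(int(err_match.group(1), 16))
    alert = TlsAlert(level, description, source_match.group(1))
    error = OpenSslError(lib, func, reason, err_match.group(3), err_match.group(4).strip())
    return alert, error


def first_failed_step(steps: List[str]) -> Optional[Tuple[int, str]]:
    """Return (code, text) of the earliest step whose text reports a failure, else None."""
    for line in steps:
        code, _, text = line.strip().partition(" ")
        if "failed" in text.lower():
            return int(code), text
    return None


def summarize(msg: str, steps: List[str]) -> str:
    """One-line diagnosis combining the decoded alert, the OpenSSL reason and the first failing step."""
    alert, err = parse_openssl_message(msg)
    step = first_failed_step(steps)
    where = f"step {step[0]} ({step[1]})" if step else "no failing step"
    return (f"{alert.level_name} TLS alert {alert.description_name} (source={alert.source}) "
            f"in {err.function}: {err.reason_text}; first failure at {where}")


if __name__ == "__main__":
    print(summarize(FAILED_OPENSSL_MESSAGE, FAILED_STEPS))
```

For the record above this yields a fatal protocol_version alert with source=local, raised inside tls_early_post_process_client_hello. Together with step 12814 ("Prepared TLS Alert message") following directly on 12805 ("Extracted TLS ClientHello message"), that places the failure at TLS version negotiation, before ISE sent its server certificate; comparing the TLSVersion and TLSCipher attributes of a successful record for the same SSID (the working one later in this thread shows TLSv1.2) against the versions the failing supplicants are configured to offer is the natural next check alongside the certificate-trust check in the accepted answer.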

 

Accepted Solution

Looks like those client PCs do not have the ISE certificate as a trusted certificate/CA in their trusted store.  Are these machines managed via AD/GPO?  Are you using an internal, external, or self-signed certificate on ISE?  Is your expected EAP type PEAP?

 


3 Replies

 

Authentication Details

Source Timestamp: 2022-05-18 00:11:23.996
Received Timestamp: 2022-05-18 00:11:23.996
Policy Server: ise
Event: 5200 Authentication succeeded
Username: hwuser001
Endpoint Id: 9C:DA:3E:6F:8A:01
Calling Station Id: 9c-da-3e-6f-8a-01
Endpoint Profile: Windows10-Workstation
IPv4 Address: 10.204.24.194
IPv6 Address: fe80::14fb:2c56:31bf:47d
Authentication Identity Store: sslvpnadmin
Identity Group: GuestEndpoints
Audit Session Id: 033CCC0A000001CED4601835
Authentication Method: dot1x
Authentication Protocol: PEAP (EAP-MSCHAPv2)
Service Type: Framed
Network Device: Ordos_C9800
Device Type: All Device Types
Location: All Locations
NAS IPv4 Address: 10.204.60.3
NAS Port Id: capwap_90000002
NAS Port Type: Wireless - IEEE 802.11
Authorization Profile: PermitAccessVLAN602
Response Time: 783 milliseconds

Other Attributes

ConfigVersionId: 82
DestinationPort: 1812
Protocol: Radius
NAS-Port: 91920
Framed-MTU: 1485
State: 37CPMSessionID=033CCC0A000001CED4601835;30SessionID=ise/441870738/113986;
NetworkDeviceProfileId: b0699505-3150-4215-a80e-6753d45bf56c
IsThirdPartyDeviceFlow: false
AcsSessionID: ise/441870738/113986
SelectedAuthenticationIdentityStores: Internal Users
SelectedAuthenticationIdentityStores: All_AD_Join_Points
SelectedAuthenticationIdentityStores: Guest Users
SelectedAuthenticationIdentityStores: Internal Endpoints
SelectedAuthenticationIdentityStores: sslvpnadmin
AuthenticationStatus: AuthenticationPassed
IdentityPolicyMatchedRule: Default
AuthorizationPolicyMatchedRule: Authorization Rule 1
EndPointMACAddress: 9C-DA-3E-6F-8A-01
ISEPolicySetName: Ordos_802.1x_AD_auth
IdentitySelectionMatchedRule: Default
AD-User-Resolved-Identities: hwuser001@ch.envision-aesc.com
AD-User-Candidate-Identities: hwuser001@ch.envision-aesc.com
TotalAuthenLatency: 1243
ClientLatency: 460
AD-User-Resolved-DNs: CN=hwuser001,OU=外包人员,OU=用户,DC=ch,DC=envision-aesc,DC=com
AD-User-DNS-Domain: ch.envision-aesc.com
AD-User-NetBios-Name: CH
IsMachineIdentity: false
UserAccountControl: 512
AD-User-SamAccount-Name: hwuser001
AD-User-Qualified-Name: hwuser001@ch.envision-aesc.com
TLSCipher: ECDHE-RSA-AES256-GCM-SHA384
TLSVersion: TLSv1.2
DTLSSupport: Unknown
HostIdentityGroup: Endpoint Identity Groups:GuestEndpoints
Network Device Profile: Cisco
Location: Location#All Locations
Device Type: Device Type#All Device Types
IPSEC: IPSEC#Is IPSEC Device#No
IdentityAccessRestricted: false
RADIUS Username: hwuser001
NAS-Identifier: Envision-AESC
Device IP Address: 10.204.60.3
CPMSessionID: 033CCC0A000001CED4601835
Called-Station-ID: 48-8b-0a-33-eb-20:Envision-AESC
CiscoAVPair:

service-type=Framed, audit-session-id=033CCC0A000001CED4601835, method=dot1x, addrv6=fe80::14fb:2c56:31bf:47d, client-iif-id=2801803242, vlan-id=602, cisco-wlan-ssid=Envision-AESC, wlan-profile-name=Envision-AESC, AuthenticationIdentityStore=sslvpnadmin, FQSubjectName=2f61b640-bedf-11ec-

-e2f1729a5b7f#hwuser001@ch.envision-aesc.com, UniqueSubjectID=a4b6cca657c08a89b07cdd7bbf2720b8558c0248

-------------------------------------------------------------------

The above is the record of a successful authentication.

Yes, all of my PCs are domain-added PCs. Most of the PCs are capable of 802.1x authentication. At present, it has been found that some people cannot be 802.1x authenticated and cannot connect.

@lin.yang2, if the PC doesn't have the ISE certificate, as @ahollifield mentioned, please add it.
If it has the ISE certificate, then there is an issue with the ISE certificate.