Overview
| Event | 5434 Endpoint conducted several failed authentications of the same scenario |
| Username | USERNAME |
| Endpoint Id | DC:A2:66:1A:0C:4B |
| Endpoint Profile | |
| Authentication Policy | Ordos_802.1x_AD_auth |
| Authorization Policy | Ordos_802.1x_AD_auth |
| Authorization Result |
Authentication Details
| Source Timestamp | 2022-05-16 16:40:50.601 |
| Received Timestamp | 2022-05-16 16:40:50.601 |
| Policy Server | ise |
| Event | 5434 Endpoint conducted several failed authentications of the same scenario |
| Failure Reason | 12309 PEAP handshake failed |
| Resolution | Check whether the proper server certificate is installed and configured for EAP in the Local Certificates page ( Administration > System > Certificates > Local Certificates ). Also ensure that the certificate authority that signed this server certificate is properly installed in client's supplicant. Check the previous steps in the log for this PEAP conversation for a message indicating why the handshake failed. Check the OpenSSLErrorMessage and OpenSSLErrorStack for more information. |
| Root cause | PEAP handshake failed. |
| Username | USERNAME |
| Endpoint Id | DC:A2:66:1A:0C:4B |
| Audit Session Id | 033CCC0A00000197CDBA6B2E |
| Authentication Method | dot1x |
| Authentication Protocol | PEAP |
| Service Type | Framed |
| Network Device | Ordos_C9800 |
| Device Type | All Device Types |
| Location | All Locations |
| NAS IPv4 Address | 10.204.60.3 |
| NAS Port Id | capwap_90000005 |
| NAS Port Type | Wireless - IEEE 802.11 |
| Response Time | 9 milliseconds |
Other Attributes
| ConfigVersionId | 82 |
| Device Port | 57622 |
| DestinationPort | 1812 |
| RadiusPacketType | AccessRequest |
| UserName | USERNAME |
| Protocol | Radius |
| NAS-IP-Address | 10.204.60.3 |
| NAS-Port | 91920 |
| Framed-MTU | 1485 |
| State | 37CPMSessionID=033CCC0A00000197CDBA6B2E;29SessionID=ise/441870738/71681; |
| Airespace-Wlan-Id | 2 |
| IsEndpointInRejectMode | false |
| NetworkDeviceProfileName | Cisco |
| NetworkDeviceProfileId | b0699505-3150-4215-a80e-6753d45bf56c |
| IsThirdPartyDeviceFlow | false |
| RadiusFlowType | Wireless802_1x |
| SSID | 48-8b-0a-33-eb-20:Envision-AESC |
| AcsSessionID | ise/441870738/71681 |
| OpenSSLErrorMessage | SSL alert: code=0x246=582 ; source=local ; type=fatal ; message="protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]" |
| OpenSSLErrorStack | 140005319513856:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686: |
| CPMSessionID | 033CCC0A00000197CDBA6B2E |
| EndPointMACAddress | DC-A2-66-1A-0C-4B |
| ISEPolicySetName | Ordos_802.1x_AD_auth |
| StepData | 4= Normalised Radius.RadiusFlowType |
| StepData | 5= Radius.Called-Station-ID |
| DTLSSupport | Unknown |
| Network Device Profile | Cisco |
| Location | Location#All Locations |
| Device Type | Device Type#All Device Types |
| IPSEC | IPSEC#Is IPSEC Device#No |
| Called-Station-ID | 48-8b-0a-33-eb-20:Envision-AESC |
| CiscoAVPair | service-type=Framed |
| audit-session-id | 033CCC0A00000197CDBA6B2E |
| method | dot1x |
| client-iif-id | 3607103665 |
| vlan-id | 602 |
| cisco-wlan-ssid | Envision-AESC |
| wlan-profile-name | Envision-AESC |
Result
| RadiusPacketType | AccessReject |
Steps
| | 11001 | Received RADIUS Access-Request |
| | 11017 | RADIUS created a new session |
| | 15049 | Evaluating Policy Group |
| | 15008 | Evaluating Service Selection Policy |
| | 15048 | Queried PIP |
| | 15048 | Queried PIP |
| | 11507 | Extracted EAP-Response/Identity |
| | 12300 | Prepared EAP-Request proposing PEAP with challenge |
| | 12625 | Valid EAP-Key-Name attribute received |
| | 11006 | Returned RADIUS Access-Challenge |
| | 11001 | Received RADIUS Access-Request |
| | 11018 | RADIUS is re-using an existing session |
| | 12302 | Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated |
| | 12318 | Successfully negotiated PEAP version 0 |
| | 12800 | Extracted first TLS record; TLS handshake started |
| | 12805 | Extracted TLS ClientHello message |
| | 12814 | Prepared TLS Alert message |
| | 12817 | TLS handshake failed |
| | 12309 | PEAP handshake failed |
| | 12307 | PEAP authentication failed |
| | 12305 | Prepared EAP-Request with another PEAP challenge |
| | 11006 | Returned RADIUS Access-Challenge |
| | 11001 | Received RADIUS Access-Request |
| | 11018 | RADIUS is re-using an existing session |
| | 12304 | Extracted EAP-Response containing PEAP challenge-response |
| | 61025 | Open secure connection with TLS peer |
| | 11504 | Prepared EAP-Failure |
| | 11003 | Returned RADIUS Access-Reject |
| | 5434 | Endpoint conducted several failed authentications of the same scenario |
I have many PC terminals, and there are a batch of windows10 802.1x authentication failures. I have not found the specific reason. Other Androids, iphones, etc. are all certified without problems, why? This is one of the reasons for the error. Why do some PCs have problems with the same configuration, and some have no problems?
