Solved: Authentication failed "5440 Endpoint abandoned EAP session and started new" error

welmjendel · ‎09-30-2017

Hello Guys,

i faced this error "5440 Endpoint abandoned EAP session and started new"when users try to authoticate to network ( wired 802.1X) with ISE 2.3 .

FYI: before rebooting client machine users can authenticate normaly to the network.

In event manager on windows 10 i have this error: "Unable to identify a user for 802.1X authentication"

any idea please ???

Regards,

walwar · ‎11-15-2018

@raam, the "authentication mac-move permit" is on the switch side, and disabling the "EAP-TLS L-bit" is on the ISE side. What is the problem you're having?

View solution in original post

Mohammed al Baqari · ‎09-30-2017

Hi,

When the users stop responding to EAP reauthentication or start authentication while the NAD already have existing session, this message gets generated. Exmaple, when the endpoint hibernate and comes back online.

On the switch try the command 'authentication mac-move permit'. This will enable the NAD to terminate the existing 802.1x session and starts new one when a request is received while there is an existing session for the endpoint.

Also, there are couple of bugs related to windows 7 which can generate this message on ISE. Worth checking if they are applicable to windows 10. Here you go.

https://supportforums.cisco.com/t5/security-blogs/getting-past-intermittent-unexplained-802-1x-problems-on-windows/ba-p/3104109

Please remeber to rate useful posts.

welmjendel · ‎10-01-2017

thank you for your response !

i will see tomorrow this command can resolve the problem or not.

Mohammed al Baqari · ‎10-01-2017

To set the expectations, the log will still pop but machine should
authenticate with this command

welmjendel · ‎10-02-2017

hi,

the problem persist with this command.

Regards,

welmjendel · ‎10-02-2017

hello,

it works fine with NAM cisco Annyconnect.

Regards,

Mohammed al Baqari · ‎10-02-2017

Can you create the issue or is it random? Did you try to install the
hotfixes which I mentioned.

Dikkia · ‎10-06-2017

go to:
policy > resoult > AUTHENTICATION > allowed protocol > default Network access and DISABLE "EAP-TLS L-bit" under "allow eap-ttls"

Let me know if this will fix your problem

rps.soares · ‎06-28-2018

And news in this issue? Did it solve the problem of disconnections?

Dikkia · ‎07-03-2018

as said in the previus post, disabiling "eap-tls l-bit" fixed the problem for me.
rgds

slizarraga · ‎08-15-2019

It also worked for me

raamin · ‎11-15-2018

Hi Can you please tell me which place are you telling this settings on PC or on ISE side?

Thanks

walwar · ‎11-15-2018

@raam, the "authentication mac-move permit" is on the switch side, and disabling the "EAP-TLS L-bit" is on the ISE side. What is the problem you're having?

azzawim · ‎03-10-2020

Hey ,

I have the same issue as mentioned before but its between ISE and Xerox printer and between them there is a meraki SW .so on meraki SW the printer cannot get an dynamic IP address with the same error 5440 .

please let me know what can i do

Vitus · ‎02-03-2021

I ✔ "EAP-TLS L-bit" on the ISE side, it worked. I dont know why. I just update the agent resources from cisco site. And then appeared this same case.