Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
10532
Views
5
Helpful
8
Replies

Cisco ISE - Excessive "Misconfigured Supplicant Detected/Fixed" events

Go to solution
cjkaufman@dmgov.org
Level 1
Level 1

‎03-12-2015 12:50 PM - edited ‎03-10-2019 10:32 PM

I have noticed recently that I am getting a LOT of Misconfigured Supplicant Detected messages, followed anywhere from 3-6 hours later by a "fixed" message.  Example below:

Misconfigured Supplicant Detected with EndpointID=00:1B:77:xx:xx:xx from user=host/Example

Misconfigured Supplicant Detected with EndpointID=00:1B:77:xx:xx:xx is fixed.

 

I'm getting 100+ of these messages every day.   The amount of these messages doesn't seem normal to me.  I currently have my ISE deployment in Monitor mode, and I am guessing that if I was in Low-impact mode, I would be getting many calls about user authentication failures every day.

Anyone have any insight/advise on this?

thx

 

 

 

5 people had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
hafiez_abn
Level 1
Level 1
In response to hafiez_abn

‎12-16-2016 04:12 AM

Hi ...i found the solution with disabling the anamalous in the admin>setting>protocol>radius..

https://supportforums.cisco.com/document/12501851/configuring-anomalous-client-suppression-ise

 thx cisco community

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee

‎03-12-2015 05:27 PM

What version of ISE are you running on?

Is this error occurring for same endpoints all the time?

Do you have client suppression feature enable on ISE?

 

Regards,

Jatin

~Jatin
0 Helpful

Go to solution
cjkaufman@dmgov.org
Level 1
Level 1
In response to Jatin Katyal

‎03-13-2015 09:55 AM

What version of ISE are you running on?

Version:1.3.0.876
Patch Information:1

Is this error occurring for same endpoints all the time?

I ran a report on misconfigured supplicants over the past week and discovered that of the 92 offenders 71 are wireless clients using Intel wireless NICs and 21 are connected to a WS-C3560-48PS switch running 12.2(55)SE9.  I cannot get a 15.x image on it because of flash memory limitations.

Do you have client suppression feature enable on ISE?

I have Anomalous client suppression enabled for logging.

Are there known issues with Intel NICs?  There are 4 different Intel MACs among the 71 wireless clients. 

0 Helpful

Go to solution
Venkatesh Attuluri
Cisco Employee
Cisco Employee
In response to cjkaufman@dmgov.org

‎03-17-2015 07:39 AM

click on misconfigured supplicant in operations  and a new page will open with details like failure reason etc can you paste that output here
 

0 Helpful

Go to solution
hafiez_abn
Level 1
Level 1
In response to cjkaufman@dmgov.org

‎12-16-2016 02:40 AM

Hi Bransom,

Do you still encounter this problem, i also have same issue. 

At some point, there is no workaround to solved this problem unless waiting several minutes or hour and the endpoint fixed itself. 

using ise v2.0.1.130..

regards.

 

0 Helpful

Go to solution
hafiez_abn
Level 1
Level 1
In response to hafiez_abn

‎12-16-2016 04:12 AM

Hi ...i found the solution with disabling the anamalous in the admin>setting>protocol>radius..

https://supportforums.cisco.com/document/12501851/configuring-anomalous-client-suppression-ise

 thx cisco community

0 Helpful

Go to solution
mohanak
Cisco Employee
Cisco Employee

‎03-12-2015 11:17 PM

Alarms notify you of critical conditions on a network and are displayed in the Alarms dashlet. They also provide information on system activities, such as data purge events. You can configure how you want to be notified about system activities, or disable them entirely. You can also configure the threshold for certain alarms.

Alarms do not have an associated schedule and are sent immediately after an event occurs. At any given point in time, only the latest 15,000 alarms are retained.

If the event re-occurs, then the same alarms are suppressed for a minimum duration of two hours. During the time that the event re-occurs, depending up on the trigger, it may take up to three hours for the alarms to re-appear.


http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_mnt.html#61701

Alarm Name
Alarm Description
Alarm Resolution

Misconfigured Supplicant Detected

Cisco ISE has detected mis-configured supplicant on the network

Ensure that the configuration on Supplicant is correct.

Go to solution
cchubb
Level 1
Level 1

‎07-30-2018 10:50 AM

With hundreds of messages per day i found the easiest fix was to disable the alarm notification for this.

 

Go to Administration/System/Settings


Go to Alarm Settings and select the "Misconfigured Supplicant Detected" button then click "Edit"

Select the "Disable" drop down.

 

Submit the changes.

 

Hope this helps

Chris

 

 

0 Helpful

Go to solution
Kirk
Level 1
Level 1
In response to cchubb

‎09-05-2018 08:24 AM - last edited on ‎09-05-2018 09:04 AM by Cisco Employee

Disabling the alarm, that sounds like what a customer did.  They were getting notifications of breaches but were ignoring the alarms.  I think it would be better to solve the problem.  Though we all have our priorities, I understand if it falls low on the priority list, I'm just saying ignoring it may not be the best option.

 

-Kirk  

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents