I have noticed recently that I am getting a LOT of Misconfigured Supplicant Detected messages, followed anywhere from 3-6 hours later by a "fixed" message. Example below:
Misconfigured Supplicant Detected with EndpointID=00:1B:77:xx:xx:xx from user=host/Example
Misconfigured Supplicant Detected with EndpointID=00:1B:77:xx:xx:xx is fixed.
I'm getting 100+ of these messages every day. The number of these messages doesn't seem normal to me. I currently have my ISE deployment in Monitor mode, and I am guessing that if I was in Low-impact mode, I would be getting many calls about user authentication failures every day.
Anyone have any insight/advice on this?
What version of ISE are you running on?
Is this error occurring for same endpoints all the time?
I ran a report on misconfigured supplicants over the past week and discovered that of the 92 offenders 71 are wireless clients using Intel wireless NICs and 21 are connected to a WS-C3560-48PS switch running 12.2(55)SE9. I cannot get a 15.x image on it because of flash memory limitations.
Do you have the client suppression feature enabled on ISE?
I have Anomalous client suppression enabled for logging.
Are there known issues with Intel NICs? There are 4 different Intel MACs among the 71 wireless clients.
Alarms notify you of critical conditions on a network and are displayed in the Alarms dashlet. They also provide information on system activities, such as data purge events. You can configure how you want to be notified about system activities, or disable them entirely. You can also configure the threshold for certain alarms.
If the event re-occurs, then the same alarms are suppressed for a minimum duration of two hours. During the time that the event re-occurs, depending upon the trigger, it may take up to three hours for the alarms to re-appear.
Misconfigured Supplicant Detected
With hundreds of messages per day I found the easiest fix was to disable the alarm notification for this.
Go to Administration/System/Settings
Go to Alarm Settings and select the "Misconfigured Supplicant Detected" button then click "Edit"
Select the "Disable" drop down.
Submit the changes.
Hope this helps
Disabling the alarm, that sounds like what a customer did. They were getting notifications of breaches but were ignoring the alarms. I think it would be better to solve the problem. Though we all have our priorities, I understand if it falls low on the priority list, I'm just saying ignoring it may not be the best option.
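Added example, not part of the thread and not Cisco code: one way to triage these alarms instead of silencing them is to group the exported messages by endpoint and by OUI (as the week-long report above did by hand) and list endpoints whose latest detection has no later "fixed" message. It assumes the alarm text is available one message per line in the two shapes quoted in the first post; the MAC addresses and user names in `SAMPLE` are constructed.

```python
import re
from collections import Counter

# Message shapes taken from the two alarm lines quoted in the thread.
# The thread masks the MAC ("xx"); real exports are assumed to carry full hex.
MAC = r"(?P<mac>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})"
DETECTED = re.compile(
    r"Misconfigured Supplicant Detected with EndpointID=" + MAC
    + r" from user=(?P<user>\S+)")
FIXED = re.compile(
    r"Misconfigured Supplicant Detected with EndpointID=" + MAC + r" is fixed")

def summarize(lines):
    """Return (alarms per endpoint, distinct endpoints per OUI, unresolved endpoints)."""
    per_endpoint = Counter()
    unresolved = {}  # mac -> user from the latest detection with no later "fixed"
    for line in lines:
        m = DETECTED.search(line)
        if m:
            mac = m.group("mac").upper()
            per_endpoint[mac] += 1
            unresolved[mac] = m.group("user")
            continue
        m = FIXED.search(line)
        if m:
            unresolved.pop(m.group("mac").upper(), None)
    # The first three octets identify the NIC vendor; count endpoints, not alarms.
    per_oui = Counter(mac[:8] for mac in per_endpoint)
    return per_endpoint, per_oui, unresolved

# Constructed sample input (not real alarm data).
SAMPLE = [
    "Misconfigured Supplicant Detected with EndpointID=00:1B:77:00:00:01 from user=host/Example",
    "Misconfigured Supplicant Detected with EndpointID=00:1B:77:00:00:02 from user=host/Example2",
    "Misconfigured Supplicant Detected with EndpointID=00:1B:77:00:00:01 is fixed.",
    "Misconfigured Supplicant Detected with EndpointID=02:00:00:00:00:0a from user=host/Example3",
    "Misconfigured Supplicant Detected with EndpointID=00:1B:77:00:00:01 from user=host/Example",
    "Misconfigured Supplicant Detected with EndpointID=02:00:00:00:00:0a is fixed.",
]

if __name__ == "__main__":
    per_endpoint, per_oui, unresolved = summarize(SAMPLE)
    for oui, count in per_oui.most_common():
        print(f"OUI {oui}: {count} distinct endpoint(s)")
    for mac, count in per_endpoint.most_common():
        state = "unresolved" if mac in unresolved else "fixed"
        print(f"{mac}: {count} alarm(s), {state}")
```

Endpoints that alarm repeatedly, or that cluster under one OUI or one switch, are the ones to check for supplicant, driver or switch configuration problems before moving out of Monitor mode.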