12-23-2020 05:43 AM
Hi all,
I have a problem. We have an SSID to which users can authenticate if they are in a particular AD group and if their MAC address is in an endpoint identity group. However, when I take a look at the RADIUS live log I see one MAC address with multiple usernames..
event: 5440 Endpoint abandoned EAP session and started new
failure reason: 24408 User authentication against Active Directory failed since user has entered the wrong password
The AD username and password are correct.
We use ISE 2.7 and the WLC to which the client is authenticating is a WLC 5508 with firmware version 8.5.151.0
Does anyone have an idea where this is coming from?
12-24-2020 12:04 AM
01-03-2021 11:46 PM
Hi Mohammed,
No, we are not running 802.1X for the AP itself, just for the users authenticating to one of the SSIDs.
12-27-2020 12:18 AM
On the AD username and password are correct while getting the failure reason 24408, please go to ISE dashboard, click on the number of the rejected endpoints, and see if the MAC address is shown in the filtered list. If so, then manually release it from rejected before attempting more authentications.
On one MAC address with multiple usernames, if you are not using any chained authentication (e.g. EAP Chaining), then there appears to be some potential for MAC spoofing. I would suggest verifying it with over-the-air packet captures. It is good to verify it on the 802.1X supplicant side of the endpoint as well.
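To spot the one-MAC-many-usernames pattern discussed above before the live log scrolls away, here is an added detection script; it is not from this thread or an ISE tool, and it assumes live-log rows have been exported as (timestamp, calling-station-id, username, result, event/failure code) tuples. The sample records are constructed.

```python
from collections import defaultdict

# Constructed sample records in the shape of ISE RADIUS live-log fields (not a real export):
# (timestamp, calling-station-id, username, result, event or failure code)
SAMPLE_LOG = [
    ("2020-12-23 05:30:01", "AA:BB:CC:11:22:33", "alice", "PASS", ""),
    ("2020-12-23 05:30:07", "AA:BB:CC:11:22:33", "bob", "FAIL", "24408"),
    ("2020-12-23 05:30:09", "aabb.cc11.2233", "alice", "FAIL", "5440"),
    ("2020-12-23 05:31:15", "AA:BB:CC:44:55:66", "carol", "PASS", ""),
    ("2020-12-23 05:32:40", "aa-bb-cc-11-22-33", "dave", "FAIL", "24408"),
]

def normalize_mac(mac):
    """Normalise the MAC formats seen in logs (aa-bb-.., aabb.cc.., AA:BB:..) to AA:BB:CC:DD:EE:FF."""
    hexdigits = "".join(ch for ch in mac if ch.isalnum()).upper()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def usernames_per_mac(records):
    """Map each normalised MAC to the set of usernames it authenticated with."""
    seen = defaultdict(set)
    for _ts, mac, user, _result, _code in records:
        seen[normalize_mac(mac)].add(user)
    return seen

def find_shared_macs(records, threshold=2):
    """Return MACs tied to at least `threshold` distinct usernames (candidates for spoofing review)."""
    return {mac: sorted(users)
            for mac, users in usernames_per_mac(records).items() if len(users) >= threshold}

def count_failure_codes(records, mac):
    """Count FAIL rows for one MAC per code, e.g. 24408 (wrong AD password) or 5440 (abandoned EAP)."""
    counts = defaultdict(int)
    target = normalize_mac(mac)
    for _ts, rec_mac, _user, result, code in records:
        if result == "FAIL" and normalize_mac(rec_mac) == target:
            counts[code] += 1
    return dict(counts)

if __name__ == "__main__":
    for mac, users in find_shared_macs(SAMPLE_LOG).items():
        print(f"{mac}: usernames {users}, failures by code {count_failure_codes(SAMPLE_LOG, mac)}")
```

A MAC flagged here is a lead for the over-the-air capture and supplicant-side check suggested above, not proof of spoofing on its own.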