Cisco ISE Multiple usernames for same MAC address

Geert Reijnders
Level 1

Hi all,

I have a problem. We have an SSID to which users can authenticate if they are in a particular AD group and if their MAC address is in an endpoint identity group. However, when I take a look at the RADIUS live log I see one MAC address with multiple usernames.

event:  5440 Endpoint abandoned EAP session and started new

failure reason: 24408 User authentication against Active Directory failed since user has entered the wrong password

The AD username and password are correct.

We use ISE 2.7 and the WLC to which the client is authenticating is a WLC 5508 with firmware version 8.5.151.0

Does anyone have an idea where this is coming from?

3 Replies

Hi,

Are you running dot1x for the AP? Also, what authentication are you using on the switch port: multi-auth or single-auth?

***** please remember to rate useful posts

Hi Mohammed,

No, we are not running 802.1X for the AP itself. Just for the users authenticating to one of the SSIDs.

hslai
Cisco Employee

On the AD username and password being correct while getting the failure reason 24408: please go to the ISE dashboard, click on the number of rejected endpoints, and see if the MAC address is shown in the filtered list. If so, then manually release it from rejected before attempting more authentications.

On one MAC address with multiple usernames: if you are not using any chained authentication (e.g. EAP Chaining), then there appears to be some potential for MAC spoofing. I would suggest verifying it with over-the-air packet captures. It is good to verify it on the 802.1X supplicant side of the endpoint as well.
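
A triage check for the "one MAC address, multiple usernames" pattern discussed in this thread, as an added example that is not part of any post: it groups authentication records by normalized MAC and reports MACs seen with more than one distinct username. The CSV column names, the sample rows and the function names are constructed assumptions, not a documented ISE export format.

```python
import csv, io, re
from collections import defaultdict

# Constructed sample rows. The column names are an assumed export layout
# (RADIUS attribute names), not a documented ISE report format.
SAMPLE_CSV = """Calling-Station-Id,User-Name,Failure-Reason
AA-BB-CC-11-22-33,CORP\\alice,
aa:bb:cc:11:22:33,alice@corp.example,
aabb.cc11.2233,bob,24408
AA-BB-CC-11-22-33,anonymous,
11-22-33-44-55-66,carol,
11-22-33-44-55-66,CAROL,24408
"""

def norm_mac(value):
    """Reduce any common MAC notation to 12 lowercase hex digits, or None."""
    digits = re.sub(r"[^0-9a-fA-F]", "", value)
    return digits.lower() if len(digits) == 12 else None

def norm_user(value):
    """Strip a domain prefix or realm suffix so one account has one spelling."""
    user = value.strip().lower()
    return user.split("\\")[-1].split("@")[0]

def usernames_per_mac(csv_text, ignore=("anonymous", "")):
    """Map each MAC to its distinct usernames and its count of 24408 failures."""
    users, failures = defaultdict(set), defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        mac = norm_mac(row["Calling-Station-Id"])
        if mac is None:
            continue  # not a MAC-shaped caller id, nothing to group on
        user = norm_user(row["User-Name"])
        # Skip anonymous outer identities and MAB, where the username is the MAC.
        if user not in ignore and norm_mac(user) != mac:
            users[mac].add(user)
        if row["Failure-Reason"].strip() == "24408":
            failures[mac] += 1
    return users, failures

def suspicious_macs(csv_text):
    """Return {mac: (sorted usernames, 24408 count)} for MACs with >1 username."""
    users, failures = usernames_per_mac(csv_text)
    return {mac: (sorted(names), failures[mac])
            for mac, names in users.items() if len(names) > 1}

if __name__ == "__main__":
    for mac, (names, failed) in suspicious_macs(SAMPLE_CSV).items():
        print(mac, names, "24408 failures:", failed)
```

With chained authentication a machine identity and a user identity on one MAC are expected, so a hit from this check still needs the packet-capture and supplicant-side verification suggested above.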