12-06-2024 12:23 PM
I'm deploying Cisco ISE with Meraki to authenticate computers on Wi-Fi using EAP-TLS with a machine certificate.
When users click on the SSID, it completes the authentication and joins the network properly. If Windows computers try connecting automatically, I see ISE shows the hostname has host/ prepended to it. I have adjusted the advanced setting on ISE to rewrite host/[hostname].[domain] to [hostname].[domain], but this does not seem to fix the problem for me.
Also, this is the error, and after this the client will fail to connect automatically, so users must click on the SSID to join:
Event | 5440 Endpoint abandoned EAP session and started new |
Failure Reason | 5440 Endpoint abandoned EAP session and started new |
Resolution | Verify known NAD or supplicant issues and published bugs. Verify NAD and supplicant configuration. |
Root cause | Endpoint started new authentication while previous is still in progress. Most probable that supplicant on that endpoint stopped conducting the previous authentication and started the new one. Closing the previous authentication. |
12-06-2024 12:41 PM
The "host/" is what differentiates a machine auth from a user auth. It has to be there and there is nothing that has to be manipulated. The error suggests that you are not using certificates but still have Credential Guard enabled. The short-term solution is to disable Credential Guard, which can be done with GPOs. The long-term solution is to deploy certificates.
12-06-2024 01:06 PM - edited 12-06-2024 01:11 PM
I have disabled Credential Guard on a few test machines and that didn't help. We are using a machine certificate for authentication. We have a profile deployed to the computers so that they automatically connect when they are turned on, but they never complete the authentication by themselves without user interaction. As soon as users click on the SSID and confirm the connection, the process takes place. This is an example of a successful authentication when a user clicks to connect to the SSID:
24319 | Single matching account found in forest - xxxx.local | 0 | |
24323 | Identity resolution detected single matching account | 1 | |
24700 | Identity resolution by certificate succeeded - copany-AD | 0 | |
22037 | Authentication Passed | 0 | |
12506 | EAP-TLS authentication succeeded | 0 | |
61026 | Shutdown secure connection with TLS peer | 0 | |
15036 | Evaluating Authorization Policy | 0 | |
24209 | Looking up Endpoint in Internal Endpoints IDStore - company-machine@domain.local | 1 | |
24211 | Found Endpoint in Internal Endpoints IDStore | 37 | |
15048 | Queried PIP - Radius.User-Name | 1 | |
24433 | Looking up machine in Active Directory - company-machine@domain.local | ||
24355 | LDAP fetch succeeded | ||
24435 | Machine Groups retrieval from Active Directory succeeded | ||
15048 | Queried PIP - compay-AD.ExternalGroups | 3 | |
15016 | Selected Authorization Profile - PermitAccess | 0 | |
22081 | Max sessions policy passed | 0 | |
22080 | New accounting session created in Session cache | 0 | |
11503 | Prepared EAP-Success | 1 | |
11002 | Returned RADIUS Access-Accept |
12-08-2024 05:35 PM
If the user is prompted when trying to connect, it usually means that the supplicant is not configured to trust the Root CA certificate that signed the ISE EAP certificate.
You should confirm your supplicant settings to ensure you have ticked the proper Root CA certificate as per this example:
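One way to run the supplicant check suggested above against the deployed profile instead of the settings dialog, as an added example that is not part of the original reply. It assumes the profile was exported with `netsh wlan export profile`; the XML below is a constructed sample in that shape with a placeholder SSID, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample, shaped like `netsh wlan export profile` output for an
# EAP-TLS SSID. The SSID name is a placeholder; no root CA is selected.
SAMPLE_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
 <name>EXAMPLE-SSID</name>
 <connectionMode>auto</connectionMode>
 <MSM><security>
  <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
   <authMode>machine</authMode>
   <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
     <Type>13</Type>
     <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
      <ServerValidation>
       <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
       <ServerNames></ServerNames>
      </ServerValidation>
     </EapType></Eap></Config>
   </EapHostConfig></EAPConfig>
  </OneX>
 </security></MSM>
</WLANProfile>"""

def values(root, name):
    """Text of every element with this local name, ignoring XML namespaces."""
    return [(e.text or "").strip() for e in root.iter()
            if e.tag.rsplit("}", 1)[-1] == name]

def audit_profile(xml_text):
    """Return findings that would stop unattended machine EAP-TLS."""
    root = ET.fromstring(xml_text)
    findings = []
    if "auto" not in values(root, "connectionMode"):
        findings.append("connectionMode is not auto")
    if not set(values(root, "authMode")) & {"machine", "machineOrUser"}:
        findings.append("authMode does not allow machine authentication")
    if "13" not in values(root, "Type"):
        findings.append("EAP type 13 (EAP-TLS) not configured")
    if not any(values(root, "TrustedRootCA")):
        findings.append("no TrustedRootCA selected for server validation")
    return findings

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print("FINDING:", finding)
```

An empty result means the profile allows automatic machine authentication and names a root CA to validate the ISE EAP certificate against; whether that CA is the one that signed the ISE certificate still has to be compared by thumbprint.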
12-11-2024 03:23 AM
The problem could be in the authorization policy, as authentication is successful. Do you have the Domain Computers group under any of the authorization policies?
01-24-2025 10:36 AM
Yes, I have set up an authorization policy to check against the existence of the identity in the external identity source, which is my AD in this case.