EAP-TLS / PEAP authentication failing, Cisco ISE 2.7

Tutu
Level 1

Hi guys, I keep getting this error message when trying to authenticate user and machine. It worked fine before, but now it gives me this error.

I am not sure what is going on.

Overview
Event 5440 Endpoint abandoned EAP session and started new
Username \tempadmin
Endpoint Id E8:D8:D1:40:35:DD
Endpoint Profile
Authentication Policy Wired
Authorization Policy Wired
Authorization Result

Authentication Details
Source Timestamp 2021-01-28 10:48:42.487
Received Timestamp 2021-01-28 10:48:42.487
Policy Server -ISE-PAN
Event 5440 Endpoint abandoned EAP session and started new
Failure Reason 5440 Endpoint abandoned EAP session and started new
Resolution Verify known NAD or supplicant issues and published bugs. Verify NAD and supplicant configuration.
Root cause Endpoint started new authentication while previous is still in progress. Most probable that supplicant on that endpoint stopped conducting the previous authentication and started the new one. Closing the previous authentication.
Username \tempadmin
Endpoint Id E8:D8:D1:40:35:DD
IPv4 Address 10.100.105.73
Authentication Protocol PEAP
Network Device Test_Switch
Device Type All Device Types#Wired
Location All Locations#test_switch
NAS IPv4 Address 10.200.208.100
NAS Port Id GigabitEthernet1/0/10
NAS Port Type Ethernet

Other Attributes
ConfigVersionId 1597
AcsSessionID -ISE-PAN/400522847/105868
NAS-Port 50110
CPMSessionID 0AC8D064000000210F5A7666
EndPointMACAddress E8-D8-D1-40-35-DD
EapChainingResult No chaining
ISEPolicySetName Wired
StepLatency 74=18042
TLSCipher ECDHE-RSA-AES256-GCM-SHA384
TLSVersion TLSv1.2
DTLSSupport Unknown
Network Device Profile Cisco
Location Location#All Locations#test_switch
Device Type Device Type#All Device Types#Wired
IPSEC IPSEC#Is IPSEC Device#No
Device IP Address 10.200.208.100

Result
RadiusPacketType Drop


Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - DEVICE.Device Type
15048 Queried PIP - DEVICE.Location
11507 Extracted EAP-Response/Identity
12100 Prepared EAP-Request proposing EAP-FAST with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12300 Prepared EAP-Request proposing PEAP with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12808 Prepared TLS ServerKeyExchange message
12810 Prepared TLS ServerDone message
12811 Extracted TLS Certificate message containing client certificate
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12318 Successfully negotiated PEAP version 0
12812 Extracted TLS ClientKeyExchange message
12813 Extracted TLS CertificateVerify message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12310 PEAP full handshake finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12313 PEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
5440 Endpoint abandoned EAP session and started new ( [step latency=18042 ms] Step latency=18042 ms)

18 Replies

Mike.Cifelli
VIP Alumni

Event 5440 Endpoint abandoned EAP session and started new

Typically, from my experience, this means that your client supplicant is not finishing the entire process. Usually this is due to misconfiguration.

You can see ISE prepares the EAP-Request (step 12100), sends it back to the client via a challenge (11006), but then receives another Access-Request (11001). In the new request your client is asking to use PEAP instead (step 12301).

12100 Prepared EAP-Request proposing EAP-FAST with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session
12301 Extracted EAP-Response/NAK requesting to use PEAP instead

What supplicant are you using (native or NAM)? Please verify the client-side supplicant configs. HTH!

I'm using the native supplicant.

Mike.Cifelli
VIP Alumni

Just so you know, EAP-FAST is a Cisco proprietary protocol and only works with the NAM supplicant. In order to support native supplicant EAP chaining with EAP-TEAP (industry standard) you need at least ISE 2.7 with Windows 10 build 2004 (May 2020). See here:

Using TEAP for EAP Chaining – Cisco ISE Tips, Tricks, and Lessons Learned (ise-support.com)

HTH!

Hi @Tutu,

ISE sent the Access-Challenge but did not receive a response after 18 sec:

12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge

5440 Endpoint abandoned EAP session and started new ( [step latency=18042 ms] Step latency=18042 ms)

Could you please double-check on the NAD whether the RADIUS Access-Challenge was received (e.g. with debug radius)?

Hope this helps!!!
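As an added example (not code from the thread, from Cisco, or from ISE), the small Python analyzer below reads pasted ISE "Steps" lines and surfaces the two things the replies above read off by eye: which outer EAP method the supplicant NAKed (EAP-FAST to PEAP here) and which challenge ISE sent last before the 5440 abandonment, with its step latency. The sample steps are a constructed abbreviation of the log in the original post; the 10 s stall threshold is an assumption.

```python
import re
# Constructed sample, abbreviated from the ISE "Steps" section quoted in the thread.
SAMPLE_STEPS = """\
12100 Prepared EAP-Request proposing EAP-FAST with challenge
11006 Returned RADIUS Access-Challenge
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
12816 TLS handshake succeeded
12313 PEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
5440 Endpoint abandoned EAP session and started new ( [step latency=18042 ms] Step latency=18042 ms)
"""

STEP_RE = re.compile(r"^(\d+)\s+(.*)$")
LATENCY_RE = re.compile(r"step latency=(\d+) ms", re.IGNORECASE)
PROPOSE_RE = re.compile(r"proposing (\S+) with challenge")
NAK_RE = re.compile(r"requesting to use (\S+) instead")

def parse_steps(text):
    """Return [(step_code, message), ...] from pasted ISE step lines; skips non-step lines."""
    matches = (STEP_RE.match(line.strip()) for line in text.splitlines())
    return [(int(m.group(1)), m.group(2)) for m in matches if m]

def analyze(text, stall_threshold_ms=10000):
    """Summarise which outer methods the supplicant rejected and where it went silent."""
    report = {"naks": [], "tls_ok": False, "inner_started": False,
              "abandoned": False, "stall_ms": None, "last_server_step": None}
    proposed = last_prepared = None
    for code, msg in parse_steps(text):
        if code in (12100, 12300):      # ISE proposed an outer EAP method
            proposed = PROPOSE_RE.search(msg).group(1)
        elif code == 12301:             # supplicant NAKed it and asked for another
            report["naks"].append((proposed, NAK_RE.search(msg).group(1)))
        elif code == 12816:             # outer TLS tunnel completed
            report["tls_ok"] = True
        elif code == 12313:             # inner (tunneled) method began
            report["inner_started"] = True
        elif code == 5440:              # endpoint abandoned the session
            report["abandoned"] = True
            lat = LATENCY_RE.search(msg)
            report["stall_ms"] = int(lat.group(1)) if lat else None
            report["last_server_step"] = last_prepared
        if msg.startswith("Prepared"):  # remember the last thing ISE sent
            last_prepared = (code, msg)
    report["stalled"] = (report["stall_ms"] or 0) >= stall_threshold_ms
    return report
```

For the sample, the report shows the NAK pair ("EAP-FAST", "PEAP"), a completed TLS tunnel with the inner method started, and step 12305 as the last challenge ISE sent before the 18042 ms silence.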

We see this a lot when wireless clients are on the move and eventually move out of range of the wifi signal.

In addition, if you ALWAYS see this and are unable to connect clients even when in range, then check the MTU on the L3 interface on which the ISE PSN is connected. It must be 1500 bytes because ISE does not support jumbo frames. If the SVI's MTU is > 1500 then it will allow larger certificate payloads and this will break the ISE TLS negotiation at the point where a large cert chain is exchanged ... TLS breaks down at that point.

Hello, this is for wired. I have checked the MTU of the switch and it is set to 1500, but I am still facing the same issue.

Source Timestamp 2021-02-04 09:58:32.671
Received Timestamp 2021-02-04 09:58:32.671
Policy Server -ISE-PAN
Event 5440 Endpoint abandoned EAP session and started new
Failure Reason 5440 Endpoint abandoned EAP session and started new
Resolution Verify known NAD or supplicant issues and published bugs. Verify NAD and supplicant configuration.
Root cause Endpoint started new authentication while previous is still in progress. Most probable that supplicant on that endpoint stopped conducting the previous authentication and started the new one. Closing the previous authentication.
Username \tempadmin
Endpoint Id BC:E9:2F:B1:66:51
IPv4 Address 10.100.105.55
Authentication Protocol PEAP
Network Device Test_Switch
Device Type All Device Types#Wired
Location All Locations#test_switch
NAS IPv4 Address 10.200.208.100
NAS Port Id GigabitEthernet1/0/11

Mike.Cifelli
VIP Alumni

Please share your native supplicant configuration so we can further/better assist.

Please see the native supplicant configuration below. It just doesn't seem to hit the dot1x authentication policy and goes straight to MAB.

Hello @Tutu

Minor point, but why does your 802.1X Authentication Policy have an "If auth fail" Continue? That is not usual and not recommended unless you know what you're doing. Likewise for "If user not found" Continue - that is to be used in MAB only.

It's a personal decision, but I don't like lumping 802.1X and MAB into the same Policy Set. Yes it can be done, but ISE will be doing more unnecessary checks and I believe it's cleaner to separate out 802.1X and MAB from the very first packet received. The Policy Set might not be the issue here, but it helps to separate this out to avoid any ambiguity.

In the case of your Wired Condition "DEVICE Equals #Wired" - I would substitute that with the built-in Condition as below - if the overall condition matches, then you don't need to keep testing it again in Authentication and Authorization rules:

[image: wired.png]

In Authentication you would check against your Identity Source Sequence (which should probably only check AD and nothing else? Why check Internal Endpoints for 802.1X?)

And in Authorization you can check against your AD Security Groups etc.

Then create another Policy Set for Wired MAB, and use the Condition:

[image: wired mab.png]

For MAB authentication ensure that if User Not Found you set it to Continue - leave the other settings alone. For Allowed Protocols I always create a separate one - it should only be "Process Host Lookup"; uncheck all the others.

If you narrow it down like this then you can see where ISE is going.

And then also check your switch port config. Perhaps there is a timer/sync issue. It seems that the supplicant starts an EAPOL conversation and then something happens on the switch to cause the process to start again?

Provide us a

show run int xxx

and also

show derived int xxx

Hello, please see below.

sh run int gig1/0/11
Building configuration...

Current configuration : 779 bytes
!
interface GigabitEthernet1/0/11
switchport access vlan 105
switchport mode access
switchport voice vlan 301
ip device tracking maximum 65535
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
storm-control broadcast level 25.00
storm-control multicast level 25.00
storm-control unicast level 25.00
spanning-tree portfast edge
end

............................................................

show derived int gigabitEthernet 1/0/11
Building configuration...

Derived configuration : 779 bytes
!
interface GigabitEthernet1/0/11
switchport access vlan 105
switchport mode access
switchport voice vlan 301
ip device tracking maximum 65535
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 10
storm-control broadcast level 25.00
storm-control multicast level 25.00
storm-control unicast level 25.00
spanning-tree portfast edge
end

I also keep getting this error, and the passwords on ISE and the switch are exactly the same.

Overview
Event 5400 Authentication failed
Username radius-test
Endpoint Id
Endpoint Profile
Authentication Policy Wired
Authorization Policy Wired
Authorization Result

Authentication Details
Source Timestamp 2021-02-05 07:03:02.821
Received Timestamp 2021-02-05 07:03:02.821
Policy Server -ISE-PAN
Event 5400 Authentication failed
Failure Reason 22040 Wrong password or invalid shared secret
Resolution Check the Device shared secret in Administration > Network Resources > Network Devices and user for credentials.
Root cause Wrong password or invalid shared secret
Username radius-test
Authentication Method PAP_ASCII
Authentication Protocol PAP_ASCII
Service Type Login
Network Device Test_Switch
Device Type All Device Types#Wired
Location All Locations#-HQ
NAS IPv4 Address 10.200.208.23
Response Time 4 milliseconds

Other Attributes
ConfigVersionId 1567
Device Port 1645
DestinationPort 1645
RadiusPacketType AccessRequest
Protocol Radius
NetworkDeviceProfileId b0699505-3150-4215-a80e-6753d45bf56c
IsThirdPartyDeviceFlow false
AcsSessionID -ISE-PAN/401212985/87391
DetailedInfo UserPassword is corrupted
ISEPolicySetName Wired
DTLSSupport Unknown
Network Device Profile Cisco
Location Location#All Locations#-HQ
Device Type Device Type#All Device Types#Wired
IPSEC IPSEC#Is IPSEC Device#No
RADIUS Username radius-test
Device IP Address 10.200.208.23
CPMSessionID 0ac8de52mfNd5y/MB4wyhtVLoSmSPBgWHsH9j0M4ZAV9CvRqN8o

Result
RadiusPacketType AccessReject
AuthenticationResult Failed


Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11117 Generated a new session ID
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - DEVICE.Device Type
22040 Wrong password or invalid shared secret
22002 Authentication complete
11003 Returned RADIUS Access-Reject

Hi @Tutu

Do you have radius-server attribute 6 on-for-login-auth configured on your switch? Because neither your custom 802.1X rule nor your custom MAB rule have hits, only the default authentication rule. For me that indicates that the service type attribute is missing.

Hello,

Yes, I do have it:

radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3

Only MAB and default keep getting hits, but not dot1x.

Tutu
Level 1

Okay, so I at least know what is going on.

When I connect a PC that has AnyConnect Network Access Manager, it goes through the dot1x process and even authorizes the machine.

But when I remove the Network Access Manager, it brings up the error.

I do not require AnyConnect NAM.

How do I go about this?
