01-28-2021 02:53 AM
Hi guys, I keep getting this error message when trying to authenticate user and machine. It worked fine before, but now it gives me this error.
I am not sure what is going on.
Overview
Event 5440 Endpoint abandoned EAP session and started new
Username \tempadmin
Endpoint Id E8:D8:D1:40:35:DD
Endpoint Profile
Authentication Policy Wired
Authorization Policy Wired
Authorization Result
Authentication Details
Source Timestamp 2021-01-28 10:48:42.487
Received Timestamp 2021-01-28 10:48:42.487
Policy Server -ISE-PAN
Event 5440 Endpoint abandoned EAP session and started new
Failure Reason 5440 Endpoint abandoned EAP session and started new
Resolution Verify known NAD or supplicant issues and published bugs. Verify NAD and supplicant configuration.
Root cause Endpoint started new authentication while previous is still in progress. Most probable that supplicant on that endpoint stopped conducting the previous authentication and started the new one. Closing the previous authentication.
Username \tempadmin
Endpoint Id E8:D8:D1:40:35:DD
IPv4 Address 10.100.105.73
Authentication Protocol PEAP
Network Device Test_Switch
Device Type All Device Types#Wired
Location All Locations#test_switch
NAS IPv4 Address 10.200.208.100
NAS Port Id GigabitEthernet1/0/10
NAS Port Type Ethernet
Other Attributes
ConfigVersionId 1597
AcsSessionID -ISE-PAN/400522847/105868
NAS-Port 50110
CPMSessionID 0AC8D064000000210F5A7666
EndPointMACAddress E8-D8-D1-40-35-DD
EapChainingResult No chaining
ISEPolicySetName Wired
StepLatency 74=18042
TLSCipher ECDHE-RSA-AES256-GCM-SHA384
TLSVersion TLSv1.2
DTLSSupport Unknown
Network Device Profile Cisco
Location Location#All Locations#test_switch
Device Type Device Type#All Device Types#Wired
IPSEC IPSEC#Is IPSEC Device#No
Device IP Address 10.200.208.100
Result
RadiusPacketType Drop
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - DEVICE.Device Type
15048 Queried PIP - DEVICE.Location
11507 Extracted EAP-Response/Identity
12100 Prepared EAP-Request proposing EAP-FAST with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12300 Prepared EAP-Request proposing PEAP with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12808 Prepared TLS ServerKeyExchange message
12810 Prepared TLS ServerDone message
12811 Extracted TLS Certificate message containing client certificate
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12318 Successfully negotiated PEAP version 0
12812 Extracted TLS ClientKeyExchange message
12813 Extracted TLS CertificateVerify message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12310 PEAP full handshake finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12313 PEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
5440 Endpoint abandoned EAP session and started new ( [step latency=18042 ms] Step latency=18042 ms)
01-28-2021 05:51 AM - edited 01-28-2021 05:52 AM
Event 5440 Endpoint abandoned EAP session and started new
-Typically from my experience this means that your client supplicant is not finishing the entire process. Usually this is due to misconfiguration.
You can see ISE prepares EAP-Req (step 12100), sends it back to client via challenge (11006), but then receives another Access-Request (11001). In the new request your client is asking to use PEAP instead (step 12301).
12100 Prepared EAP-Request proposing EAP-FAST with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
What supplicant are you using (native or nam)? Please verify client side supplicant configs. HTH!
01-28-2021 05:58 AM
I'm using the native supplicant.
01-28-2021 06:40 AM
Just so you know EAP-FAST is a Cisco proprietary protocol and only works with the NAM supplicant. In order to support native supplicant eap-chaining with EAP-TEAP (industry standard) you need at least ISE 2.7 with Windows 10 build 2004 (May 2020). See here:
Using TEAP for EAP Chaining – Cisco ISE Tips, Tricks, and Lessons Learned (ise-support.com)
HTH!
01-28-2021 08:02 AM
Hi @Tutu
ISE sent the Access-Challenge but did not receive a response after 18sec:
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
5440 Endpoint abandoned EAP session and started new ( [step latency=18042 ms] Step latency=18042 ms)
Could you please double check on the NAD if the RADIUS Access-Challenge was received (for ex.: debug radius)?
Hope this helps !!!
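As an added example (not code from this thread or from Cisco ISE), here is a small Python parser for the ISE "Steps" block that pulls out the two signals the replies above reason from: the EAP-Response/NAK against the method ISE proposed (step 12301), and the step latency on the 5440 event when ISE's last action was an Access-Challenge the client never answered. The sample step list is constructed to mirror the report in this thread.

```python
import re

# Constructed sample modelled on the 5440 report in this thread: an abbreviated
# ISE "Steps" list in the page's own line format (code, text, latency annotation).
SAMPLE_STEPS = """\
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
12100 Prepared EAP-Request proposing EAP-FAST with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
12816 TLS handshake succeeded
12313 PEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
5440 Endpoint abandoned EAP session and started new ( [step latency=18042 ms] Step latency=18042 ms)
"""

STEP_RE = re.compile(r"^\s*(\d{4,5})\s+(.*?)\s*$")
LATENCY_RE = re.compile(r"step latency=(\d+) ms", re.IGNORECASE)
NAK, ABANDONED, CHALLENGE, INNER_STARTED = 12301, 5440, 11006, 12313

def parse_steps(text):
    """Turn the Steps block into a list of (code, message) tuples."""
    return [(int(m.group(1)), m.group(2))
            for m in map(STEP_RE.match, text.splitlines()) if m]

def analyse(steps):
    """Summarise why the EAP session did not complete, as the replies above reason it out."""
    report = {"naks": [], "abandoned": None}
    for i, (code, msg) in enumerate(steps):
        if code == NAK:
            # The client refused ISE's proposal: recover what ISE offered and what the client wants.
            offered = next((re.search(r"proposing (\S+)", m).group(1)
                            for c, m in reversed(steps[:i]) if "proposing" in m), None)
            asked = re.search(r"requesting to use (\S+)", msg)
            report["naks"].append({"ise_offered": offered,
                                   "client_asked": asked.group(1) if asked else None})
        elif code == ABANDONED:
            lat = LATENCY_RE.search(msg)
            prev_code = steps[i - 1][0] if i else None
            report["abandoned"] = {
                "latency_ms": int(lat.group(1)) if lat else None,
                # True when ISE's last act was an Access-Challenge that got no reply.
                "after_unanswered_challenge": prev_code == CHALLENGE,
                # Whether the outer TLS tunnel was up and the inner method had begun.
                "inner_method_reached": any(c == INNER_STARTED for c, _ in steps[:i]),
            }
    return report
```

Run `analyse(parse_steps(SAMPLE_STEPS))` against a pasted Steps block; a report showing inner_method_reached with a large latency after an unanswered challenge points at the supplicant or the NAD path rather than at ISE policy.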
02-02-2021 12:47 PM
We see this a lot when wireless clients are on the move and eventually move out of range of the wifi signal.
In addition, if you ALWAYS see this and are unable to connect clients even when in range, then check the MTU on the L3 interface on which the ISE PSN is connected. It must be 1500 bytes because ISE does not support jumbo frames. If the SVI's MTU is > 1500 then it will allow larger certificate payloads and this will break the ISE TLS negotiation at the point where a large cert chain is exchanged ... TLS breaks down at that point.
02-04-2021 01:58 AM
Hello, this is for wired. I have checked the MTU of the switch and it is set to 1500, but I am still facing the same issue.
Source Timestamp 2021-02-04 09:58:32.671
Received Timestamp 2021-02-04 09:58:32.671
Policy Server -ISE-PAN
Event 5440 Endpoint abandoned EAP session and started new
Failure Reason 5440 Endpoint abandoned EAP session and started new
Resolution Verify known NAD or supplicant issues and published bugs. Verify NAD and supplicant configuration.
Root cause Endpoint started new authentication while previous is still in progress. Most probable that supplicant on that endpoint stopped conducting the previous authentication and started the new one. Closing the previous authentication.
Username \tempadmin
Endpoint Id BC:E9:2F:B1:66:51
IPv4 Address 10.100.105.55
Authentication Protocol PEAP
Network Device Test_Switch
Device Type All Device Types#Wired
Location All Locations#test_switch
NAS IPv4 Address 10.200.208.100
NAS Port Id GigabitEthernet1/0/11
02-04-2021 04:36 AM
Please share your native supplicant configuration so we can further/better assist.
02-04-2021 08:52 AM
02-04-2021 01:51 PM
Hello @Tutu
Minor point, but why does your 802.1X Authentication Policy have a "If auth fail" Continue? That is not usual and not recommended unless you know what you're doing. Likewise for "If user not found" Continue - that is to be used in MAB only.
It's a personal decision, but I don't like lumping 802.1X and MAB into the same Policy Set. Yes it can be done, but ISE will be doing more unnecessary checks and I believe it's cleaner to separate out 802.1X and MAB from the very first packet received. The Policy Set might not be the issue here, but it helps to separate this out to avoid any ambiguity.
In the case of your Wired Condition "DEVICE Equals #Wired" - I would substitute that with the built in Condition as below - if the overall condition matches, then you don't need to keep testing it again in Authentication and Authorization rules:
In Authentication you would check against your Identity Source Sequence (which should probably only check AD and nothing else? Why check Internal Endpoints for 802.1X?)
And in Authorization you can check against your AD Security Groups etc.
Then create another Policy Set for Wired MAB, and use the Condition:
For MAB authentication ensure that if User Not Found that you set to Continue - leave the other settings alone. For Allowed Protocols I always create a separate one- should only be "Process Host Lookup" - uncheck all the others.
If you narrow it down like this then you can see where ISE is going.
And then also check your switch port config. Perhaps there is a timer / sync issue. It seems that the supplicant starts an EAPOL conversation and then something happens on the switch to cause the process to start again?
Provide us a
show run int xxx
and also
show derived int xxx
02-04-2021 10:43 PM
Hello, please see below.
sh run int gig1/0/11
Building configuration...
Current configuration : 779 bytes
!
interface GigabitEthernet1/0/11
switchport access vlan 105
switchport mode access
switchport voice vlan 301
ip device tracking maximum 65535
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
storm-control broadcast level 25.00
storm-control multicast level 25.00
storm-control unicast level 25.00
spanning-tree portfast edge
end
............................................................
show derived int gigabitEthernet 1/0/11
Building configuration...
Derived configuration : 779 bytes
!
interface GigabitEthernet1/0/11
switchport access vlan 105
switchport mode access
switchport voice vlan 301
ip device tracking maximum 65535
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 10
storm-control broadcast level 25.00
storm-control multicast level 25.00
storm-control unicast level 25.00
spanning-tree portfast edge
end
02-04-2021 11:04 PM
I also keep getting this error, and both the passwords on ISE and the switch are exactly the same.
Overview
Event 5400 Authentication failed
Username radius-test
Endpoint Id
Endpoint Profile
Authentication Policy Wired
Authorization Policy Wired
Authorization Result
Authentication Details
Source Timestamp 2021-02-05 07:03:02.821
Received Timestamp 2021-02-05 07:03:02.821
Policy Server -ISE-PAN
Event 5400 Authentication failed
Failure Reason 22040 Wrong password or invalid shared secret
Resolution Check the Device shared secret in Administration > Network Resources > Network Devices and user for credentials.
Root cause Wrong password or invalid shared secret
Username radius-test
Authentication Method PAP_ASCII
Authentication Protocol PAP_ASCII
Service Type Login
Network Device Test_Switch
Device Type All Device Types#Wired
Location All Locations#-HQ
NAS IPv4 Address 10.200.208.23
Response Time 4 milliseconds
Other Attributes
ConfigVersionId 1567
Device Port 1645
DestinationPort 1645
RadiusPacketType AccessRequest
Protocol Radius
NetworkDeviceProfileId b0699505-3150-4215-a80e-6753d45bf56c
IsThirdPartyDeviceFlow false
AcsSessionID -ISE-PAN/401212985/87391
DetailedInfo UserPassword is corrupted
ISEPolicySetName Wired
DTLSSupport Unknown
Network Device Profile Cisco
Location Location#All Locations#-HQ
Device Type Device Type#All Device Types#Wired
IPSEC IPSEC#Is IPSEC Device#No
RADIUS Username radius-test
Device IP Address 10.200.208.23
CPMSessionID 0ac8de52mfNd5y/MB4wyhtVLoSmSPBgWHsH9j0M4ZAV9CvRqN8o
Result
RadiusPacketType AccessReject
AuthenticationResult Failed
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11117 Generated a new session ID
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - DEVICE.Device Type
22040 Wrong password or invalid shared secret
22002 Authentication complete
11003 Returned RADIUS Access-Reject
02-04-2021 11:24 PM - edited 02-04-2021 11:25 PM
Hi @Tutu
Do you have radius-server attribute 6 on-for-login-auth configured on your switch? Because neither your custom 802.1X rule nor your custom MAB rule have hits, only the default authentication rule. For me that indicates that the service type attribute is missing.
02-04-2021 11:31 PM
02-05-2021 12:41 AM - edited 02-05-2021 12:45 AM
Okay, so I at least know the problem of what is going on.
When I connect a PC that has AnyConnect Network Access Manager, it goes through the dot1x process and even authorizes the machine,
but when I remove the Network Access Manager it brings up the error.
I do not require AnyConnect NAM.
How do I go about this?