Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1091
Views
0
Helpful
4
Replies

Event 5400 Authentication failed with 22056 Failure

Go to solution
latenaite2011
Level 4
Level 4

‎11-08-2022 09:40 AM

Hey everyone,

Just wondering if anyone knows why a user would get a Event 5400 Authentication failed (Failure Reason is 22056 Subnet not found in the applicable identity store(s).  The laptop has just gone through a successful authentication and switched to a docking station (to test how a normal user would do) and we're testing this new configuration now. 

In the live logs, we can see it switched from 802.1x to MAB and not sure why if it just worked with 802.1x about several minutes ago.

See attached snapshots.  This is a new setup.   Not sure if the mac address is still in the cache so it is not prompting to re-authenticate.

Preview file
56 KB
Preview file
121 KB
Preview file
99 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
hslai
Cisco Employee
Cisco Employee

‎11-13-2022 10:32 AM

@latenaite2011 

I would suggest the following:

  • verifying ISE working with other use cases
  • trying another switch port, in case the switch port gone bad
  • trying another docking station, in case the existing docking station is bad or has a bad network interface
  • trying rebooting the PC and trying another PC, in case something wrong with the client O/S

 

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Thomas Schmitt
Level 1
Level 1

‎11-08-2022 10:45 AM

I didn't read your trace, but just from idea - after successful dot1x authentication an endpoint with the MC of the endpoint was created on the ISE, but docking station has another MAC address, so you got disconnected.

0 Helpful

Go to solution
latenaite2011
Level 4
Level 4
In response to Thomas Schmitt

‎11-08-2022 11:45 AM

Thanks for the reply Thomas.

I did ask if the docking station has a different network adapter but it doesn't. Customer connects the laptop docking station that connects to the laptop using a USB C. The connection worked with the docking station at first then when he connected it, it wouldn't work anymore.  Since the laptop doesn't have any physical network, he uses the docking station to connect.  You can see the Live logs that the mac address is the same for the successful and the failed attempt.

 

Thanks!

 

0 Helpful

Go to solution
thomas
Cisco Employee
Cisco Employee

‎11-11-2022 01:59 PM

You redacted the user/host information so I don't know if you are doing the same user/host for all of these.

Capture 1 is doing EAP-TLS which is certificate based authentication.

Capture 2 is doing PEAP+EAP-MSCHAPv2 which is username+password authentication.

Capture 3 is doing MAB and failing because the MAC Address was not found in ISE (it has never been seen before).

If you want to allow new (never-before-seen) MAC addresses onto your network, you should change the authentication policy of your respective Policy Set to simply Continue if User Not Found:

image.png

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee

‎11-13-2022 10:32 AM

@latenaite2011 

I would suggest the following:

  • verifying ISE working with other use cases
  • trying another switch port, in case the switch port gone bad
  • trying another docking station, in case the existing docking station is bad or has a bad network interface
  • trying rebooting the PC and trying another PC, in case something wrong with the client O/S

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents