ISE 1.2.1 logs full of Identity/Endpoint ID of 00:00:00:00:00:03, authentication failed

Nicholas Poole
Level 1

After an upgrade to 1.2.1, I now see a lot of auth failed entries with an Identity/Endpoint ID of 00:00:00:00:00:03.

I don't see this MAC on the switch port of the NAS where ISE reports it.

 

Anybody know what this is and how to stop it from happening?

 

thanks

6 Replies

nspasov
Cisco Employee

Looks like that MAC address belongs to Xerox. With that being said, it could be someone spoofing that MAC address as well. It is interesting that you don't see it on the switchport that is reporting it. Couple of questions:

1. Do you have physical access to that port/jack? If yes, can you confirm what exactly is plugged in there?

2. Have you tried shutting down the port to see if the authentications for that MAC address stop?

3. Can you post the output of "show authentication session interface interface_name_number"?

 

 

 

Answers are:

  1. It's an HP ESXi server. 2x Win7 VM PCs run on this machine, each with a dedicated NIC.
  2. I haven't, will shut the VMs and shut the ports and see what happens.
  3. The auth session shows the MAC, but the switch MAC table doesn't:
SW1-C3750X#show authentication sessions int gi 1/0/19

Interface    MAC Address    Method  Domain  Status Fg Session ID
----------------------------------------------------------------------
Gi1/0/19     000c.2931.54f6 dot1x   DATA    Auth      0A0A01FE000000870EDF8C3B
Gi1/0/19     0000.0000.0003 N/A     UNKNOWN Unauth    0A0A01FE000000B219576F86

SW1-C3750X#show mac address-table int gi 1/0/19
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 100    000c.2931.54f6    STATIC      Gi1/0/19

 

 

Thanks for replying.

 

With the VM turned off it makes no difference. One other thing to note is that I said there are 2 VM PCs, each with their own dedicated NIC. This is only happening on one of those interfaces!

The switch is full of these events:

 

Aug 22 11:36:05.856: %AUTHMGR-5-START: Starting 'mab' for client (0000.0000.0003) on Interface Gi1/0/19 AuditSessionID 0A0A01FE000000B219576F86
Aug 22 11:36:05.890: %MAB-5-FAIL: Authentication failed for client (0000.0000.0003) on Interface Gi1/0/19 AuditSessionID 0A0A01FE000000B219576F86

With interface shutdown the events do not happen.

That is so strange. So with the VM shut off the issue still persists? But when you shutdown the port the issue goes away. This leads me to believe that the issue is with the NIC card. Are the two NICs residing on the same or different NIC card?
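
The cross-check done by hand in this thread (authentication sessions versus the MAC address table, plus MAB failure counts from the switch log) can be scripted. The following is an added example, not code from any poster or from Cisco; the function names are hypothetical and the sample input is copied from the outputs posted above.

```python
import re
from collections import Counter

# Inputs copied from the outputs posted in this thread (syslog lines de-wrapped).
AUTH_SESSIONS = """\
Gi1/0/19     000c.2931.54f6 dot1x   DATA    Auth      0A0A01FE000000870EDF8C3B
Gi1/0/19     0000.0000.0003 N/A     UNKNOWN Unauth    0A0A01FE000000B219576F86
"""
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 100    000c.2931.54f6    STATIC      Gi1/0/19
"""
SYSLOG = """\
Aug 22 11:36:05.856: %AUTHMGR-5-START: Starting 'mab' for client (0000.0000.0003) on Interface Gi1/0/19 AuditSessionID 0A0A01FE000000B219576F86
Aug 22 11:36:05.890: %MAB-5-FAIL: Authentication failed for client (0000.0000.0003) on Interface Gi1/0/19 AuditSessionID 0A0A01FE000000B219576F86
"""

MAC_RE = re.compile(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}", re.I)
FAIL_RE = re.compile(r"%MAB-5-FAIL: .*?client \((\S+?)\) on Interface (\S+)")

def parse_sessions(text):
    """(interface, mac, status) rows from 'show authentication sessions'."""
    rows = (line.split() for line in text.splitlines())
    return [(f[0], f[1].lower(), f[4]) for f in rows
            if len(f) >= 6 and MAC_RE.fullmatch(f[1])]

def parse_mac_table(text):
    """{(interface, mac)} pairs learned in 'show mac address-table'."""
    rows = (line.split() for line in text.splitlines())
    return {(f[3], f[1].lower()) for f in rows
            if len(f) >= 4 and MAC_RE.fullmatch(f[1])}

def mab_failures(text):
    """Count %MAB-5-FAIL events per (interface, mac)."""
    return Counter((m.group(2), m.group(1).lower()) for m in FAIL_RE.finditer(text))

def phantom_sessions(sessions_text, mac_table_text, syslog_text):
    """Sessions whose MAC was never learned on that port, with failure counts."""
    learned = parse_mac_table(mac_table_text)
    fails = mab_failures(syslog_text)
    return [{"interface": i, "mac": m, "status": s, "mab_failures": fails[(i, m)]}
            for i, m, s in parse_sessions(sessions_text) if (i, m) not in learned]

if __name__ == "__main__":
    for row in phantom_sessions(AUTH_SESSIONS, MAC_TABLE, SYSLOG):
        print(row)
```
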
