Cisco Community
English
Register
Great changes are coming to Cisco Community in July. LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

12476
Views
0
Helpful
16
Replies
agipkcoat
Beginner
Beginner
‎01-29-2019 01:51 AM
‎01-29-2019 01:51 AM

ISE 2.4 and Win10 issue - 5440 Endpoint abandoned EAP session and started new

We faced with an issue 5440 Endpoint abandoned EAP session and started new

Use case: Corporate users using corporate machine – Dot1x authentication using certificates (User + Machine) EAP-FAST and Posture assessment

 

Network Devices:

Cisco WS-3750X - IOS 15.2(4)E7

Cisco WS-3650 - IOS 16.3.7

 

Deployment details:

ISE 2.4.0.357, Patch 1,2,3,4,5

AnyConnect module v.4.7.00136

Windows 7, 10.

 

Use case works perfect with 3650 switch IOS 16.3.7 on Win7 and Win10.

But if we trying to use 3750X with IOS 15.2(4)E7, we have a problems only with Win10 while Win7 works correctly. 

 

 

0 Helpful
16 REPLIES 16
Sheraz.Salim
VIP Advisor VIP Advisor
VIP Advisor
‎01-29-2019 01:57 AM
‎01-29-2019 01:57 AM

does the 3750X have configured with ip device tracking command?

have you test the same windows pc working fine on one switch and not working on the different switch.

you can check the windows server log

https://social.technet.microsoft.com/Forums/windowsserver/en-US/cd4bb679-6412-45e1-b928-3a229cd217c4/why-unable-to-identify-a-user-for-8021x-authentication-0x50001?forum=winserverNAP

please do not forget to rate.
0 Helpful
agipkcoat
Beginner
Beginner
In response to Sheraz.Salim
‎01-29-2019 04:05 AM
‎01-29-2019 04:05 AM

No, 3750X haven't configured with ip device-tracking command. But I think that it shouldn't be a main problem, because the switch can authorize and authenticate Win7.
And there is no way to test worked Win10 workstations on the same switch because of separated locations.

0 Helpful
Sheraz.Salim
VIP Advisor VIP Advisor
VIP Advisor
In response to agipkcoat
‎01-29-2019 04:06 AM
‎01-29-2019 04:06 AM

can you share the switch config please.

please do not forget to rate.
0 Helpful
dporod
Beginner
Beginner
In response to Sheraz.Salim
‎09-26-2019 07:48 AM
‎09-26-2019 07:48 AM

Do you know of an issue with ip device tracking being configured?

0 Helpful
ldanny
Cisco Employee
Cisco Employee
‎01-29-2019 04:09 AM
‎01-29-2019 04:09 AM

Sounds like your looking at IOS/OS issue here.

You could try another code but this doesnt seem to be related to ISE .

0 Helpful
Sheraz.Salim
VIP Advisor VIP Advisor
VIP Advisor
In response to ldanny
‎01-29-2019 04:11 AM
‎01-29-2019 04:11 AM

yes could be as the gentleman is on

Cisco WS-3750X - IOS 15.2(4)E7

Cisco WS-3650 - IOS 16.3.7

 

 

please do not forget to rate.
0 Helpful
agipkcoat
Beginner
Beginner
In response to ldanny
‎01-29-2019 04:15 AM
‎01-29-2019 04:15 AM

I think that the main problem related to ISE, not to IOS version because it have to be compatible with ISE 2.4.
0 Helpful
Sheraz.Salim
VIP Advisor VIP Advisor
VIP Advisor
In response to agipkcoat
‎01-29-2019 04:17 AM
‎01-29-2019 04:17 AM

check this cisco ise 2.4 switch matrix/compatiable table

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/compatibility/b_ise_sdt_24.html

please do not forget to rate.
0 Helpful
ldanny
Cisco Employee
Cisco Employee
‎01-29-2019 04:22 AM
‎01-29-2019 04:22 AM

when you mention failing are these all Win10 clients or a single one?

If these are Win10 client are they all hanging off the same switch?

0 Helpful
Sheraz.Salim
VIP Advisor VIP Advisor
VIP Advisor
In response to ldanny
‎01-29-2019 04:23 AM
‎01-29-2019 04:23 AM

@ldannyI asked the similar question and the answer was

"And there is no way to test worked Win10 workstations on the same switch because of separated locations."

please do not forget to rate.
0 Helpful
ldanny
Cisco Employee
Cisco Employee
In response to Sheraz.Salim
‎01-29-2019 04:34 AM
‎01-29-2019 04:34 AM

If Win7 works just fine then this just could be OS behavior and not ISE , but just relying on one win10 workstation will not suffice obviously. Not much to go on if with just testing one endpoint on a specific switch.

 

You could try to run a sniffer to see if you find anything interesting.

0 Helpful
agipkcoat
Beginner
Beginner
In response to ldanny
‎01-29-2019 04:57 AM
‎01-29-2019 04:57 AM

Sorry, but I don't want to open a dispute to which of devices this topic related because this is not a solution of this problem.
We have a lot of Win10 workstations on the same switch and a lot of Win7. And the use case "Win10 + 3750X IOS 15.2(4)E7 + ISE2.4 EAP-FAST (EAP-TLS User and Computer)" doesn't work.
It could be an IOS behavior, but I'm not pretty sure stat it's not a supplicant side issue.
0 Helpful
ldanny
Cisco Employee
Cisco Employee
In response to agipkcoat
‎01-29-2019 05:02 AM
‎01-29-2019 05:02 AM

Are you using NAM or Native supplicant for dot1x?

Could you send a sniffer.

0 Helpful
Sheraz.Salim
VIP Advisor VIP Advisor
VIP Advisor
In response to ldanny
‎01-29-2019 05:47 AM
‎01-29-2019 05:47 AM

using Dot1x authentication using certificates (User + Machine) EAP-FAST and Posture assessment

if you see the first post :)

please do not forget to rate.
0 Helpful
Latest Contents
Earn $100! Interview with Cisco on Network Risk, Compliance ...
Created by S Nath on 06-27-2022 01:56 PM
0
0
0
0
Are you responsible for risk management, compliance management and auditing of a network?    If so, we’d like to speak with you to learn your current processes of enforcing compliance and managing risk to help us develop services that will ... view more
Converting Cisco Secure Endpoint Connectors from Audit to Pr...
Created by Sohaib Ahmed on 06-23-2022 05:19 PM
0
0
0
0
Once you've expanded Cisco Secure Endpoint connector deployment to about 50% of your licensed count (check out this article that shows you how to do that), it's time to put those connectors to action i.e. convert them to Protect from Audit mode for vari... view more
🧦💚 Tell us about your ZTNA journey in exchange for a pair ...
Created by betswang on 06-23-2022 03:05 PM
0
15
0
15
  Hello! I’m Betsy, UX Researcher, on the Cisco+ Secure Connect Now team. Nice to meet you all .We have a short survey to learn about your Zero Trust Network Access (ZTNA) journey. Whether you have, plan to, or have not implemented a ... view more
Cisco ASA Access-list ACL using network object
Created by Meddane on 06-23-2022 06:59 AM
0
0
0
0
  A set of interface access rules can cause the Cisco Adaptive Security Appliance to permit or deny a designated host to access another particular host with a specific network application (service). When there is only one client, one host and one se... view more
How To: Cisco ISE Captive Portals with Aruba Wireless
Created by ahollifield on 06-22-2022 06:23 PM
4
10
4
10
How To: Cisco ISE Captive Portals with Aruba Wireless Authors: Adam Hollifield, Brad Johnson IntroductionPrerequisitesMinimum RequirementsComponents UsedConfigurationAruba Wireless ControllerWLAN CreationAuthentication ConfigurationRole & Policy Confi... view more
Ask a Question
Create
+ Discussion
+ Blog
+ Document
+ Video
+ Project Story
Find more resources
Discussions
Blogs
Documents
Events
Videos
Project Gallery
New Community Member Guide
Related support document topics
Recognize Your Peers
Spotlight Award Nomination
Content for Community-Ad

ISE Webinars

Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube