agipkcoat
Beginner

ISE 2.4 and Win10 issue - 5440 Endpoint abandoned EAP session and started new

We are faced with an issue: 5440 Endpoint abandoned EAP session and started new

Use case: Corporate users using corporate machine – Dot1x authentication using certificates (User + Machine) EAP-FAST and Posture assessment

 

Network Devices:

Cisco WS-3750X - IOS 15.2(4)E7

Cisco WS-3650 - IOS 16.3.7

 

Deployment details:

ISE 2.4.0.357, Patch 1,2,3,4,5

AnyConnect module v.4.7.00136

Windows 7, 10.

 

The use case works perfectly with the 3650 switch IOS 16.3.7 on Win7 and Win10.

But if we try to use the 3750X with IOS 15.2(4)E7, we have problems only with Win10, while Win7 works correctly.

 

 

16 REPLIES
Sheraz.Salim
VIP Advocate

Is the 3750X configured with the ip device tracking command?

Have you tested the same Windows PC working fine on one switch and not working on a different switch?

You can check the Windows server log:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/cd4bb679-6412-45e1-b928-3a229cd217c4/why-unable-to-identify-a-user-for-8021x-authentication-0x50001?forum=winserverNAP

please do not forget to rate.

No, the 3750X hasn't been configured with the ip device-tracking command. But I think that it shouldn't be the main problem, because the switch can authorize and authenticate Win7.
And there is no way to test working Win10 workstations on the same switch because of separate locations.

Can you share the switch config, please?

please do not forget to rate.

Do you know of an issue with ip device tracking being configured?

ldanny
Cisco Employee

Sounds like you're looking at an IOS/OS issue here.

You could try another code, but this doesn't seem to be related to ISE.

Yes, could be, as the gentleman is on

Cisco WS-3750X - IOS 15.2(4)E7

Cisco WS-3650 - IOS 16.3.7

 

 

please do not forget to rate.

I think that the main problem is related to ISE, not to the IOS version, because it has to be compatible with ISE 2.4.

Check this Cisco ISE 2.4 switch matrix/compatibility table:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/compatibility/b_ise_sdt_24.html

please do not forget to rate.
ldanny
Cisco Employee

When you mention failing, are these all Win10 clients or a single one?

If these are Win10 clients, are they all hanging off the same switch?

@ldanny I asked a similar question and the answer was

"And there is no way to test working Win10 workstations on the same switch because of separate locations."

please do not forget to rate.

If Win7 works just fine, then this could just be OS behavior and not ISE, but just relying on one Win10 workstation will obviously not suffice. Not much to go on with just testing one endpoint on a specific switch.

 

You could try to run a sniffer to see if you find anything interesting.

Sorry, but I don't want to open a dispute about which of the devices this topic is related to, because this is not a solution to this problem.
We have a lot of Win10 workstations on the same switch and a lot of Win7. And the use case "Win10 + 3750X IOS 15.2(4)E7 + ISE2.4 EAP-FAST (EAP-TLS User and Computer)" doesn't work.
It could be IOS behavior, but I'm not really sure that it's not a supplicant-side issue.

Are you using NAM or the native supplicant for dot1x?

Could you send a sniffer?

Using Dot1x authentication using certificates (User + Machine) EAP-FAST and Posture assessment

if you see the first post :)

please do not forget to rate.