12-23-2019 07:14 AM
Alarm Name :
Supplicant stopped responding
Details :
EAP Connection Timeout : Server=<Name>; NAS IP Address=x.x.x.x; NAS Identifier=N/A
Description :
ISE sent last message to the client 120 seconds ago but client still has not responded
Severity :
Info
Suggested Actions :
Verify that supplicant is configured properly to conduct a full EAP conversation with ISE. Verify that NAS is configured properly to transfer EAP messages to/from supplicant. Verify that supplicant or NAS does not have a short timeout for EAP conversation. Check the network that connects the Network Access Server to ISE. If external ID store is used for the authentication then is may be not responding fast enough for current timeouts.
*** This message is generated by Cisco Identity Services Engine (ISE) ***
Sent By Host : CiscoISEVM01
12-23-2019 07:48 AM
This is another normal alarm. If the client starts the authentication process but then doesn't finish, ISE will fire this alarm after 2 minutes. So this can happen if a client is connecting to wireless but then switches to wired in the middle of authentication. Or if a client computer is woken up but then disconnected from the wired network. It isn't an issue unless it is widespread and impacting users.
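To judge whether the alarm is "widespread" in the sense of the answer above, the `Details` lines of the alarm e-mails can be tallied per NAS and per ISE server. This is an added example, not part of the original thread and not Cisco code; the function names, the threshold of 3 and the sample lines (documentation-range addresses) are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Matches the "Details" line of the alarm e-mail shown in the first post.
DETAILS_RE = re.compile(r"EAP Connection Timeout\s*:\s*(?P<fields>.+)")

def parse_details(line):
    """Return the key=value fields of a Details line as a dict, or None if it is another alarm."""
    m = DETAILS_RE.search(line)
    if not m:
        return None
    fields = {}
    for part in m.group("fields").split(";"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def triage(lines, per_nas_threshold=3):
    """Count timeouts per NAS and per ISE server; flag NAS devices at or above the threshold.

    per_nas_threshold is an assumed cut-off, tune it to the normal noise level of the site.
    """
    by_nas, by_server = Counter(), Counter()
    for line in lines:
        fields = parse_details(line)
        if not fields or "NAS IP Address" not in fields:
            continue  # unrelated alarm or malformed line
        by_nas[fields["NAS IP Address"]] += 1
        by_server[fields.get("Server", "unknown")] += 1
    investigate = sorted(ip for ip, n in by_nas.items() if n >= per_nas_threshold)
    return {"by_nas": dict(by_nas), "by_server": dict(by_server), "investigate": investigate}

# Constructed sample input in the layout of the alarm e-mail (not real data).
SAMPLE_ALARMS = [
    "EAP Connection Timeout : Server=ise01; NAS IP Address=192.0.2.10; NAS Identifier=N/A",
    "EAP Connection Timeout : Server=ise01; NAS IP Address=192.0.2.10; NAS Identifier=N/A",
    "EAP Connection Timeout : Server=ise02; NAS IP Address=192.0.2.10; NAS Identifier=N/A",
    "EAP Connection Timeout : Server=ise01; NAS IP Address=192.0.2.20; NAS Identifier=N/A",
    "High Load Average : Server=ise01",  # different alarm type, ignored
    "EAP Connection Timeout : Server=ise02; NAS IP Address=192.0.2.30; NAS Identifier=sw-lab",
]

if __name__ == "__main__":
    result = triage(SAMPLE_ALARMS)
    print("Timeouts per NAS:   ", result["by_nas"])
    print("Timeouts per server:", result["by_server"])
    print("Look closer at:     ", result["investigate"])
```

A NAS that appears under `investigate` while the others stay at one or two timeouts points at that switch or controller and its path to ISE rather than at a single roaming client.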
02-09-2021 10:50 AM
@Colby LeMaire I'm getting way too many of these errors so feel comfortable suppressing them. How can I troubleshoot EAP issues in ISE? Would Wireshark help prove anything, or Event Logs for 802.1x? It's only Win10 machines which experience failures periodically. Recently we moved from Monitor Mode to Low-Impact Mode so each time the EAP communication fails, Windows 10 waits 20 min until it tries again and by then the user has called the HelpDesk. As a workaround, we add them to a MAB identity group which gives them network access.
I've tried to force the endpoints to use TLS 1.2 by editing this reg key HKLM\SYSTEM\CurrentcontrolSet\Services\RasMan\PPP\EAP\13 and adding a DWORD called TlsVersion with c00 in the data. Some work fine with this change while others don't. Over the summer we were upgrading Windows 10 from 1803 to 1909 and simultaneously migrating to Low-Impact Mode. I know it's a Windows supplicant issue but I can't seem to resolve it. I'm trying my best not to remove Low-Impact Mode across the board but I'm going to have to unless I can find a fix.