ISE Alarm : Warning : RADIUS Authentication Request dropped : Server=XXXX; NAS IP Address=x.x.x.x; NAS Identifier=N/A; Failure Reason=5440 Endpoint abandoned EAP session and started new

pnowikow
Level 1

Good morning everyone.  Is there a fix for these alerts?

 

Alarm Name : 
RADIUS Request Dropped

Details : 
RADIUS Authentication Request dropped : Server=CiscoISEVM01; NAS IP Address=x.x.x.x; NAS Identifier=N/A; Failure Reason=5440 Endpoint abandoned EAP session and started new

Description : 
The authentication/accounting request from a NAD is silently discarded. This maybe because the NAD is unknown to ISE,  mismatched Shared Secrets, or invalid packet content per RFC.

Severity : 
Warning

Suggested Actions : 
Check that the NAD/AAA Client has a valid configuration in ISE.  Check whether the Shared Secrets on the NAD/AAA Client and ISE match. Ensure that the AAA Client and the network device, have no hardware problems or problems with RADIUS compatibility. Also ensure that the network that connects the device to the ISE, has no hardware problems.

*** This message is generated by Cisco Identity Services Engine (ISE) ***

Sent By Host : XXXXX

1 Accepted Solution


Colby LeMaire
VIP Alumni

These are normal alerts and can be ignored for the most part. What this is saying is that the endpoint started an EAP session and, before it was completed, the endpoint started a new session, so ISE dropped the original request. This happens when Windows machines are booting up. The machine will start the 802.1x process and once GPOs get applied, the machine will stop and start again with a new exchange. That causes the 5440 alerts on ISE. If it is happening quite a bit and users are complaining, then I would recommend opening a TAC case. But most times, it doesn't impact users.


3 Replies


Thanks for the info.  I'll suppress the alerting as they are frequent but so far no one is complaining.  We have 30 locations online and about 900 employees.  

I'd recommend looking at tuning your wireless network and other items to suppress these as well. @cgambrel has a nice session on further tuning, BRKSEC-2059; check out http://cs.co.ise-training. Also check out BRKSEC-3432 slides and recording over the years.
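
Before suppressing the alarm, it helps to confirm that the dropped requests really are all reason 5440, since the alarm description also lists unknown NADs and mismatched shared secrets as causes. The following is an added example, not part of the original thread and not Cisco code: it parses the alarm "Details" line quoted above, counts 5440 drops per NAS IP, and keeps any other failure reason separate for review. The function names, the threshold, the sample lines and the `99999` reason code are constructed for illustration.

```python
import re
from collections import Counter

# Matches the "Details" line format of the alarm e-mail quoted in this thread.
ALARM_RE = re.compile(
    r"RADIUS Authentication Request dropped\s*:\s*"
    r"Server=(?P<server>[^;]*);\s*"
    r"NAS IP Address=(?P<nas_ip>[^;]*);\s*"
    r"NAS Identifier=(?P<nas_id>[^;]*);\s*"
    r"Failure Reason=(?P<code>\d+)\s*(?P<text>.*)"
)

def parse_alarm(line):
    """Return the alarm fields as a dict, or None if the line is not a drop alarm."""
    m = ALARM_RE.search(line)
    return {k: v.strip() for k, v in m.groupdict().items()} if m else None

def summarize(lines, benign_codes=("5440",), noisy_threshold=3):
    """Count benign-coded drops per NAS and collect every other reason for review.

    noisy_threshold is an assumed cut-off for "happening quite a bit";
    tune it to the size of the deployment.
    """
    per_nas, other = Counter(), []
    for line in lines:
        rec = parse_alarm(line)
        if rec is None:
            continue  # e-mail header/footer lines, unrelated alarms
        if rec["code"] in benign_codes:
            per_nas[rec["nas_ip"]] += 1
        else:
            other.append(rec)  # never fold these into the suppressed bucket
    noisy = sorted(ip for ip, n in per_nas.items() if n >= noisy_threshold)
    return {"per_nas": dict(per_nas), "noisy": noisy, "other": other}

# Constructed sample input (documentation IP range, placeholder server name).
_T = ("RADIUS Authentication Request dropped : Server=ise-example; "
      "NAS IP Address={ip}; NAS Identifier=N/A; Failure Reason={reason}")
_R5440 = "5440 Endpoint abandoned EAP session and started new"
SAMPLE = (
    [_T.format(ip="192.0.2.10", reason=_R5440)] * 3
    + [_T.format(ip="192.0.2.20", reason=_R5440)]
    + [_T.format(ip="192.0.2.30", reason="99999 constructed placeholder reason")]
    + ["Sent By Host : ise-example"]
)

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A NAS that shows up in `noisy` is a candidate for the tuning or TAC case mentioned in the replies; anything in `other` should be looked at before the alarm is suppressed.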