ISE messages in log

startx001 · ‎11-30-2018

Why im seeing this in the logs constantly?

Is there any way to turn off ?

On picture, under Authentication details, Policy server 1 is secondary ISE node

Pictures are taken from ISE primary node log.

pan · ‎11-30-2018

The authentication are failing for the machine multiple time so you are getting that error message. To troubleshoot the issue you need to check why authentication are failing.

Why kind of authentication client is supposed to do mab or dot1x?

You would have following check box selected

startx001 · ‎12-03-2018

HI pan,

Is is dot1x on WLC.

But strange is that this message apears in logs of primary ISE, and log message shows policy server is secondary ISE.

I already have selected "Suppress repeated failed clients"

Regards,

VZ

Surendra · ‎12-03-2018

It is a mab authentication based on the service-type = Call check and also authentication method as mab that i see in the detailed authentication report. Based on the OUI of the mac address, it is a Cisco device which i'm guessing to be a Cisco IP Phone.

1. The reason why you are seeing the username as "INVALID" is because of a new feature introduced in the ISE 2.4 to mask the username for a failed authentication.
2. The reason why you see the logs on PAN for an authentication that happened on a PSN is by design. All the logs are stored in the MnT node and displayed on the PAN for the entire deployment.

If you do not wish to see the logs for this endpoint at all, then configure as follows :

Administration > System > Logging > Collection Filters > Add. Select the username as the mac address you see in the image (I cannot type that out here as it is sensitive information) and save it.

If you would want to know the real reason for failure then disable suppression for failed authentications and let it fail again and check the reason.