09-08-2017 11:59 AM
Hi Team,
ISE is set to 0 retries for PEAP inner methods, for the reason below taken from some internal documentation.
I do not see any erroneous debugs in the WLC log.
From the latest captures in ISE, it's clear that ISE detects the wrong password, but I see a different flow in the case of iPhone vs. Android.
iPhone:
========
24212 Found User in Internal Users IDStore
22063 Wrong password
22057 The advanced option that is configured for a failed authentication request is used
22061 The 'Reject' advanced option is configured in case of a failed authentication request
11823 EAP-MSCHAP authentication attempt failed
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
11815 Inner EAP-MSCHAP authentication failed   <-- Why is ISE not sending Access-Reject from here???
11520 Prepared EAP-Failure for inner EAP method
22028 Authentication failed and the advanced options are ignored
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
5440 Endpoint abandoned EAP session and started new
Android:
========
24212 Found User in Internal Users IDStore
22063 Wrong password
22057 The advanced option that is configured for a failed authentication request is used
22061 The 'Reject' advanced option is configured in case of a failed authentication request
11823 EAP-MSCHAP authentication attempt failed
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
11815 Inner EAP-MSCHAP authentication failed
11520 Prepared EAP-Failure for inner EAP method
22028 Authentication failed and the advanced options are ignored
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12917 Expected TLS acknowledge for PEAPv1 protected termination but received another message
11500 Invalid or unexpected EAP payload received
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
The only difference found is that if the Authentication Method comes as "dot1x", ISE will reject it.
If it comes as "MSCHAPv2", ISE doesn't reject it; instead it sends another Access-Challenge packet.
I need to know the reason behind the different authentication method.
I have tested in the lab with an iPhone 6 with iOS 10.3.3 and got a failed authentication with an Access-Reject.
Identity Services Engine
Overview
Event 5400 Authentication failed
Username abcd
Endpoint Id 9C:4F:DA:1B:C5:35
Endpoint Profile
Authentication Policy Default >> Dot1X
Authorization Policy Default
Authorization Result
Authentication Details
Source Timestamp 2017-08-10 17:41:28.023
Received Timestamp 2017-08-10 17:41:28.024
Policy Server ISE23
Event 5400 Authentication failed
Failure Reason 22063 Wrong password
Resolution Check the user credentials. Also check whether the password is wrong.
Root cause Wrong password
Username abcd
User Type User
Endpoint Id 9C:4F:DA:1B:C5:35
Calling Station Id 9c-4f-da-1b-c5-35
Authentication Identity Store Internal Users
Identity Group User Identity Groups:ALL_ACCOUNTS (default)
Audit Session Id 0ac9e875000000c3598ce117
Authentication Method dot1x
Authentication Protocol PEAP (EAP-MSCHAPv2)
.............
.....
The WLC engineer filed an internal bug, "WLC/ISE unable to exclude iOS 10.3.3 client with failed authentication", but they want this validated on the ISE side.
Any help would be appreciated.
Regards
Gagan
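As an added illustration (not part of this thread and not a Cisco tool), the script below parses ISE step logs like the two excerpts above and reports, per session, whether ISE closed it with an Access-Reject (11003) or the endpoint abandoned it (5440), and whether a further PEAP challenge (12305) followed an inner-method failure (11815). The step codes and messages are taken from the excerpts in this post; the two sample sessions are reconstructed from them as test data, and the function names and the `needs_attention` triage rule are my own assumptions.

```python
import re
from dataclasses import dataclass, field

# An ISE step line as quoted in this thread: a 4-5 digit step code, then text.
STEP_RE = re.compile(r"^\s*(\d{4,5})\s+(\S.*)$")

# Step codes taken from the excerpts in this post.
WRONG_PASSWORD = "22063"  # Wrong password
INNER_FAILED = "11815"    # Inner EAP-MSCHAP authentication failed
PEAP_CHALLENGE = "12305"  # Prepared EAP-Request with another PEAP challenge
ACCESS_REJECT = "11003"   # Returned RADIUS Access-Reject
ABANDONED = "5440"        # Endpoint abandoned EAP session and started new

@dataclass
class SessionSummary:
    outcome: str  # "rejected", "abandoned" or "unresolved"
    wrong_password_events: int
    inner_failures: int
    challenges_after_inner_failure: int
    steps: list = field(default_factory=list)

def parse_steps(text):
    """Return (code, message) tuples; headings and separators are skipped."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append((m.group(1), m.group(2).strip()))
    return steps

def classify_session(text):
    """Summarise one EAP session from its ISE step log."""
    steps = parse_steps(text)
    codes = [code for code, _ in steps]

    if ACCESS_REJECT in codes:
        outcome = "rejected"
    elif ABANDONED in codes:
        outcome = "abandoned"
    else:
        outcome = "unresolved"

    # Count PEAP challenges ISE sent right after an inner-method failure; with
    # 0 inner retries a reject would be expected there (the thread's question).
    challenges_after_failure = 0
    pending_failure = False
    for code in codes:
        if code == INNER_FAILED:
            pending_failure = True
        elif code == PEAP_CHALLENGE and pending_failure:
            challenges_after_failure += 1
            pending_failure = False

    return SessionSummary(
        outcome=outcome,
        wrong_password_events=codes.count(WRONG_PASSWORD),
        inner_failures=codes.count(INNER_FAILED),
        challenges_after_inner_failure=challenges_after_failure,
        steps=steps,
    )

def needs_attention(summary):
    """Hypothetical triage rule: a wrong-password session ISE never closed
    with an Access-Reject. Without the reject, WLC client exclusion does not
    kick in and the client can keep retrying bad credentials."""
    return summary.wrong_password_events > 0 and summary.outcome != "rejected"

# Constructed sample data, reconstructed from the excerpts in this post.
COMMON_STEPS = """\
24212 Found User in Internal Users IDStore
22063 Wrong password
22057 The advanced option that is configured for a failed authentication request is used
22061 The 'Reject' advanced option is configured in case of a failed authentication request
11823 EAP-MSCHAP authentication attempt failed
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
11815 Inner EAP-MSCHAP authentication failed
11520 Prepared EAP-Failure for inner EAP method
22028 Authentication failed and the advanced options are ignored
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
"""
IPHONE_SESSION = COMMON_STEPS + "5440 Endpoint abandoned EAP session and started new\n"
ANDROID_SESSION = COMMON_STEPS + """\
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12917 Expected TLS acknowledge for PEAPv1 protected termination but received another message
11500 Invalid or unexpected EAP payload received
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
"""

if __name__ == "__main__":
    for name, log in (("iPhone", IPHONE_SESSION), ("Android", ANDROID_SESSION)):
        s = classify_session(log)
        print(f"{name}: outcome={s.outcome} wrong_password={s.wrong_password_events} "
              f"challenges_after_inner_failure={s.challenges_after_inner_failure} "
              f"needs_attention={needs_attention(s)}")
```

Run over the two excerpts, the iPhone session comes out as "abandoned" and the Android one as "rejected"; both show one PEAP challenge sent after the inner-method failure, which is the difference the post is asking about. Pointing the same parser at exported step logs for a larger set of sessions gives a quick way to see which endpoints are failing without a reject and therefore never hitting WLC client exclusion.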
09-11-2017 07:04 AM
Per the message "Endpoint abandoned EAP session and started new": this is saying that before the auth event came to a conclusion (pass/fail), the endpoint started a new EAP session. ISE can return an Access-Reject for these cases by using suppression with the reject option. This will allow client exclusion to kick in on the WLC.
Craig
03-23-2021 08:02 AM
I have this same problem, and even after configuring suppression with the reject option, ISE does not send rejects; the request times out, so exclusion does not kick in, ultimately causing the AD password to lock out...
06-23-2021 07:30 AM
I know this is an old thread, but I seem to be experiencing a very similar issue with iOS devices. Can anyone provide clarification on what actually solved this issue? I see the note about suppression and rejection, but what was the actual fix?
06-23-2021 08:57 AM
I opened a case and no solution... They told me it is an iOS issue because they cannot control how the client behaves, so if the client stops responding and causes the timeout and the wrong password trigger, they cannot do anything about it... I told them to get in contact with Apple to fix the issue, good luck with that...