
ISE RADIUS - 5400 Authentication Failure - No Endpoint Data found

SergGutierrez
Level 1

Hello,

I've recently run into an issue in which I'm being locked out of my account consistently throughout the day. I figured that my credentials are stored somewhere on a device that continues to use my old password, as this started happening a few days after I changed my password.

I hopped into ISE and took a look into the RADIUS live logs, zoning into the authentication attempts utilizing my username. Sure enough, there are a ton of failed authentications with my username.
Please see the attached txt file to see additional details in regards to the event failure.

In the past, I normally would receive some endpoint data such as a MAC address. I could then at least trace back to a physical location where this device is at, and then remove bad credentials on said device. But I'm noticing that the event failures that I'm getting are not providing any endpoint data, making it impossible to locate what device this could be.

Does anyone have any advice on how I can gain more Endpoint data in this scenario?

Thanks!

Accepted Solutions

dalbanil
Cisco Employee

Hello SergGutierrez, I can see that you'd like to locate the device that is failing authentication, so that you can go to that specific device and update the credentials. Have you attempted going to Operations > Troubleshooting tools > TCP Dump and running a PCAP for about 5 minutes from the PSN/Policy Server that is rejecting those authentications, filtering by the WLC IP that you attached in the live log? Once you have it filtered, you can apply another filter by "Calling Station ID"; then you will see which RADIUS Access-Request packets were rejected (Access-Reject), and you will also have the MAC address. Please let me know if this helped you.


2 Replies

Thank you for your response. This definitely helped me find source and dest MAC addresses. Awesome tool that I didn't know about before. Thanks a bunch!
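
The correlation described in the accepted solution (match each Access-Reject to its Access-Request and read the Calling-Station-Id) can be scripted once the RADIUS UDP payloads are out of the PCAP. This is an added example, not part of the original thread or any Cisco tooling; the IP addresses, usernames and MAC addresses are constructed sample values, and the input is assumed to be (source IP, destination IP, payload) tuples already extracted from the capture.

```python
import struct

ACCESS_REQUEST, ACCESS_REJECT = 1, 3
USER_NAME, CALLING_STATION_ID = 1, 31   # RFC 2865 attribute types

def parse_radius(payload):
    """Parse one RADIUS UDP payload into (code, identifier, {attr_type: value})."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        raise ValueError("bad length field")
    attrs, pos = {}, 20
    while pos + 2 <= length:
        a_type, a_len = payload[pos], payload[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(a_type, payload[pos + 2:pos + a_len])
        pos += a_len
    return code, ident, attrs

def rejected_stations(packets, username):
    """Return Calling-Station-Id values from the user's rejected requests.
    Keyed on (NAS IP, identifier); a real capture should also key on UDP source port."""
    pending, found = {}, []
    for src, dst, payload in packets:   # packets must be in capture order
        try:
            code, ident, attrs = parse_radius(payload)
        except ValueError:
            continue  # skip truncated or non-RADIUS payloads
        if code == ACCESS_REQUEST:
            if attrs.get(USER_NAME, b"").decode(errors="replace") == username:
                pending[(src, ident)] = attrs.get(CALLING_STATION_ID)
        elif code == ACCESS_REJECT and (dst, ident) in pending:
            csid = pending.pop((dst, ident))
            found.append(csid.decode(errors="replace") if csid else None)
    return found

def build_pkt(code, ident, attrs=()):
    # Builds a constructed sample packet; the authenticator is zeroed.
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

# Constructed capture: 10.0.0.5 stands in for the WLC, 10.0.0.10 for the PSN.
SAMPLE = [
    ("10.0.0.5", "10.0.0.10", build_pkt(1, 7, [(1, b"jdoe"), (31, b"AA-BB-CC-11-22-33")])),
    ("10.0.0.5", "10.0.0.10", build_pkt(1, 8, [(1, b"asmith"), (31, b"AA-BB-CC-44-55-66")])),
    ("10.0.0.10", "10.0.0.5", build_pkt(3, 7)),   # Access-Reject for identifier 7
    ("10.0.0.10", "10.0.0.5", build_pkt(2, 8)),   # Access-Accept for identifier 8
]
```

A `None` entry in the result means the rejected request carried no Calling-Station-Id attribute at all, which points at the NAS rather than at the capture.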