02-22-2023 12:32 PM
Hello,
I've recently run into an issue in which I'm being locked out of my account consistently throughout the day. I figured that my credentials are stored somewhere on a device that continues to use my old password, as this started happening a few days after I changed my password.
I hopped into ISE and took a look into the RADIUS live logs, zoning into the authentication attempts utilizing my username. Sure enough, there are a ton of failed authentications with my username.
Please see the attached txt file to see additional details in regards to the event failure.
In the past, I normally would receive some endpoint data such as a MAC address. I could then at least trace back to a physical location where this device is at, and then remove bad credentials on said device. But I'm noticing that the event failures that I'm getting are not providing any endpoint data, making it impossible to locate what device this could be.
Does anyone have any advice on how I can gain more Endpoint data in this scenario?
Thanks!
02-22-2023 12:54 PM - edited 02-22-2023 12:55 PM
Hello SergGutierrez, I can see that you'd like to locate the device that is failing on the authentication, to go to that specific device and update the credentials. Have you attempted going to Operations > Troubleshooting Tools > TCP Dump and running a PCAP for about 5 mins from the PSN/Policy Server that is rejecting those authentications, then filtering by the WLC IP that you attached in the live log? Once you have it filtered, you can apply another filter by "Calling Station ID"; then you will see which RADIUS Access-Request packets were rejected (Access-Reject), and you will also have the MAC address. Please let me know if this helped you.
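The correlation described in the reply above, as an added example that is not part of the original post and is not Cisco code: it pairs each Access-Reject with its Access-Request by NAS address and RADIUS Identifier, then counts the Calling-Station-Id values seen for one user. It assumes the RADIUS UDP payloads have already been extracted from the capture; the function names, user names, addresses and MACs are constructed.

```python
import struct
from collections import Counter
ACCESS_REQUEST, ACCESS_REJECT = 1, 3      # RADIUS packet codes
USER_NAME, CALLING_STATION_ID = 1, 31     # RADIUS attribute types

def parse_radius(payload):
    """Return (code, identifier, {attr_type: value}) for one RADIUS UDP payload."""
    if len(payload) < 20 or not 20 <= struct.unpack("!H", payload[2:4])[0] <= len(payload):
        raise ValueError("bad RADIUS header or length field")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    attrs, pos = {}, 20                   # attributes follow the 16-byte authenticator
    while pos + 2 <= length:
        a_type, a_len = payload[pos], payload[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(a_type, payload[pos + 2:pos + a_len])  # keep first occurrence
        pos += a_len
    return code, ident, attrs

def rejected_endpoints(packets, username):
    """packets: (nas_ip, payload) tuples in capture order, nas_ip being the
    NAS/WLC side of the exchange. Returns a Counter of rejected MACs for username."""
    pending, hits = {}, Counter()
    for nas_ip, payload in packets:
        code, ident, attrs = parse_radius(payload)
        key = (nas_ip, ident)             # a reply echoes the request's Identifier
        if code == ACCESS_REQUEST:
            pending[key] = attrs
        elif code == ACCESS_REJECT and key in pending:
            req = pending.pop(key)
            if req.get(USER_NAME, b"").decode(errors="replace") == username:
                # "<absent>" marks requests the NAS sent without endpoint data
                hits[req.get(CALLING_STATION_ID, b"<absent>").decode(errors="replace")] += 1
    return hits

def build(code, ident, attrs=()):
    """Constructed-sample helper: assemble a RADIUS payload with a zero authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

# Constructed sample traffic (user names, NAS IP and MACs are made up).
SAMPLE = [
    ("192.0.2.10", build(1, 7, [(1, b"jdoe"), (31, b"AA-BB-CC-00-11-22")])),
    ("192.0.2.10", build(1, 8, [(1, b"asmith"), (31, b"AA-BB-CC-00-33-44")])),
    ("192.0.2.10", build(3, 7)),          # Access-Reject for jdoe
    ("192.0.2.10", build(2, 8)),          # Access-Accept for asmith
    ("192.0.2.10", build(1, 9, [(1, b"jdoe"), (31, b"AA-BB-CC-00-11-22")])),
    ("192.0.2.10", build(3, 9)),          # second Access-Reject for jdoe
]
```

A count under `<absent>` means the NAS itself did not include Calling-Station-Id in the request, so the capture cannot supply the MAC for those attempts.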
02-24-2023 07:24 AM
Thank you for your response. This definitely helped me find source and dest MAC addresses. Awesome tool that I didn't know about before. Thanks a bunch!