01-23-2014 02:22 PM - edited 03-10-2019 09:19 PM
Hi.
I have lots of clients that are not able to log on to both wired and wireless networks, and they always fail with these errors:
5411 Supplicant stopped responding to ISE
5440 Endpoint abandoned EAP session and started new
This is with certificate authentication, both for client and for machine.
The clients are for the most part Windows 7.
We use both Cisco and Aerohive for wireless, and the switch I have tested with is a Cisco2960S
A few strange things:
It works perfectly for a lot of clients too, with the exact same configuration.
One PC I'm testing with works fine when authenticating via wireless, but when I plug it into the switch, I get these errors.
It seems to be a timeout of some kind, either too short or too long, but where?
In the Win7 supplicant?
In the switch?
In the Cisco WLC?
or in the Aerohive AP?
I have spent hours and hours on this problem, but I can't make it go away, it is very exhausting.
There surely must have been others with the same problem?
Thank you.
01-23-2014 06:01 PM
I'm a wireless guy. On your WLC, if you do a client debug in the CLI and you see the WLC expiring the mobile, it means the client isn't passing EAP in the time allowed and it expires the session, only for the client to try again.
You can expand those timers. Check this out:
https://supportforums.cisco.com/docs/DOC-12110
01-30-2014 12:51 PM
How many policy nodes is your switch or controller pointing to?
If it's more than one, can you change your switch to temporarily point to one (remove the second node) and see if the issue persists?
01-30-2014 02:05 PM
Hi.
The switch is pointing to only one policy node.
01-30-2014 02:07 PM
Hi.
A good tip. But the wireless authentication is mostly resolved. In that specific case I had, it was an MTU problem somewhere between the access point and ISE.
The problems I have with wired authentication through the switch are not resolved, though.
01-31-2014 12:12 PM
Did you exclude all potential cable problems?
Is the issue reproducible? Any improvement after you restart the Wired AutoConfig service on the Windows client?
On the switch:
debug authentication all
02-06-2014 10:10 PM
Verify that the supplicant is configured properly to conduct a full EAP conversation with Cisco ISE. Verify that NAS is configured properly to transfer EAP messages to/from the supplicant. Verify that the supplicant or NAS does not have a short timeout for EAP conversation.
04-06-2014 04:11 AM
Thanks for trying to help out, but this is... insanely vague.
How can I verify that the NAS (the C2960S) is properly configured?
What timers are we talking about here? There are many to choose from..
The problem is still here, even with the latest patch 7 for ISE 1.2. It works fine on wireless, but not with wired, from the same computer. So it is logical to assume it has something to do with the switch.
This is the configuration from the switch:
interface GigabitEthernet1/0/20
switchport mode access
authentication event fail action next-method
authentication open
authentication order dot1x mab
authentication port-control auto
snmp trap mac-notification change added
dot1x pae authenticator
spanning-tree portfast
end
sh dot1x int g1/0/20
Dot1x Info for GigabitEthernet1/0/20
-----------------------------------
PAE = AUTHENTICATOR
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
sh run aaa
!
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization exec default group radius local
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
aaa server radius dynamic-author
client 192.168.100.85
server-key nope!
auth-type any
!
!
radius server hmz
address ipv4 192.168.100.85 auth-port 1812 acct-port 1813
key nope!
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
!
aaa new-model
aaa session-id common
!
Some debug from the switch:
Apr 6 11:07:01.745: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] Create attr list, session 0x1E0000E0:
Apr 6 11:07:01.745: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding MAC d43d.7e97.1e26
Apr 6 11:07:01.745: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Swidb 0x4F8BAC8
Apr 6 11:07:01.745: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding AAA_ID=14B
Apr 6 11:07:01.745: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Audit_sid=C0A864FA0000014B6983A2E0
Apr 6 11:07:01.745: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Domain=DATA (1)
Apr 6 11:07:01.745: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Username=Dal@gaasdal.net
Apr 6 11:07:01.745: %AUTHMGR-5-START: Starting 'dot1x' for client (d43d.7e97.1e26) on Interface Gi1/0/20 AuditSessionID C0A864FA0000014B6983A2E0
Apr 6 11:07:01.745: AUTH-DETAIL: No default action(s) for event RX_METHOD_AGENT_FOUND.
Apr 6 11:08:21.182: %DOT1X-5-FAIL: Authentication failed for client (d43d.7e97.1e26) on Interface Gi1/0/20 AuditSessionID C0A864FA0000014B6983A2E0
Apr 6 11:08:21.187: %AUTHMGR-7-STOPPING: Stopping 'dot1x' for client d43d.7e97.1e26 on Interface Gi1/0/20 AuditSessionID C0A864FA0000014B6983A2E0
Apr 6 11:08:21.187: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (d43d.7e97.1e26) on Interface Gi1/0/20 AuditSessionID C0A864FA0000014B6983A2E0
Apr 6 11:08:21.187: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] Create attr list, session 0x1E0000E0:
Apr 6 11:08:21.187: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding MAC d43d.7e97.1e26
Apr 6 11:08:21.187: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Swidb 0x4F8BAC8
Apr 6 11:08:21.187: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding AAA_ID=14B
Apr 6 11:08:21.187: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Audit_sid=C0A864FA0000014B6983A2E0
Apr 6 11:08:21.187: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Domain=DATA (1)
Apr 6 11:08:21.187: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Username=host/HovedPC.gaasdal.net
Apr 6 11:09:22.079: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] Create attr list, session 0x1E0000E0:
Apr 6 11:09:22.079: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding MAC d43d.7e97.1e26
Apr 6 11:09:22.079: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Swidb 0x4F8BAC8
Apr 6 11:09:22.079: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding AAA_ID=14B
Apr 6 11:09:22.079: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Audit_sid=C0A864FA0000014B6983A2E0
Apr 6 11:09:22.079: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Domain=DATA (1)
Apr 6 11:09:22.079: AUTH-DETAIL: [d43d.7e97.1e26, Gi1/0/20] - adding Username=host/HovedPC.gaasdal.net
Apr 6 11:09:22.079: %AUTHMGR-5-START: Starting 'dot1x' for client (d43d.7e97.1e26) on Interface Gi1/0/20 AuditSessionID C0A864FA0000014B6983A2E0
Apr 6 11:09:22.079: AUTH-DETAIL: No default action(s) for event SESSION_STARTED.
04-06-2014 03:23 PM
I had a similar issue on wired where most hosts could connect but some would not, with the above mentioned errors. Ultimately this issue is very much related to the supplicant, and TAC and I came to the conclusion there was nothing wrong with the configuration of the network with regards to EAP.
I think this is the nature of dot1x: sometimes there will be hosts that can't connect for some reason, and the question is, do you troubleshoot the issue or tell the client that the issue is with their PC? In our case it was "contractor BYOD" machines that couldn't connect, so the answer was not so simple.
11-19-2014 11:00 AM
Hi.
I still have this problem.
Or, it works fine on wireless now, but not on wired.
I use the same computer for testing with both wired and wireless. Same certificate, and the same authentication and authorization rules in ISE.
ISE is upgraded to v1.3 now, btw.
If I use Microsoft PEAP as the auth method, it works, but not if I use certificate as the auth method (which is the way I prefer it, and that's the way it is done on wireless).
So in my opinion, it must be something with the switch configuration.
But what? Some kind of timeout that needs to be adjusted?
Thanks
02-20-2015 09:04 AM
For what it's worth, I see the same errors on our wired environment using PEAP.
08-25-2015 02:48 AM
I finally figured this out.
Or at least what's causing it: Jumbo frames.
As soon as jumbo frames are enabled on the switch, or the system MTU is increased from 1500, the authentication stops working, because the Framed-MTU being sent seems to use the jumbo frames setting.
By typing no system mtu and no system mtu jumbo, and then rebooting the switch, 802.1x with EAP-TLS started to work fine.
The problem is of course, that I need jumbo frames enabled on the switch, because I have iSCSI connections enabled on some computers.
So some more testing revealed that jumbo frames CAN be enabled on the switch, as long as all the network nodes in the chain from switch to ISE server have enabled jumbo frames as well.
Like this:
Client (1500) - Switch (9198) - Switch2 (9198) - vSwitch (9198) - virtual ISE (1500)
This works fine, until I enable jumbo frames on the client. Then it stops working again.
So the question is: How to fix this?
There should be a way to enable jumbo frames on the ISE server, IMO
Or is there a way to decrease the Framed MTU being sent from the switch? Or on the client?
Thanks.
08-29-2015 02:30 AM
Why do you want to use jumbo frames on the client?
Why do you think ISE needs jumbo frames? It does not talk to the client directly. Please capture the RADIUS packets sent by switch and check if the size exceeds 1500 bytes. (I'd be surprised)
I think you have collected enough info to open a TAC case.
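The 08-25-2015 post traces the failure to the Framed-MTU the switch advertises following its jumbo-frame setting, and the 08-29-2015 reply suggests capturing the RADIUS packets to check sizes. The following added example (not from the thread or from Cisco) is a small RADIUS Access-Request parser that pulls out the Framed-MTU attribute (type 12, RFC 2865) and flags values above the client's 1500-byte MTU; the packet it builds is constructed sample data, not a real capture.

```python
import struct

# RADIUS attribute types used here (RFC 2865 / RFC 3579).
FRAMED_MTU = 12        # integer advertised by the NAS; RFC 3579 lets the server size EAP fragments from it
EAP_MESSAGE = 79       # carries the EAP-TLS fragments ISE sends back
USER_NAME = 1
ACCESS_REQUEST = 1
ETHERNET_MTU = 1500    # the client in the thread runs with a 1500-byte MTU


def parse_radius(pkt: bytes) -> dict:
    """Parse the RADIUS header and attribute list; return code, id and (type, value) pairs."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"length field {length} != packet size {len(pkt)}")
    attrs, pos = [], 20  # attributes start after the 16-byte Authenticator
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length at offset {pos}")
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "attrs": attrs}


def check_framed_mtu(pkt: bytes, client_mtu: int = ETHERNET_MTU) -> list:
    """Return findings about the Framed-MTU an Access-Request advertises for this client."""
    findings = []
    parsed = parse_radius(pkt)
    if parsed["code"] != ACCESS_REQUEST:
        return findings
    mtus = [struct.unpack("!I", v)[0] for t, v in parsed["attrs"] if t == FRAMED_MTU and len(v) == 4]
    if not mtus:
        findings.append("no Framed-MTU attribute present; server must pick its own EAP fragment size")
    elif mtus[0] > client_mtu:
        findings.append(f"Framed-MTU {mtus[0]} > client MTU {client_mtu}: EAP-TLS fragments may exceed what the client accepts")
    if len(pkt) > client_mtu:
        findings.append(f"RADIUS packet is {len(pkt)} bytes, above {client_mtu}")
    return findings


def build_access_request(framed_mtu: int, username: bytes = b"host/example.lab") -> bytes:
    """Construct a minimal Access-Request (constructed sample, zeroed Authenticator)."""
    attrs = bytes([USER_NAME, 2 + len(username)]) + username
    attrs += bytes([FRAMED_MTU, 6]) + struct.pack("!I", framed_mtu)
    body = b"\x00" * 16 + attrs
    return struct.pack("!BBH", ACCESS_REQUEST, 1, 4 + len(body)) + body
```

Run check_framed_mtu over Access-Requests extracted from a capture on the switch-to-ISE path; a Framed-MTU of 9198 from a port whose client sits at 1500 is the condition the thread describes.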
12-08-2016 07:00 AM
This worked for me.
MTU on Cisco 3850 was changed from custom to default and EAP-TLS worked.
11-24-2015 06:16 AM
Hi,
Did you solve it?
I have a similar issue on eap_chaining with user and machine authentication.
When the user has the certificate, all works fine, but if the user does not have it, I can see a very large latency and "Endpoint abandoned EAP session". I need to complete the machine authentication for remediation.
I have windows 7 Enterprise, anyconnect 3.1.x and ISE 1.4
thanks.