Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1033
Views
0
Helpful
1
Replies

Supplicant wont send Authentication Failed log to ISE

ccna_security
Level 3
Level 3

‎04-18-2020 12:08 PM

Dear friends. i finally completed the configuration of switch for dot1x. then i tested by typing "test aaa group ise admin password new-code" and User rejected message appeared as expected because ISE authentication had not configured yet.And this log shown on ISE radius live logs. So, i created only Authentication Policy for testing purposes and configured windows 7 supplicant. So when i entered windows 7 domain user Authentication Fails as expected(Because Authorization Policy not configured yet). But this failure message didn't appear on Radius Live Logs. please see my switch configuration below and the result of "show authentication sessions"

 

interface Ethernet 0/2
switchport mode access
duplex auto
authentication event fail action next-method
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
!

 

Switch#show authentication sessions

Interface       MAC Address       Method     Domain     Status      Session ID
Et0/2            (unknown)           mab        UNKNOWN  Running   0A0A0A640000000200348BD9

 

0 Helpful
1 Reply 1

Colby LeMaire
VIP Alumni
VIP Alumni

‎04-19-2020 09:20 AM

The supplicant does not send logs to ISE.  When an authentication/authorization failure happens, ISE logs the message itself since it is the system failing the attempt.  By default, ISE is configured to suppress repeated failure and repeated successful attempts.  So when you are initially deploying ISE or just troubleshooting an issue, I recommend to turn off suppression.  Then once things are working as expected, turn suppression back on.  Go to Administration->System->Settings->Protocols->Radius.  That is where the suppression settings are.

0 Helpful
Customers Also Viewed These Support Documents