cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

4974
Views
5
Helpful
5
Replies

why mac suppresion works in ISE?

in the last month we have been receiving many requests regarding the one of the corporate SSIDs. Users get the following error message "Unable to connect to the network"  even if the credentials are correct via AD.

 

One of the processes that we found is doing a Bypass suppression on the ISE tool after that the users have access.

 

I would like to understand why this happens and what could be the cause of it, since just by bypassing the user or mac address it works.

 

the only thing I can see in the logs via ISE is the following,

 

have you experienced this kind of experience before? if so, what is the fix for this since I dont want to be keeping adding like if Im whitelisting and this seems to be that works only as work around 

 

Event 5440 Endpoint abandoned EAP session and started new
Failure Reason 5440 Endpoint abandoned EAP session and started new
Resolution Verify known NAD or supplicant issues and published bugs. Verify NAD and supplicant configuration.
Root cause Endpoint started new authentication while previous is still in progress. Most probable that supplicant on that endpoint stopped conducting the previous authentication and started the new one. Closing the previous authentication.

 

 

 

Event 5411 Supplicant stopped responding to ISE
Failure Reason 12934 Supplicant stopped responding to ISE during PEAP tunnel establishment
Resolution Verify that supplicant is configured properly to conduct a full EAP conversation with ISE. Verify that NAS is configured properly to transfer EAP messages to/from supplicant. Verify that supplicant or NAS does not have a short timeout for EAP conversation. Check the network that connects the Network Access Server to ISE. Verify that ISE local server certificate is trusted on supplicant.
Root cause

Supplicant stopped responding to ISE during PEAP tunnel establishment

 

please let me know if you need further info about it

 

1 ACCEPTED SOLUTION

Accepted Solutions
RichardAtkin
Participant

There is a feature that rejects clients who repeatedly fail...  Go to Administration > System > Settings > Protocols > RADIUS and review what is configured.

 

I would hazard a guess and say that you have got the 'reject repeated failed requests' feature enabled (the specific wording of it varies by ISE version - you'll know it when you see it).  Either turn it off, or adjust the detection thresholds to better suit your Clients' behaviour.

View solution in original post

5 REPLIES 5
RichardAtkin
Participant

There is a feature that rejects clients who repeatedly fail...  Go to Administration > System > Settings > Protocols > RADIUS and review what is configured.

 

I would hazard a guess and say that you have got the 'reject repeated failed requests' feature enabled (the specific wording of it varies by ISE version - you'll know it when you see it).  Either turn it off, or adjust the detection thresholds to better suit your Clients' behaviour.

View solution in original post

Thank you,  

I will play with the settings, I will do a research on the best practices since not sure what should be the correct settings or if its merely depends on the infra environment

 

I will keep you posted, 

 

thanks a bunch

 

Currently I have the following settings

Capture.JPG

 

 

There are plenty of people who have come unstuck with this feature - myself included.

 

On one hand it helps keep logs tidy and reduces the load on ISE, especially if a client is persistent / demandingly rapid with its (failing) connection attempts.  On the other hand, anything with Wireless and/or the Public will occasionally produce errors and having this feature enabled often causes more problems than it seems to fix.  It may be that you can keep it enabled but only deny access for a short period of time (instead of 60 minutes), or just turn it off.

 

As you're new to it - I suggest you fully turn it off just to prove this is what's causing the issue, then you can experiment with if/to what extent you turn it back on.

Richard, I agree with you on this feature.  I usually disable it initially until the customer is comfortable and understand what it does.  It is very similar to client exclusions on the WLCs.  The feature makes sense, but when you are troubleshooting and trying to figure out why something is failing it is annoying when you forget this option is enabled.

Thanks for all your feedback, 

I requested a change approval for this, cause I dont know what will be the impact of this, which I guess by unchecking it, it wont restart or make a disconnections, 

 

I will also check the commands for debugging a specific client mac address if thats the case and see what happens before and after, 

Thanks,

Content for Community-Ad