
Why does MAC suppression work in ISE?

In the last month we have been receiving many requests regarding one of the corporate SSIDs. Users get the error message "Unable to connect to the network" even though their credentials are correct via AD.

One of the things we found is that doing a suppression bypass in ISE gives the users access afterwards.

I would like to understand why this happens and what the cause could be, since just by bypassing the user or MAC address it works.

The only thing I can see in the ISE logs is the following.

Have you experienced this kind of issue before? If so, what is the fix for this? I don't want to keep adding entries as if I were whitelisting; that seems to work only as a workaround.

 

Event: 5440 Endpoint abandoned EAP session and started new
Failure Reason: 5440 Endpoint abandoned EAP session and started new
Resolution: Verify known NAD or supplicant issues and published bugs. Verify NAD and supplicant configuration.
Root cause: Endpoint started new authentication while previous is still in progress. Most probable that supplicant on that endpoint stopped conducting the previous authentication and started the new one. Closing the previous authentication.

Event: 5411 Supplicant stopped responding to ISE
Failure Reason: 12934 Supplicant stopped responding to ISE during PEAP tunnel establishment
Resolution: Verify that supplicant is configured properly to conduct a full EAP conversation with ISE. Verify that NAS is configured properly to transfer EAP messages to/from supplicant. Verify that supplicant or NAS does not have a short timeout for EAP conversation. Check the network that connects the Network Access Server to ISE. Verify that ISE local server certificate is trusted on supplicant.
Root cause: Supplicant stopped responding to ISE during PEAP tunnel establishment

 

Please let me know if you need further info about it.

 

5 Replies

RichardAtkin (Level 3), accepted solution:

There is a feature that rejects clients who repeatedly fail...  Go to Administration > System > Settings > Protocols > RADIUS and review what is configured.

 

I would hazard a guess and say that you have got the 'reject repeated failed requests' feature enabled (the specific wording of it varies by ISE version - you'll know it when you see it). Either turn it off, or adjust the detection thresholds to better suit your clients' behaviour.

Thank you.

I will play with the settings and do some research on the best practices, since I'm not sure what the correct settings should be or whether it merely depends on the infrastructure environment.

 

I will keep you posted. Thanks a bunch.

 

Currently I have the following settings:

(attached screenshot: Capture.JPG)

There are plenty of people who have come unstuck with this feature - myself included.

 

On one hand it helps keep logs tidy and reduces the load on ISE, especially if a client is persistent / demandingly rapid with its (failing) connection attempts.  On the other hand, anything with Wireless and/or the Public will occasionally produce errors and having this feature enabled often causes more problems than it seems to fix.  It may be that you can keep it enabled but only deny access for a short period of time (instead of 60 minutes), or just turn it off.

 

As you're new to it - I suggest you fully turn it off just to prove this is what's causing the issue, then you can experiment with if/to what extent you turn it back on.
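To make concrete what the two replies above describe (a run of failures trips the rejection, the endpoint is then refused for a period even when it presents good credentials, and a bypass entry or a shorter period avoids that), here is an added Python model of that logic run over constructed authentication records. This is example code written for this page, not Cisco's implementation: the event codes 5440 and 5411 come from the original post and the 60-minute period from the reply above, while the setting names, the default of 5 failures, the MAC addresses and the use of 5200 as a "success" code are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample records (not real ISE output): (timestamp, calling-station-id, event code).
# 5440 and 5411 are the failure events quoted in the original post; 5200 stands for a
# successful authentication (assumption: "credentials are correct").
T0 = datetime(2024, 1, 1, 9, 0, 0)
FLAKY = "AA:BB:CC:DD:EE:01"    # supplicant that abandons EAP sessions, then presents good creds
HEALTHY = "AA:BB:CC:DD:EE:02"  # ordinary client used as a control
RECORDS: List[Tuple[datetime, str, int]] = [
    (T0 + timedelta(seconds=10 * i), FLAKY, 5440) for i in range(5)
] + [
    (T0 + timedelta(minutes=1), FLAKY, 5200),    # correct credentials, 20 s after the 5th failure
    (T0 + timedelta(minutes=1), HEALTHY, 5200),  # unrelated client at the same time
    (T0 + timedelta(minutes=70), FLAKY, 5200),   # same client after a 60-minute period has elapsed
]

FAILURE_EVENTS = {5440, 5411}
SUCCESS_EVENT = 5200


@dataclass(frozen=True)
class Policy:
    """Knobs modelled after the RADIUS settings page. Names and defaults are assumptions,
    except the 60-minute rejection period mentioned in the thread."""
    enabled: bool = True
    failures_before_reject: int = 5
    reject_for: timedelta = timedelta(minutes=60)
    bypass_macs: FrozenSet[str] = frozenset()  # endpoints excluded from suppression


class RepeatedFailureSuppressor:
    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.failures: Dict[str, int] = {}
        self.rejected_until: Dict[str, datetime] = {}

    def _suppressible(self, mac: str) -> bool:
        return self.policy.enabled and mac not in self.policy.bypass_macs

    def handle(self, ts: datetime, mac: str, event: int) -> str:
        """Return PASS, FAIL or REJECTED_BY_SUPPRESSION for one authentication attempt."""
        if self._suppressible(mac):
            until = self.rejected_until.get(mac)
            if until is not None:
                if ts < until:
                    # Inside the rejection period the request is refused before the
                    # credentials are evaluated, which matches what the users saw.
                    return "REJECTED_BY_SUPPRESSION"
                del self.rejected_until[mac]  # period over: start a fresh count
                self.failures[mac] = 0
        if event in FAILURE_EVENTS:
            self.failures[mac] = self.failures.get(mac, 0) + 1
            if self._suppressible(mac) and self.failures[mac] >= self.policy.failures_before_reject:
                self.rejected_until[mac] = ts + self.policy.reject_for
            return "FAIL"
        self.failures[mac] = 0  # a genuine success clears the counter
        return "PASS"


def run(policy: Policy, records: List[Tuple[datetime, str, int]] = RECORDS) -> List[str]:
    """Feed the records through one suppressor and return the outcome per record."""
    s = RepeatedFailureSuppressor(policy)
    return [s.handle(ts, mac, event) for ts, mac, event in records]


if __name__ == "__main__":
    scenarios = {
        "feature enabled, defaults": Policy(),
        "flaky MAC on the bypass list": Policy(bypass_macs=frozenset({FLAKY})),
        "feature disabled": Policy(enabled=False),
        "reject for only 15 s": Policy(reject_for=timedelta(seconds=15)),
    }
    for name, pol in scenarios.items():
        print(f"{name:32} {run(pol)}")
```

With the defaults, the sixth record (good credentials from the flaky endpoint) comes back as REJECTED_BY_SUPPRESSION while the healthy client passes, which is the "works for everyone except these users" pattern in the question. Putting the MAC on the bypass list, disabling the feature, or shortening the rejection period all turn that record into PASS; the model makes it easy to see which of the three you are actually relying on before you change the setting in production.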

Richard, I agree with you on this feature. I usually disable it initially until the customer is comfortable and understands what it does. It is very similar to client exclusions on the WLCs. The feature makes sense, but when you are troubleshooting and trying to figure out why something is failing, it is annoying when you forget this option is enabled.

Thanks for all your feedback.

I requested a change approval for this, because I don't know what the impact will be; I guess that unchecking it won't cause a restart or any disconnections.

I will also check the commands for debugging a specific client MAC address, if that's the case, and see what happens before and after.

Thanks,
