cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
58098
Views
15
Helpful
17
Replies

Authentication failed "5440 Endpoint abandoned EAP session and started new" error

welmjendel
Level 1
Level 1

Hello Guys,

i faced this error "5440 Endpoint abandoned EAP session and started new"when users try to authoticate to network ( wired 802.1X) with ISE 2.3 .

 

FYI: before rebooting client machine users can authenticate normaly to the network.

In event manager on windows 10 i have this error: "Unable to identify a user for 802.1X authentication"

any idea please ???

 

 Regards,

1 Accepted Solution

Accepted Solutions

@raam, the "authentication mac-move permit" is on the switch side, and disabling the "EAP-TLS L-bit" is on the ISE side. What is the problem you're having?

View solution in original post

17 Replies 17

Hi,

 

When the users stop responding to EAP reauthentication or start authentication while the NAD already have existing session, this message gets generated. Exmaple, when the endpoint hibernate and comes back online.

 

On the switch try the command 'authentication mac-move permit'. This will enable the NAD to terminate the existing 802.1x session and starts new one when a request is received while there is an existing session for the endpoint. 

 

Also, there are couple of bugs related to windows 7 which can generate this message on ISE. Worth checking if they are applicable to windows 10. Here you go.

 

https://supportforums.cisco.com/t5/security-blogs/getting-past-intermittent-unexplained-802-1x-problems-on-windows/ba-p/3104109

 

Please remeber to rate useful posts.

thank you for your response !

i will see tomorrow this command can resolve the problem or not.

 

To set the expectations, the log will still pop but machine should
authenticate with this command

hi,

the problem persist with this command.

 

Regards,

hello,

it works fine with NAM cisco Annyconnect.

 

Regards,

Can you create the issue or is it random? Did you try to install the
hotfixes which I mentioned.

go to:
policy > resoult > AUTHENTICATION > allowed protocol > default Network access and DISABLE "EAP-TLS L-bit" under "allow eap-ttls"


Let me know if this will fix your problem

And news in this issue? Did it solve the problem of disconnections?

as said in the previus post, disabiling "eap-tls l-bit" fixed the problem for me.
rgds

It also worked for me

Hi Can you please tell me which place are you telling this settings on PC or on ISE side?

 

Thanks

@raam, the "authentication mac-move permit" is on the switch side, and disabling the "EAP-TLS L-bit" is on the ISE side. What is the problem you're having?

Hey ,

I have the same issue as mentioned before but its between ISE and Xerox printer and between them there is a meraki SW .so on meraki SW the printer cannot get an  dynamic IP address with the same error 5440 .

 

 

please let me know what can i do 

I ✔ "EAP-TLS L-bit" on the ISE side, it worked. I dont know why. I just update the agent resources from cisco site. And then appeared this same case.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: