Beginner

Cisco ISE Live logs

Hi,

It's kind of annoying to see many of the following logs throughout the day in Cisco ISE.

Jan 14, 2020 02:27:05.460 PM
Default >> Default
Default

Why does the switch keep sending access-request messages from the port where the device has already been authenticated and is working fine?

Moreover, this NAD is sending unnecessary requests to ISE even when no devices or users are connected to the switch.

Is there a way to stop it? Please see the attached screenshot.

Best Regards,

MD

Cisco Employee

Re: Cisco ISE Live logs

First of all, we need to unmask what INVALID is. ISE 2.4+ masks the usernames of failed authentications. ISE 2.4 has an option to disclose them temporarily for 30 minutes. Once that is identified, we will try to determine why it is repeating the authentications.

Screen Shot 2020-01-16 at 2.41.48 PM.png

Beginner

Re: Cisco ISE Live logs

Hi,

Thanks for your reply.

Well, I cannot see this option in my case (ISE 2.6). Please see attached.

Regards,

MD

Cisco Employee

Re: Cisco ISE Live logs

ISE 2.6 has it under Security Settings. Note that a known issue, CSCvo24097, is resolved in ISE 2.6 Patch 3.

Screen Shot 2020-01-18 at 6.30.19 PM.png

Beginner

Re: Cisco ISE Live logs

Hi,

Yes, now I can see the name "admin" and I am getting the following logs. But no one is trying to authenticate; I have configured only a single port for dot1x and MAB. Both the IP phone and the laptop are working fine. If I disconnect one of the devices from that port, it starts sending an unnecessary authentication request to the ISE. Am I doing something wrong?

Switch port configuration:

interface FastEthernet0/8
 description 802.1x Enabled
 switchport access vlan 11
 switchport mode access
 switchport voice vlan 156
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 authentication control-direction in
 authentication event fail action next-method
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority mab dot1x
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server
 authentication violation replace
 mab
 mls qos trust device cisco-phone
 mls qos trust cos
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 3
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
 service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY

 

 

BR,

MD

 

Event: 5400 Authentication failed
Failure Reason: 22056 Subject not found in the applicable identity store(s)
Resolution: Check whether the subject is present in any one of the chosen identity stores. Note that some identity stores may have been skipped due to identity resoultion settings or if they do not support the current authentication protocol.
Root cause: Subject not found in the applicable identity store(s).
Username: admin
Authentication Method: PAP_ASCII
Authentication Protocol: PAP_ASCII
Service Type: Login

SelectedAuthenticationIdentityStores: Internal Users
SelectedAuthenticationIdentityStores: All_AD_Join_Points
SelectedAuthenticationIdentityStores: Guest Users
IdentityPolicyMatchedRule: Default
ISEPolicySetName: Default
IdentitySelectionMatchedRule: Default
IsMachineIdentity: false
DTLSSupport: Unknown
Network Device Profile: Cisco
Location: Location#All Locations
Device Type: Device Type#All Device Types
IPSEC: IPSEC#Is IPSEC Device#No
RADIUS Username: admin

Event: 5400 Authentication failed
Username: admin
Endpoint Id:
Endpoint Profile:
Authentication Policy: Default >> Default
Authorization Policy: Default
Authorization Result:

Beginner

Re: Cisco ISE Live logs

Thanks, I guess I have found the root cause. I configured automate-tester on the switch, which was causing this behavior.

 

BR,

MD