Tutu
Level 1

Hello,

Can someone please help me understand this log message?

Event 5434 Endpoint conducted several failed authentications of the same scenario
Username anonymous
Endpoint Id E8:D8:D1:40:36:8B
Endpoint Profile
Authentication Policy Wired >> TCRA Dot1x
Authorization Policy Wired
Authorization Result

Authentication Details
Source Timestamp 2020-10-05 11:19:49.04
Received Timestamp 2020-10-05 11:19:49.04
Policy Server TCRA-ISE-PAN
Event 5434 Endpoint conducted several failed authentications of the same scenario
Failure Reason 12117 EAP-FAST inner method finished with failure
Resolution Verify that the client supplied the correct credentials, such as username and password. Verify that the client's supplicant is properly configured to use an inner method protocol that is supported by ISE. Check the previous 'Steps' in the Log for this EAP-MD5 conversation for any message that might hint why the inner method failed.
Root cause EAP-FAST inner method finished with failure.
Username anonymous
Endpoint Id E8:D8:D1:40:36:8B
Authentication Identity Store Guest Users
Audit Session Id 0AC8D06400000027155F8377
Authentication Method dot1x
Authentication Protocol EAP-FAST (EAP-MSCHAPv2)
Service Type Framed
Network Device Test
Device Type All Device Types#Wired
Location All Locations#TCRA-HQ
NAS IPv4 Address 10.200.208.100
NAS Port Id GigabitEthernet1/0/10
NAS Port Type Ethernet
Response Time 1 milliseconds

Other Attributes
ConfigVersionId 74
Device Port 1645
DestinationPort 1812
RadiusPacketType AccessRequest
UserName test
Protocol Radius
NAS-IP-Address 10.200.208.100
NAS-Port 50110
Framed-MTU 1500
State 37CPMSessionID=0AC8D06400000027155F8377;36SessionID=TCRA-ISE-PAN/391268742/257;
IsEndpointInRejectMode false
NetworkDeviceProfileName Cisco
NetworkDeviceProfileId b0699505-3150-4215-a80e-6753d45bf56c
IsThirdPartyDeviceFlow false
RadiusFlowType Wired802_1x
SSID 3C-41-0E-F2-25-0A
AcsSessionID TCRA-ISE-PAN/391268742/257
SelectedAuthenticationIdentityStores Guest Users
IdentityPolicyMatchedRule TCRA Dot1x
CPMSessionID 0AC8D06400000027155F8377
EndPointMACAddress E8-D8-D1-40-36-8B
EapChainingResult No chaining
ISEPolicySetName Wired
IdentitySelectionMatchedRule TCRA Dot1x
StepData 4= Normalised Radius.RadiusFlowType
StepData 5= DEVICE.Device Type
StepData 84=Guest Users
TLSCipher ECDHE-RSA-AES256-GCM-SHA384
TLSVersion TLSv1.2
DTLSSupport Unknown
Network Device Profile Cisco
Location Location#All Locations#TCRA-HQ
Device Type Device Type#All Device Types#Wired
IPSEC IPSEC#Is IPSEC Device#No
Called-Station-ID 3C:41:0E:F2:25:0A
CiscoAVPair service-type=Framed
audit-session-id 0AC8D06400000027155F8377
method dot1x

Result
RadiusPacketType Drop
AuthenticationResult Error

Session Events

Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12101 Extracted EAP-Response/NAK requesting to use EAP-FAST instead
12100 Prepared EAP-Request proposing EAP-FAST with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12102 Extracted EAP-Response containing EAP-FAST challenge-response and accepting EAP-FAST as negotiated
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12808 Prepared TLS ServerKeyExchange message
12810 Prepared TLS ServerDone message
12811 Extracted TLS Certificate message containing client certificate
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12812 Extracted TLS ClientKeyExchange message
12813 Extracted TLS CertificateVerify message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12149 EAP-FAST built authenticated tunnel for purpose of PAC provisioning
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12125 EAP-FAST inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
15041 Evaluating Identity Policy
15013 Selected Identity Source - Guest Users
24631 Looking up User in Internal Guests IDStore
22059 The advanced option that is configured for process failure is used
22062 The 'Drop' advanced option is configured in case of a failed authentication request
12117 EAP-FAST inner method finished with failure
5434 Endpoint conducted several failed authentications of the same scenario

5 Comments
CarlCarlson1234
Level 1

Tutu,

To break down what you're seeing in a couple of steps:

1. Event 5434 Endpoint conducted several failed authentications of the same scenario

Answer: This happens when a device triggers ISE's Anomalous Client Suppression function. I think by default it triggers when a device (MAC address) with an identity fails for the same reason 5 times within 15 minutes. Instead of spending cycles processing the request, ISE just applies the last result that was applied to the device. What that means is that if there is an issue, even if you fix it, the device won't authenticate differently for 1 hour. To get around this in RADIUS Live Logs, find the device, click the "Star" next to the device id, then click "Bypass suppression filtering for 1 hour".

2. Failure Reason 12117 EAP-FAST inner method finished with failure
Resolution Verify that the client supplied the correct credentials, such as username and password. Verify that the client's supplicant is properly configured to use an inner method protocol that is supported by ISE. Check the previous 'Steps' in the Log for this EAP-MD5 conversation for any message that might hint why the inner method failed.
Root cause EAP-FAST inner method finished with failure.
Username anonymous

Answer: I haven't used EAP-FAST in a while, but I think the inner method is PEAP authentication or Username and Password. ISE is telling us that the username is anonymous, which I believe means that no username is being provided. ISE even tells us a resolution: Verify that the client supplied the correct credentials, such as username and password.

3. 15041 Evaluating Identity Policy
15013 Selected Identity Source - Guest Users
24631 Looking up User in Internal Guests IDStore
22059 The advanced option that is configured for process failure is used
22062 The 'Drop' advanced option is configured in case of a failed authentication request

Answer: Looks like you're trying to do guest authentication from a wired connection? Generally for guest authentication, a username won't be supplied. By default the AuthC policy of your policy set will "Drop" the authentication on a failed authentication request, or if the identity isn't found in the selected identity store, which we can see is "Guest Users". For guest authentication, you need to set the AuthC condition for "user not found" to "Continue".

Hope this helps!
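An added triage helper, written for this thread and not Cisco's or ISE's code: it reads the posted "Steps" list to report how far the flow got before the drop, and it applies the repeated-failure rule Carl describes (the same endpoint failing for the same reason 5 times inside 15 minutes) to a constructed set of failure records. The step codes and messages are copied from the log above; the threshold and window are taken from Carl's description and treated as an assumption about ISE defaults; the second and third MAC addresses in the sample are made up.

```python
"""Triage helper for the ISE live-log 'Steps' list above and for the
repeated-failure (anomalous client suppression) rule Carl describes.

Added example, not Cisco's or ISE's code. Step codes and messages are copied
from the log in the post; the suppression rule (5 failures with the same
reason for the same endpoint inside 15 minutes) is the default Carl quotes
and is an assumption here. The failure records at the bottom are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Milestone codes in flow order. The furthest one present says which phase to
# inspect: a drop after 15013 is an identity-store problem, not a TLS one.
PHASES = [
    (12816, "TLS handshake succeeded"),
    (12125, "EAP-FAST inner method started"),
    (15013, "identity source selected"),
    (22037, "authentication passed"),
]

# Codes that mark a failure or drop in the posted log.
FAILURE_CODES = {
    12117: "EAP-FAST inner method finished with failure",
    22062: "'Drop' advanced option applied on failed authentication",
    5434: "endpoint suppressed after repeated identical failures",
}

# Subset of the posted Steps, keeping the milestones that matter for triage.
POSTED_STEPS = [
    (11001, "Received RADIUS Access-Request"),
    (12101, "Extracted EAP-Response/NAK requesting to use EAP-FAST instead"),
    (12816, "TLS handshake succeeded"),
    (12149, "EAP-FAST built authenticated tunnel for purpose of PAC provisioning"),
    (12125, "EAP-FAST inner method started"),
    (11522, "Extracted EAP-Response/Identity for inner EAP method"),
    (15013, "Selected Identity Source - Guest Users"),
    (24631, "Looking up User in Internal Guests IDStore"),
    (22062, "The 'Drop' advanced option is configured in case of a failed authentication request"),
    (12117, "EAP-FAST inner method finished with failure"),
    (5434, "Endpoint conducted several failed authentications of the same scenario"),
]


def furthest_phase(steps):
    """Name of the last milestone reached, or 'before TLS tunnel' if none."""
    seen = {code for code, _ in steps}
    phase = "before TLS tunnel"
    for code, name in PHASES:
        if code in seen:
            phase = name
    return phase


def failures(steps):
    """Failure codes in the order they appear in the Steps list."""
    return [code for code, _ in steps if code in FAILURE_CODES]


def suppressed_endpoints(records, threshold=5, window=timedelta(minutes=15)):
    """Return the set of (mac, reason) pairs with >= threshold failures inside window.

    records are (timestamp, endpoint_mac, failure_reason_code) tuples in any
    order; a sliding window runs over each pair's sorted timestamps.
    """
    by_pair = defaultdict(list)
    for ts, mac, reason in sorted(records):
        by_pair[(mac, reason)].append(ts)
    hits = set()
    for pair, times in by_pair.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.add(pair)
                break
    return hits


# Constructed sample: the posted MAC fails 5 times in 8 minutes (suppressed);
# a second MAC fails 5 times spread over 2 hours and a third only 4 times
# (neither should be).
T0 = datetime(2020, 10, 5, 11, 0, 0)
SAMPLE_FAILURES = (
    [(T0 + timedelta(minutes=2 * i), "E8:D8:D1:40:36:8B", 12117) for i in range(5)]
    + [(T0 + timedelta(minutes=30 * i), "AA:BB:CC:00:00:01", 12117) for i in range(5)]
    + [(T0 + timedelta(minutes=i), "AA:BB:CC:00:00:02", 12117) for i in range(4)]
)

if __name__ == "__main__":
    print("furthest phase:", furthest_phase(POSTED_STEPS))
    for code in failures(POSTED_STEPS):
        print(f"  {code}: {FAILURE_CODES[code]}")
    print("suppressed:", suppressed_endpoints(SAMPLE_FAILURES))
```

Run against the posted steps it reports that the flow reached "identity source selected" before 22062 and 12117, which points at the Guest Users store and the "Drop" option rather than at the TLS tunnel, and the sliding window flags only the endpoint whose five identical failures fall inside one 15-minute span.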

Tutu
Level 1

Hello Carl,

Thanks for your response. Can you please help me? I am trying to add a non-Cisco phone (a Grandstream IP phone) to ISE, but when I connect it to the switch I see that it is authenticated, yet it still cannot make calls.

Overview
Event 5200 Authentication succeeded
Username C0:74:AD:17:59:6B
Endpoint Id C0:74:AD:17:59:6B
Endpoint Profile Unknown
Authentication Policy Wired >> MAB
Authorization Policy Wired >> Default
Authorization Result PermitAccess

Authentication Details
Source Timestamp 2020-10-07 07:56:00.593
Received Timestamp 2020-10-07 07:56:00.593
Policy Server -ISE-PAN
Event 5200 Authentication succeeded
Username C0:74:AD:17:59:6B
User Type Host
Endpoint Id C0:74:AD:17:59:6B
Calling Station Id C0-74-AD-17-59-6B
Endpoint Profile Unknown
Authentication Identity Store Internal Endpoints
Identity Group Unknown
Audit Session Id 0AC8D064000000220862544F
Authentication Method mab
Authentication Protocol Lookup
Service Type Call Check
Network Device Test
Device Type All Device Types#Wired
Location All Locations#HQ
NAS IPv4 Address 10.200.208.100
NAS Port Id GigabitEthernet1/0/10
NAS Port Type Ethernet
Authorization Profile PermitAccess
Response Time 24 milliseconds

Other Attributes
ConfigVersionId 75
DestinationPort 1812
Protocol Radius
NAS-Port 50110
Framed-MTU 1500
OriginalUserName c074ad17596b
NetworkDeviceProfileId b0699505-3150-4215-a80e-6753d45bf56c
IsThirdPartyDeviceFlow false
AcsSessionID ISE-PAN/391431119/95
UseCase Host Lookup
SelectedAuthenticationIdentityStores Internal Endpoints
AuthenticationStatus AuthenticationPassed
IdentityPolicyMatchedRule MAB
AuthorizationPolicyMatchedRule Default
EndPointMACAddress C0-74-AD-17-59-6B
ISEPolicySetName Wired
IdentitySelectionMatchedRule MAB
DTLSSupport Unknown
HostIdentityGroup Endpoint Identity Groups:Unknown
Network Device Profile Cisco
Location Location#All Locations#HQ
Device Type Device Type#All Device Types#Wired
IPSEC IPSEC#Is IPSEC Device#No
BYODRegistration Unknown
RADIUS Username C0:74:AD:17:59:6B
Device IP Address 10.200.208.100
CPMSessionID 0AC8D064000000220862544F
Called-Station-ID 3C:41:0E:F2:25:0A
CiscoAVPair service-type=Call Check,
audit-session-id=0AC8D064000000220862544F,
method=mab

Result
UserName C0:74:AD:17:59:6B
User-Name C0-74-AD-17-59-6B
Class CACS:0AC8D064000000220862544F:ISE-PAN/391431119/95
cisco-av-pair profile-name=Unknown
LicenseTypes Base license consumed

Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11027 Detected Host Lookup UseCase (Service-Type = Call Check (10))
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Normalised Radius.RadiusFlowType
15048 Queried PIP - DEVICE.Device Type
15041 Evaluating Identity Policy
15048 Queried PIP - Network Access.EapAuthentication
15013 Selected Identity Source - Internal Endpoints
24209 Looking up Endpoint in Internal Endpoints IDStore - C0:74:AD:17:59:6B
24211 Found Endpoint in Internal Endpoints IDStore
22037 Authentication Passed
24715 ISE has not confirmed locally previous successful machine authentication for user in Active Directory
15036 Evaluating Authorization Policy
15048 Queried PIP - EndPoints.BYODRegistration
15016 Selected Authorization Profile - PermitAccess
24209 Looking up Endpoint in Internal Endpoints IDStore - C0:74:AD:17:59:6B
24211 Found Endpoint in Internal Endpoints IDStore
11002 Returned RADIUS Access-Accept

Arne Bier
VIP

This is beyond what most people here on these forums can assist with. If this were a Cisco IP phone, then you'd be having an issue because you didn't reply with a Cisco AVPair that puts that device into the Voice VLAN.  

Does your switch port have only one VLAN, or do you have a Data VLAN and a Voice VLAN? (I didn't think Voice VLAN tagging works on non-Cisco devices - but perhaps that's your issue.) If so, then you need to edit your Authorization Profile and tick the box called 'Voice Domain Permission'.

Tutu
Level 1

I have edited the Authorization Profile and have checked the box for 'Voice Domain Permission'.

I do not know where it is getting the IP from, as that is not the IP range for the voice VLAN; it's .32.

Interface: GigabitEthernet1/0/10
MAC Address: c074.ad17.596b
IPv6 Address: Unknown
IPv4 Address: 192.168.0.160
User-Name: C0-74-AD-17-59-6B
Status: Authorized
Domain: VOICE
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Session Uptime: 103s
Common Session ID: 0AC8D0640000001B14184E8C
Acct Session ID: 0x0000000F
Handle: 0x3E000008
Current Policy: POLICY_Gi1/0/10

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
ACS ACL: xACSACLx-IP-PERMIT_ALL_IPV4_TRAFFIC-57f6b0d3


Method status list:
Method State

dot1x Stopped
mab Authc Success
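An added check, written for this thread and not part of Tutu's post or of Cisco IOS: it parses the `show authentication sessions interface ... details` output above into fields and the method status table, then verifies that a session in the VOICE domain holds an address inside the expected voice subnet. The session text is copied from the post, with the first line deliberately run together the way pasted output sometimes arrives; the voice subnet 192.168.32.0/24 is a constructed placeholder for the ".32" range mentioned in the post and has to be replaced with the real one.

```python
"""Parse the 'show authentication sessions interface ... details' output
posted above and check the VOICE-domain session against the expected voice
subnet.

Added example, not Cisco IOS code. The session text is copied from the post
(the run-together 'Interface:' / 'MAC Address:' line kept as pasted); the
voice subnet 192.168.32.0/24 is a constructed placeholder for the '.32' range
mentioned in the post.
"""
import ipaddress
import re

# Copied from the post; the first line is glued as the pasted output showed it.
SESSION_TEXT = """\
Interface: GigabitEthernet1/0/10MAC Address: c074.ad17.596b
IPv6 Address: Unknown
IPv4 Address: 192.168.0.160
User-Name: C0-74-AD-17-59-6B
Status: Authorized
Domain: VOICE
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Session Uptime: 103s
Common Session ID: 0AC8D0640000001B14184E8C
Acct Session ID: 0x0000000F
Handle: 0x3E000008
Current Policy: POLICY_Gi1/0/10

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
ACS ACL: xACSACLx-IP-PERMIT_ALL_IPV4_TRAFFIC-57f6b0d3

Method status list:
Method State

dot1x Stopped
mab Authc Success
"""

# Keys that pasted output may run onto the previous line; split before them.
GLUED_KEYS = re.compile(r"(?=MAC Address:)")


def parse_session(text):
    """Return (fields, methods): 'Key: Value' pairs and the method status table."""
    fields, methods = {}, {}
    in_methods = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Method status list"):
            in_methods = True
            continue
        if in_methods:
            if line == "Method State":  # table header row
                continue
            method, _, state = line.partition(" ")
            methods[method] = state
            continue
        for piece in GLUED_KEYS.split(line):
            key, sep, value = piece.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
    return fields, methods


def check_voice_session(fields, methods, voice_subnet):
    """List of findings for a VOICE-domain session; an empty list means consistent."""
    findings = []
    if fields.get("Status") != "Authorized":
        findings.append(f"status is {fields.get('Status')!r}, not Authorized")
    if methods.get("mab") != "Authc Success":
        findings.append(f"mab state is {methods.get('mab')!r}")
    if fields.get("Domain") == "VOICE":
        ip = fields.get("IPv4 Address", "")
        try:
            if ipaddress.ip_address(ip) not in ipaddress.ip_network(voice_subnet):
                findings.append(f"IPv4 {ip} is outside voice subnet {voice_subnet}")
        except ValueError:
            findings.append(f"IPv4 address {ip!r} could not be parsed")
    return findings


if __name__ == "__main__":
    fields, methods = parse_session(SESSION_TEXT)
    for finding in check_voice_session(fields, methods, "192.168.32.0/24"):
        print("finding:", finding)
```

With the posted session the only finding is that 192.168.0.160 lies outside the assumed voice subnet while the Domain is VOICE: the MAB authentication and the Voice Domain Permission are in place, so the address the phone obtained is the thing to chase next (which VLAN the port actually put it in, and which DHCP scope answered).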

Tutu
Level 1

Hello Arne,

I forgot to mention above:

The switch has a VLAN for voice and one for data.
