Fix 5411 Supplicant Stopped Responding to ISE Error

Introduction

When a single endpoint fails with this error, a simple reboot or reauthentication does the trick in most cases. But what if the same problem keeps coming back? There is no single solution that works for every scenario, but there are a few options you can try.


Error Message

Let's have a look at the actual error message first. Depending on your authentication method, the message will look similar to one of the following.

EAP-TLS

Event    5411 Supplicant stopped responding to ISE
Failure Reason    Supplicant stopped responding to ISE after sending it the first EAP-TLS message

EAP-MSCHAPv2

Event    5411 Supplicant stopped responding to ISE
Failure Reason    Supplicant stopped responding to ISE after sending it the first inner EAP-MSCHAPv2 message


Troubleshooting Options

Reauthenticate Endpoint

As already mentioned, the error can occur on individual endpoints from time to time. The fastest fix is to reauthenticate or restart the endpoint. If the error occurs more often, the following steps are for you.

Check Allowed Protocols

Some clients may require TLS 1.0 or a similarly old protocol version, which is not enabled by default; enable such legacy versions only for as long as those clients need them. To check these settings, navigate to Administration -> System -> Settings -> Security Settings.

Client Firewall and Antivirus

Your client's firewall or antivirus could be the problem, especially if you are using authentication timeouts in your ISE policies. For testing purposes you can temporarily disable the firewall or antivirus on an affected client and check whether the problem persists.

MTU Mismatch

The issue could also be caused by an MTU mismatch between your switch and ISE. Try setting it to 1500 and check again. For more information, see the following guide provided by Cisco: EAP Fragmentation Implementations and Behavior.

Certificate Trust Chain

Make sure to provide the full certificate chain to your clients, including the root CA and any subordinate CAs.

Windows GPO

Your Windows GPO for wireless and wired networks also matters. Open your 802.1X GPO and navigate to Security Settings -> Wired Network (802.3) Policies -> Network Profile -> IEEE 802.1X Settings.

Check the following settings and set them accordingly:

Setting                              Value
Maximum Authentication Failures      5
Maximum EAPOL-Start Messages Sent    5
Held Period (seconds)                1
Start Period (seconds)               5
Authentication Period (seconds)      30

The values are suggestions to start with. They may need to be adjusted to fit your environment.


Conclusion

I hope you found this helpful and were able to fix your problem. For further troubleshooting, you can create a port mirror and analyze the network traffic with Wireshark to determine at which point of the EAP exchange the supplicant stops answering.
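The capture analysis suggested in the conclusion and the MTU check from the troubleshooting options, as an added example that is not from the original post or from Cisco: a small Python script that decodes constructed 802.1X/EAP frames, pairs each EAP Request sent by the authenticator with the supplicant's Response of the same Identifier, and reports the Request that was left unanswered, which is the point at which ISE logs event 5411. It also reports the largest Ethernet payload seen against a given link MTU, so a fragment that would not fit the link stands out. The MAC addresses, the identity, the frame sequence and the TLS payload bytes are all constructed for the example (the TLS data is filler, not a real handshake); only untagged Ethernet frames are handled.

```python
# Added example (not from the original post or from Cisco): decode 802.1X/EAP
# frames, find the EAP Request the supplicant never answered and check frame
# sizes against a link MTU. All frames below are constructed test data.
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ETHERTYPE_EAPOL = 0x888E
EAPOL_EAP_PACKET = 0                     # EAPOL packet type carrying an EAP packet
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
EAP_TYPE_TLS = 13
# EAP-TLS flags byte (RFC 5216): L = TLS length present, M = more fragments, S = start
TLS_FLAGS = {0x80: "L", 0x40: "M", 0x20: "S"}


@dataclass
class EapFrame:
    direction: str            # "auth->supp" (authenticator to supplicant) or "supp->auth"
    code: str
    identifier: int
    eap_type: Optional[str]   # None for Success/Failure
    tls_flags: str            # e.g. "LM", "S"; empty for anything but EAP-TLS
    wire_bytes: int           # Ethernet header + EAPOL header + EAP packet


def parse_eapol_frame(direction: str, frame: bytes) -> EapFrame:
    """Parse one untagged Ethernet frame carrying EAPOL/EAP; ValueError if malformed."""
    if len(frame) < 14 + 4 + 4:
        raise ValueError("frame too short for Ethernet + EAPOL + EAP headers")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not an EAPOL frame (ethertype 0x{ethertype:04x})")
    _version, eapol_type, eapol_len = struct.unpack("!BBH", frame[14:18])
    if eapol_type != EAPOL_EAP_PACKET:
        raise ValueError(f"EAPOL type {eapol_type} carries no EAP packet")
    eap = frame[18:18 + eapol_len]
    code, ident, eap_len = struct.unpack("!BBH", eap[:4])
    if eap_len != len(eap) or code not in EAP_CODES:
        raise ValueError("inconsistent EAP header")
    eap_type, flags = None, ""
    if code in (1, 2) and eap_len > 4:                 # Request/Response carry a Type byte
        type_num = eap[4]
        eap_type = EAP_TYPES.get(type_num, f"type {type_num}")
        if type_num == EAP_TYPE_TLS and eap_len > 5:  # PEAP has a similar flags byte, not decoded here
            flags = "".join(name for bit, name in TLS_FLAGS.items() if eap[5] & bit)
    return EapFrame(direction, EAP_CODES[code], ident, eap_type, flags, len(frame))


def parse_capture(capture: List[Tuple[str, bytes]]) -> List[EapFrame]:
    return [parse_eapol_frame(direction, frame) for direction, frame in capture]


def analyze_exchange(frames: List[EapFrame], mtu: int) -> Dict[str, object]:
    """Report unanswered Requests (where the supplicant stopped responding) and MTU fit.

    A retransmitted Request keeps the same Identifier, so it is treated as the same
    pending Request rather than a second unanswered one.
    """
    pending: Optional[EapFrame] = None
    unanswered: List[EapFrame] = []
    for fr in frames:
        if fr.direction == "auth->supp" and fr.code == "Request":
            if pending is not None and pending.identifier != fr.identifier:
                unanswered.append(pending)     # authenticator moved on without an answer
            pending = fr
        elif fr.direction == "supp->auth" and fr.code == "Response":
            if pending is not None and fr.identifier == pending.identifier:
                pending = None
    if pending is not None:
        unanswered.append(pending)             # conversation stalled on this Request
    # The link MTU bounds the Ethernet payload (EAPOL header + EAP); the 14-byte
    # Ethernet header itself does not count against it.
    payloads = [fr.wire_bytes - 14 for fr in frames]
    return {
        "unanswered": [(fr.identifier, fr.eap_type, fr.tls_flags) for fr in unanswered],
        "max_eth_payload": max(payloads, default=0),
        "oversized": sorted({fr.identifier for fr in frames if fr.wire_bytes - 14 > mtu}),
    }


def build_eapol(code: int, ident: int, type_num: Optional[int] = None, type_data: bytes = b"") -> bytes:
    """Construct an untagged Ethernet frame carrying one EAP packet (test data only)."""
    body = b"" if type_num is None else bytes([type_num]) + type_data
    eap = struct.pack("!BBH", code, ident, 4 + len(body)) + body
    eapol = struct.pack("!BBH", 2, EAPOL_EAP_PACKET, len(eap)) + eap      # EAPOL version 2
    dst_pae_group = bytes.fromhex("0180c2000003")                           # 802.1X PAE group address
    src_constructed = bytes.fromhex("020000000001")                         # constructed locally administered MAC
    return dst_pae_group + src_constructed + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


# Constructed capture: Identity exchange, EAP-TLS Start, ClientHello, then the first
# server fragment (L|M flags, 4-byte TLS length, 1400 bytes of filler) which the
# supplicant never acknowledges; the authenticator retransmits it once.
_SERVER_FRAGMENT = bytes([0xC0]) + struct.pack("!I", 4200) + b"\x16\x03\x03" + b"\x00" * 1397
SAMPLE_CAPTURE = [
    ("auth->supp", build_eapol(1, 1, 1)),                                          # Request/Identity
    ("supp->auth", build_eapol(2, 1, 1, b"host/pc01.example.test")),               # Response/Identity
    ("auth->supp", build_eapol(1, 2, EAP_TYPE_TLS, bytes([0x20]))),                # EAP-TLS Start (S)
    ("supp->auth", build_eapol(2, 2, EAP_TYPE_TLS, bytes([0x00]) + b"\x16\x03\x01" + b"\x00" * 200)),
    ("auth->supp", build_eapol(1, 3, EAP_TYPE_TLS, _SERVER_FRAGMENT)),             # first fragment
    ("auth->supp", build_eapol(1, 3, EAP_TYPE_TLS, _SERVER_FRAGMENT)),             # retransmission
]

if __name__ == "__main__":
    decoded = parse_capture(SAMPLE_CAPTURE)
    for link_mtu in (1500, 1400):
        print(f"MTU {link_mtu}:", analyze_exchange(decoded, link_mtu))
```

Run against the constructed capture, the unanswered Request is Identifier 3 with flags LM, i.e. the first fragment of the server's TLS flight, and its 1414-byte Ethernet payload fits a 1500-byte MTU but is flagged as oversized at 1400. On a real capture, export the EAPOL frames from Wireshark and feed them in with the direction taken from the source MAC (the PAE group address as destination marks frames from the authenticator).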