ISE Incident Response Prep: 802.1X Auth Failures
Executive Summary
Current Status: ISE is operating normally. TAC case remains open at S2 for monitoring.
What Happened:
- RabbitMQ messaging service on Primary MNT reached 100%+ CPU
- Caused session logging backlog ("No data available" in Live Logs)
- Primary MNT rebooted 2026-03-12 16:19 per TAC recommendation
- All services restored, replication normalized

What Did NOT Happen:
- Authentication services (PSNs) were NEVER impacted
- Network access was NEVER denied due to this issue
- The ~500 endpoint failures are a separate investigation (auth protocol/certificate issues)
Key Stakeholders
| Name | Title | Interest | Likely Questions |
|---|---|---|---|
| Sarah Clizer | CISO | Security posture, risk | "Is ISE stable? What’s our exposure?" |
| Jonathan Carr | Assoc. Dir. Field Support Services | End-user impact | "Are users still having issues connecting?" |
| Albert Rodriguez | Manager, Collaboration Services | Network stability | "Is ISE causing network problems?" |
Timeline (For Reference)
| Date | Event |
|---|---|
| ~2026-03-05 | Logging anomalies noticed (hindsight - MNT queue building) |
| 2026-03-11 | Authentication failures reported (~500 endpoints) |
| 2026-03-12 | TAC case opened (S1 - medical facility) |
| 2026-03-12 15:08 | TAC identified RabbitMQ CPU spike, recommended reboot |
| 2026-03-12 16:19 | Primary MNT rebooted per TAC |
| 2026-03-12 16:29 | All services confirmed running |
| 2026-03-13+ | Monitoring, case downgraded to S2 |