12934 Supplicant stopped responding to ISE during PEAP tunnel establishment

houxiaobo
Level 1

Authentication Details

Source Timestamp: 2017-11-09 16:44:07.285
Received Timestamp: 2017-11-09 16:44:07.285
Policy Server: ISE-A
Event: 5411 Supplicant stopped responding to ISE
Failure Reason: 12934 Supplicant stopped responding to ISE during PEAP tunnel establishment
Resolution: Verify that supplicant is configured properly to conduct a full EAP conversation with ISE. Verify that NAS is configured properly to transfer EAP messages to/from supplicant. Verify that supplicant or NAS does not have a short timeout for EAP conversation. Check the network that connects the Network Access Server to ISE. Verify that ISE local server certificate is trusted on supplicant.
Root cause: Supplicant stopped responding to ISE during PEAP tunnel establishment

Steps

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
11507 Extracted EAP-Response/Identity
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12319 Successfully negotiated PEAP version 1
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12810 Prepared TLS ServerDone message
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge (Step latency=120003 ms)
12934 Supplicant stopped responding to ISE during PEAP tunnel establishment
5411 Supplicant stopped responding to ISE

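The iPhone keeps dropping off or failing authentication when authenticating through ISE; entering the username and password has no effect.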

3 Replies

paul
Level 10

Not sure what the question is, but Supplicant Stopped responding, Misconfigured Supplicant etc. messages happen all the time in ISE. I shut those alarms off as they are mostly false positives. In your case I would guess your phone is complaining about trusting the ISE cert. Given the fact it looks to be an iPhone and iPhones complain about every cert unless MDM controlled, it probably is normal.

If you are being prompted to accept the cert on the iPhone then accept it and see if you can authenticate correctly.

Thank you for your answer.

I'm debugging on WLC:

*apfMsConnTask_1: Nov 11 15:02:32.448: d0:a6:37:98:ba:55 Processing RSN IE type 48, length 20 for mobile d0:a6:37:98:ba:55

*apfMsConnTask_1: Nov 11 15:02:32.448: d0:a6:37:98:ba:55 Received 802.11i 802.1X key management suite, enabling dot1x Authentication

*apfMsConnTask_1: Nov 11 15:02:32.448: d0:a6:37:98:ba:55 RSN Capabilities:  12

*apfMsConnTask_1: Nov 11 15:02:32.448: d0:a6:37:98:ba:55 Marking Mobile as non-11w Capable

*apfMsConnTask_1: Nov 11 15:02:32.448: d0:a6:37:98:ba:55 Received RSN IE with 0 PMKIDs from mobile d0:a6:37:98:ba:55

*apfMsConnTask_1: Nov 11 15:02:32.448: d0:a6:37:98:ba:55 Setting active key cache index 8 ---> 8

*apfMsConnTask_1: Nov 11 15:02:32.448: d0:a6:37:98:ba:55 unsetting PmkIdValidatedByAp

*apfMsConnTask_1: Nov 11 15:02:32.448: d0:a6:37:98:ba:55 0.0.0.0 8021X_REQD (3) Initializing policy

*apfMsConnTask_1: Nov 11 15:02:32.448: d0:a6:37:98:ba:55 0.0.0.0 8021X_REQD (3) Change state to AUTHCHECK (2) last state 8021X_REQD (3)

*apfMsConnTask_1: Nov 11 15:02:32.448: d0:a6:37:98:ba:55 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state AUTHCHECK (2)

*apfMsConnTask_1: Nov 11 15:02:32.449: d0:a6:37:98:ba:55 Encryption policy is set to 0x80000001

*apfMsConnTask_1: Nov 11 15:02:32.449: d0:a6:37:98:ba:55 Not Using WMM Compliance code qosCap 00

*apfMsConnTask_1: Nov 11 15:02:32.449: d0:a6:37:98:ba:55 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 18:8b:9d:b3:14:30 vapId 1 apVapId 1 flex-acl-name:

*apfMsConnTask_1: Nov 11 15:02:32.449: d0:a6:37:98:ba:55 apfPemAddUser2 (apf_policy.c:359) Changing state for mobile d0:a6:37:98:ba:55 on AP 18:8b:9d:b3:14:30 from Associated to Associated

*apfMsConnTask_1: Nov 11 15:02:32.449: d0:a6:37:98:ba:55 apfPemAddUser2:session timeout forstation d0:a6:37:98:ba:55 - Session Tout 0, apfMsTimeOut '0' and sessionTimerRunning flag is  0

*apfMsConnTask_1: Nov 11 15:02:32.449: d0:a6:37:98:ba:55 Stopping deletion of Mobile Station: (callerId: 48)

*apfMsConnTask_1: Nov 11 15:02:32.449: d0:a6:37:98:ba:55 Func: apfPemAddUser2, Ms Timeout = 0, Session Timeout = 0

*apfMsConnTask_1: Nov 11 15:02:32.449: d0:a6:37:98:ba:55 Sending assoc-resp with status 0 station:d0:a6:37:98:ba:55 AP:18:8b:9d:b3:14:30-01 on apVapId 1

*apfMsConnTask_1: Nov 11 15:02:32.449: d0:a6:37:98:ba:55 Sending Assoc Response to station on BSSID 18:8b:9d:b3:14:3f (status 0) ApVapId 1 Slot 1

*apfMsConnTask_1: Nov 11 15:02:32.449: d0:a6:37:98:ba:55 apfProcessAssocReq (apf_80211.c:10187) Changing state for mobile d0:a6:37:98:ba:55 on AP 18:8b:9d:b3:14:30 from Associated to Associated

*spamApTask5: Nov 11 15:02:32.451: d0:a6:37:98:ba:55 Sent dot1x auth initiate message for mobile d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.451: d0:a6:37:98:ba:55 reauth_sm state transition 0 ---> 0 for mobile d0:a6:37:98:ba:55 at 1x_reauth_sm.c:53

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.451: d0:a6:37:98:ba:55 EAP-PARAM Debug - eap-params for Wlan-Id :1 is disabled - applying Global eap timers and retries

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.451: d0:a6:37:98:ba:55 Disable re-auth, use PMK lifetime.

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.451: d0:a6:37:98:ba:55 dot1x - moving mobile d0:a6:37:98:ba:55 into Connecting state

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.451: d0:a6:37:98:ba:55 Sending EAP-Request/Identity to mobile d0:a6:37:98:ba:55 (EAP Id 1)

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.472: d0:a6:37:98:ba:55 Received EAPOL EAPPKT from mobile d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.472: d0:a6:37:98:ba:55 Received Identity Response (count=1) from mobile d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.472: d0:a6:37:98:ba:55 Resetting reauth count 1 to 0 for mobile d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.472: d0:a6:37:98:ba:55 EAP State update from Connecting to Authenticating for mobile d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.472: d0:a6:37:98:ba:55 dot1x - moving mobile d0:a6:37:98:ba:55 into Authenticating state

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.472: d0:a6:37:98:ba:55 Entering Backend Auth Response state for mobile d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.476: d0:a6:37:98:ba:55 Processing Access-Challenge for mobile d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.476: d0:a6:37:98:ba:55 Entering Backend Auth Req state (id=182) for mobile d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.476: d0:a6:37:98:ba:55 WARNING: updated EAP-Identifier 1 ===> 182 for STA d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.476: d0:a6:37:98:ba:55 Sending EAP Request from AAA to mobile d0:a6:37:98:ba:55 (EAP Id 182)

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.476: d0:a6:37:98:ba:55 Reusing allocated memory for  EAP Pkt for retransmission to mobile d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.483: d0:a6:37:98:ba:55 Received EAPOL EAPPKT from mobile d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.483: d0:a6:37:98:ba:55 Received EAP Response from mobile d0:a6:37:98:ba:55 (EAP Id 182, EAP Type 3)

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.483: d0:a6:37:98:ba:55 Resetting reauth count 0 to 0 for mobile d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.483: d0:a6:37:98:ba:55 Entering Backend Auth Response state for mobile d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.484: d0:a6:37:98:ba:55 Processing Access-Challenge for mobile d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.484: d0:a6:37:98:ba:55 Entering Backend Auth Req state (id=183) for mobile d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.484: d0:a6:37:98:ba:55 Sending EAP Request from AAA to mobile d0:a6:37:98:ba:55 (EAP Id 183)

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.484: d0:a6:37:98:ba:55 Reusing allocated memory for  EAP Pkt for retransmission to mobile d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.506: d0:a6:37:98:ba:55 Received EAPOL EAPPKT from mobile d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.506: d0:a6:37:98:ba:55 Received EAP Response from mobile d0:a6:37:98:ba:55 (EAP Id 183, EAP Type 25)

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.506: d0:a6:37:98:ba:55 Resetting reauth count 0 to 0 for mobile d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.506: d0:a6:37:98:ba:55 Entering Backend Auth Response state for mobile d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.508: d0:a6:37:98:ba:55 Processing Access-Challenge for mobile d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.508: d0:a6:37:98:ba:55 Entering Backend Auth Req state (id=184) for mobile d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.508: d0:a6:37:98:ba:55 Sending EAP Request from AAA to mobile d0:a6:37:98:ba:55 (EAP Id 184)

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.508: d0:a6:37:98:ba:55 Reusing allocated memory for  EAP Pkt for retransmission to mobile d0:a6:37:98:ba:55

*osapiBsnTimer: Nov 11 15:03:02.506: d0:a6:37:98:ba:55 802.1x 'timeoutEvt' Timer expired for station d0:a6:37:98:ba:55 and for message = M0

*Dot1x_NW_MsgTask_5: Nov 11 15:03:02.506: d0:a6:37:98:ba:55 Retransmit 1 of EAP-Request (length 660) for mobile d0:a6:37:98:ba:55

*osapiBsnTimer: Nov 11 15:03:32.506: d0:a6:37:98:ba:55 802.1x 'timeoutEvt' Timer expired for station d0:a6:37:98:ba:55 and for message = M0

*Dot1x_NW_MsgTask_5: Nov 11 15:03:32.506: d0:a6:37:98:ba:55 Retransmit 2 of EAP-Request (length 660) for mobile d0:a6:37:98:ba:55

*osapiBsnTimer: Nov 11 15:04:02.506: d0:a6:37:98:ba:55 802.1x 'timeoutEvt' Timer expired for station d0:a6:37:98:ba:55 and for message = M0

*Dot1x_NW_MsgTask_5: Nov 11 15:04:02.506: d0:a6:37:98:ba:55 Retransmit failure for EAP-Request to mobile d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:04:02.506: d0:a6:37:98:ba:55 Sent Deauthenticate to mobile on BSSID 18:8b:9d:b3:14:3f slot 1(caller 1x_ptsm.c:602)

*Dot1x_NW_MsgTask_5: Nov 11 15:04:02.506: d0:a6:37:98:ba:55 Setting active key cache index 8 ---> 8

*Dot1x_NW_MsgTask_5: Nov 11 15:04:02.506: d0:a6:37:98:ba:55 Deleting the PMK cache when de-authenticating the client.

*Dot1x_NW_MsgTask_5: Nov 11 15:04:02.506: d0:a6:37:98:ba:55 Global PMK Cache deletion failed.

*Dot1x_NW_MsgTask_5: Nov 11 15:04:02.506: d0:a6:37:98:ba:55 Scheduling deletion of Mobile Station:  (callerId: 57) in 10 seconds

*Dot1x_NW_MsgTask_5: Nov 11 15:04:02.506: d0:a6:37:98:ba:55 Freeing EAP Retransmit Bufer for mobile d0:a6:37:98:ba:55

*osapiBsnTimer: Nov 11 15:04:12.506: d0:a6:37:98:ba:55 apfMsExpireCallback (apf_ms.c:637) Expiring Mobile!

*apfReceiveTask: Nov 11 15:04:12.506: d0:a6:37:98:ba:55 apfMsExpireMobileStation (apf_ms.c:7209) Changing state for mobile d0:a6:37:98:ba:55 on AP 18:8b:9d:b3:14:30 from Associated to Disassociated

*apfReceiveTask: Nov 11 15:04:12.506: d0:a6:37:98:ba:55 Scheduling deletion of Mobile Station:  (callerId: 45) in 10 seconds

*osapiBsnTimer: Nov 11 15:04:22.506: d0:a6:37:98:ba:55 apfMsExpireCallback (apf_ms.c:637) Expiring Mobile!

*apfReceiveTask: Nov 11 15:04:22.506: d0:a6:37:98:ba:55 apfMsAssoStateDec

*apfReceiveTask: Nov 11 15:04:22.506: d0:a6:37:98:ba:55 apfMsExpireMobileStation (apf_ms.c:7344) Changing state for mobile d0:a6:37:98:ba:55 on AP 18:8b:9d:b3:14:30 from Disassociated to Idle

*apfReceiveTask: Nov 11 15:04:22.506: d0:a6:37:98:ba:55 pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.

*apfReceiveTask: Nov 11 15:04:22.506: d0:a6:37:98:ba:55 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [18:8b:9d:b3:14:30]

*apfReceiveTask: Nov 11 15:04:22.506: d0:a6:37:98:ba:55 Deleting mobile on AP 18:8b:9d:b3:14:30(1)
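
An added example (not part of the thread and not Cisco code): a small Python parser for WLC debug output in the format posted above that reports which EAP request the client never answered before the controller gave up. The function and field names are this example's own; the sample lines are copied from the debug above.

```python
import re
from datetime import datetime

# Excerpt copied from the WLC debug above (EAP Id 184 is the request that goes unanswered).
SAMPLE = """\
*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.506: d0:a6:37:98:ba:55 Received EAP Response from mobile d0:a6:37:98:ba:55 (EAP Id 183, EAP Type 25)
*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.508: d0:a6:37:98:ba:55 Sending EAP Request from AAA to mobile d0:a6:37:98:ba:55 (EAP Id 184)
*osapiBsnTimer: Nov 11 15:03:02.506: d0:a6:37:98:ba:55 802.1x 'timeoutEvt' Timer expired for station d0:a6:37:98:ba:55 and for message = M0
*Dot1x_NW_MsgTask_5: Nov 11 15:03:02.506: d0:a6:37:98:ba:55 Retransmit 1 of EAP-Request (length 660) for mobile d0:a6:37:98:ba:55
*Dot1x_NW_MsgTask_5: Nov 11 15:03:32.506: d0:a6:37:98:ba:55 Retransmit 2 of EAP-Request (length 660) for mobile d0:a6:37:98:ba:55
*Dot1x_NW_MsgTask_5: Nov 11 15:04:02.506: d0:a6:37:98:ba:55 Retransmit failure for EAP-Request to mobile d0:a6:37:98:ba:55
"""

EAP_TYPES = {1: "Identity", 3: "Legacy Nak", 13: "EAP-TLS", 25: "PEAP"}  # IANA EAP method numbers
LINE = re.compile(r"^\*\S+: (\w{3} +\d+ [\d:.]+): ((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (.*)$")
SENT = re.compile(r"Sending EAP Request from AAA to mobile \S+ \(EAP Id (\d+)\)")
RESP = re.compile(r"Received EAP Response from mobile \S+ \(EAP Id (\d+), EAP Type (\d+)\)")
RETX = re.compile(r"Retransmit (\d+) of EAP-Request \(length (\d+)\)")

def find_eap_stalls(text):
    """Return one finding per 'Retransmit failure': the request the client never answered."""
    state, findings = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        # The debug carries no year; a fixed one is prepended because only time deltas are used.
        ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S.%f")
        mac, msg = m.group(2), m.group(3)
        st = state.setdefault(mac, {"pending": None, "sent": None, "method": None, "retx": 0, "length": None})
        if (s := SENT.search(msg)):
            st.update(pending=int(s.group(1)), sent=ts, retx=0, length=None)
        elif (r := RESP.search(msg)):
            st["method"] = int(r.group(2))          # EAP method of the client's last reply
            if int(r.group(1)) == st["pending"]:
                st["pending"] = None                # request was answered
        elif (x := RETX.search(msg)):
            st["retx"], st["length"] = int(x.group(1)), int(x.group(2))
        elif "Retransmit failure for EAP-Request" in msg and st["pending"] is not None:
            findings.append({
                "client": mac, "unanswered_eap_id": st["pending"],
                "last_method": EAP_TYPES.get(st["method"], str(st["method"])),
                "retransmits": st["retx"], "request_length": st["length"],
                "waited_s": round((ts - st["sent"]).total_seconds()),
            })
    return findings
```

Run `find_eap_stalls()` over a full debug capture to see, per client MAC, the EAP Id and size of the request that went unanswered and the EAP method of the client's last reply.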

hslai
Cisco Employee

From your screenshot, it seems to be about CSCua97013, which is actually how Apple iOS works and provides a warning to the end users that it sees the certificate of the ISE EAP certificate for the first time.

If that is not what you are asking, please engage Cisco TAC for help.