cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

16860
Views
0
Helpful
3
Replies
Highlighted
Beginner

12934 Supplicant stopped responding to ISE during PEAP tunnel establishment

Authentication Details

Source Timestamp2017-11-09 16:44:07.285
Received Timestamp2017-11-09 16:44:07.285
Policy ServerISE-A
Event5411 Supplicant stopped responding to ISE
Failure Reason12934 Supplicant stopped responding to ISE during PEAP tunnel establishment
ResolutionVerify that supplicant is configured properly to conduct a full EAP conversation with ISE. Verify that NAS is configured properly to transfer EAP messages to/from supplicant. Verify that supplicant or NAS does not have a short timeout for EAP conversation. Check the network that connects the Network Access Server to ISE. Verify that ISE local server certificate is trusted on supplicant.
Root causeSupplicant stopped responding to ISE during PEAP tunnel establishment

Steps

11001Received RADIUS Access-Request
11017RADIUS created a new session
15049Evaluating Policy Group
15008Evaluating Service Selection Policy
15048Queried PIP
15048Queried PIP 15048Queried PIP
15048Queried PIP
15004Matched rule
11507Extracted EAP-Response/Identity
12300Prepared EAP-Request proposing PEAP with challenge
11006Returned RADIUS Access-Challenge
11001Received RADIUS Access-Request
11018RADIUS is re-using an existing session
12302Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12319Successfully negotiated PEAP version 1
12800Extracted first TLS record; TLS handshake started
12805Extracted TLS ClientHello message
12806Prepared TLS ServerHello message
12807Prepared TLS Certificate message
12810Prepared TLS ServerDone message
12305Prepared EAP-Request with another PEAP challenge
11006Returned RADIUS Access-Challenge( Step latency=120003 ms)
12934Supplicant stopped responding to ISE during PEAP tunnel establishment
5411Supplicant stopped responding to ISE

iPhone通过ise认证一直掉线或认证不过,输入用户名密码无效。

3 REPLIES 3
Highlighted
VIP Advocate

Re: 12934 Supplicant stopped responding to ISE during PEAP tunnel establishment

Not sure what the question is, but Supplicant Stopped responding, Misconfigured Supplicant etc. messages happen all the time in ISE.  I shut those alarms off as they are mostly false positives.  In your case I would guess your phone is complaining about trusting the ISE cert.  Given the fact it looks to be an iPhone and iPhones complain about every cert unless MDM controlled it probably is normal. 

If you are being prompted to accept the cert on the iPhone then accept it and see if you can authenticate correctly.

Highlighted
Beginner

Re: 12934 Supplicant stopped responding to ISE during PEAP tunnel establishment

Thank you for your answer。

I'm debugging on WLC,

*apfMsConnTask_1: Nov 11 15:02:32.448: d0:a6:37:98:ba:55 Processing RSN IE type 48, length 20 for mobile d0:a6:37:98:ba:55

*apfMsConnTask_1: Nov 11 15:02:32.448: d0:a6:37:98:ba:55 Received 802.11i 802.1X key management suite, enabling dot1x Authentication

*apfMsConnTask_1: Nov 11 15:02:32.448: d0:a6:37:98:ba:55 RSN Capabilities:  12

*apfMsConnTask_1: Nov 11 15:02:32.448: d0:a6:37:98:ba:55 Marking Mobile as non-11w Capable

*apfMsConnTask_1: Nov 11 15:02:32.448: d0:a6:37:98:ba:55 Received RSN IE with 0 PMKIDs from mobile d0:a6:37:98:ba:55

*apfMsConnTask_1: Nov 11 15:02:32.448: d0:a6:37:98:ba:55 Setting active key cache index 8 ---> 8

*apfMsConnTask_1: Nov 11 15:02:32.448: d0:a6:37:98:ba:55 unsetting PmkIdValidatedByAp

*apfMsConnTask_1: Nov 11 15:02:32.448: d0:a6:37:98:ba:55 0.0.0.0 8021X_REQD (3) Initializing policy

*apfMsConnTask_1: Nov 11 15:02:32.448: d0:a6:37:98:ba:55 0.0.0.0 8021X_REQD (3) Change state to AUTHCHECK (2) last state 8021X_REQD (3)

*apfMsConnTask_1: Nov 11 15:02:32.448: d0:a6:37:98:ba:55 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state AUTHCHECK (2)

*apfMsConnTask_1: Nov 11 15:02:32.449: d0:a6:37:98:ba:55 Encryption policy is set to 0x80000001

*apfMsConnTask_1: Nov 11 15:02:32.449: d0:a6:37:98:ba:55 Not Using WMM Compliance code qosCap 00

*apfMsConnTask_1: Nov 11 15:02:32.449: d0:a6:37:98:ba:55 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 18:8b:9d:b3:14:30 vapId 1 apVapId 1 flex-acl-name:

*apfMsConnTask_1: Nov 11 15:02:32.449: d0:a6:37:98:ba:55 apfPemAddUser2 (apf_policy.c:359) Changing state for mobile d0:a6:37:98:ba:55 on AP 18:8b:9d:b3:14:30 from Associated to Associated

*apfMsConnTask_1: Nov 11 15:02:32.449: d0:a6:37:98:ba:55 apfPemAddUser2:session timeout forstation d0:a6:37:98:ba:55 - Session Tout 0, apfMsTimeOut '0' and sessionTimerRunning flag is  0

*apfMsConnTask_1: Nov 11 15:02:32.449: d0:a6:37:98:ba:55 Stopping deletion of Mobile Station: (callerId: 48)

*apfMsConnTask_1: Nov 11 15:02:32.449: d0:a6:37:98:ba:55 Func: apfPemAddUser2, Ms Timeout = 0, Session Timeout = 0

*apfMsConnTask_1: Nov 11 15:02:32.449: d0:a6:37:98:ba:55 Sending assoc-resp with status 0 station:d0:a6:37:98:ba:55 AP:18:8b:9d:b3:14:30-01 on apVapId 1

*apfMsConnTask_1: Nov 11 15:02:32.449: d0:a6:37:98:ba:55 Sending Assoc Response to station on BSSID 18:8b:9d:b3:14:3f (status 0) ApVapId 1 Slot 1

*apfMsConnTask_1: Nov 11 15:02:32.449: d0:a6:37:98:ba:55 apfProcessAssocReq (apf_80211.c:10187) Changing state for mobile d0:a6:37:98:ba:55 on AP 18:8b:9d:b3:14:30 from Associated to Associated

*spamApTask5: Nov 11 15:02:32.451: d0:a6:37:98:ba:55 Sent dot1x auth initiate message for mobile d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.451: d0:a6:37:98:ba:55 reauth_sm state transition 0 ---> 0 for mobile d0:a6:37:98:ba:55 at 1x_reauth_sm.c:53

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.451: d0:a6:37:98:ba:55 EAP-PARAM Debug - eap-params for Wlan-Id :1 is disabled - applying Global eap timers and retries

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.451: d0:a6:37:98:ba:55 Disable re-auth, use PMK lifetime.

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.451: d0:a6:37:98:ba:55 dot1x - moving mobile d0:a6:37:98:ba:55 into Connecting state

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.451: d0:a6:37:98:ba:55 Sending EAP-Request/Identity to mobile d0:a6:37:98:ba:55 (EAP Id 1)

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.472: d0:a6:37:98:ba:55 Received EAPOL EAPPKT from mobile d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.472: d0:a6:37:98:ba:55 Received Identity Response (count=1) from mobile d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.472: d0:a6:37:98:ba:55 Resetting reauth count 1 to 0 for mobile d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.472: d0:a6:37:98:ba:55 EAP State update from Connecting to Authenticating for mobile d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.472: d0:a6:37:98:ba:55 dot1x - moving mobile d0:a6:37:98:ba:55 into Authenticating state

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.472: d0:a6:37:98:ba:55 Entering Backend Auth Response state for mobile d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.476: d0:a6:37:98:ba:55 Processing Access-Challenge for mobile d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.476: d0:a6:37:98:ba:55 Entering Backend Auth Req state (id=182) for mobile d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.476: d0:a6:37:98:ba:55 WARNING: updated EAP-Identifier 1 ===> 182 for STA d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.476: d0:a6:37:98:ba:55 Sending EAP Request from AAA to mobile d0:a6:37:98:ba:55 (EAP Id 182)

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.476: d0:a6:37:98:ba:55 Reusing allocated memory for  EAP Pkt for retransmission to mobile d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.483: d0:a6:37:98:ba:55 Received EAPOL EAPPKT from mobile d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.483: d0:a6:37:98:ba:55 Received EAP Response from mobile d0:a6:37:98:ba:55 (EAP Id 182, EAP Type 3)

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.483: d0:a6:37:98:ba:55 Resetting reauth count 0 to 0 for mobile d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.483: d0:a6:37:98:ba:55 Entering Backend Auth Response state for mobile d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.484: d0:a6:37:98:ba:55 Processing Access-Challenge for mobile d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.484: d0:a6:37:98:ba:55 Entering Backend Auth Req state (id=183) for mobile d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.484: d0:a6:37:98:ba:55 Sending EAP Request from AAA to mobile d0:a6:37:98:ba:55 (EAP Id 183)

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.484: d0:a6:37:98:ba:55 Reusing allocated memory for  EAP Pkt for retransmission to mobile d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.506: d0:a6:37:98:ba:55 Received EAPOL EAPPKT from mobile d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.506: d0:a6:37:98:ba:55 Received EAP Response from mobile d0:a6:37:98:ba:55 (EAP Id 183, EAP Type 25)

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.506: d0:a6:37:98:ba:55 Resetting reauth count 0 to 0 for mobile d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.506: d0:a6:37:98:ba:55 Entering Backend Auth Response state for mobile d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.508: d0:a6:37:98:ba:55 Processing Access-Challenge for mobile d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.508: d0:a6:37:98:ba:55 Entering Backend Auth Req state (id=184) for mobile d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.508: d0:a6:37:98:ba:55 Sending EAP Request from AAA to mobile d0:a6:37:98:ba:55 (EAP Id 184)

*Dot1x_NW_MsgTask_5: Nov 11 15:02:32.508: d0:a6:37:98:ba:55 Reusing allocated memory for  EAP Pkt for retransmission to mobile d0:a6:37:98:ba:55

*osapiBsnTimer: Nov 11 15:03:02.506: d0:a6:37:98:ba:55 802.1x 'timeoutEvt' Timer expired for station d0:a6:37:98:ba:55 and for message = M0

*Dot1x_NW_MsgTask_5: Nov 11 15:03:02.506: d0:a6:37:98:ba:55 Retransmit 1 of EAP-Request (length 660) for mobile d0:a6:37:98:ba:55

*osapiBsnTimer: Nov 11 15:03:32.506: d0:a6:37:98:ba:55 802.1x 'timeoutEvt' Timer expired for station d0:a6:37:98:ba:55 and for message = M0

*Dot1x_NW_MsgTask_5: Nov 11 15:03:32.506: d0:a6:37:98:ba:55 Retransmit 2 of EAP-Request (length 660) for mobile d0:a6:37:98:ba:55

*osapiBsnTimer: Nov 11 15:04:02.506: d0:a6:37:98:ba:55 802.1x 'timeoutEvt' Timer expired for station d0:a6:37:98:ba:55 and for message = M0

*Dot1x_NW_MsgTask_5: Nov 11 15:04:02.506: d0:a6:37:98:ba:55 Retransmit failure for EAP-Request to mobile d0:a6:37:98:ba:55

*Dot1x_NW_MsgTask_5: Nov 11 15:04:02.506: d0:a6:37:98:ba:55 Sent Deauthenticate to mobile on BSSID 18:8b:9d:b3:14:3f slot 1(caller 1x_ptsm.c:602)

*Dot1x_NW_MsgTask_5: Nov 11 15:04:02.506: d0:a6:37:98:ba:55 Setting active key cache index 8 ---> 8

*Dot1x_NW_MsgTask_5: Nov 11 15:04:02.506: d0:a6:37:98:ba:55 Deleting the PMK cache when de-authenticating the client.

*Dot1x_NW_MsgTask_5: Nov 11 15:04:02.506: d0:a6:37:98:ba:55 Global PMK Cache deletion failed.

*Dot1x_NW_MsgTask_5: Nov 11 15:04:02.506: d0:a6:37:98:ba:55 Scheduling deletion of Mobile Station:  (callerId: 57) in 10 seconds

*Dot1x_NW_MsgTask_5: Nov 11 15:04:02.506: d0:a6:37:98:ba:55 Freeing EAP Retransmit Bufer for mobile d0:a6:37:98:ba:55

*osapiBsnTimer: Nov 11 15:04:12.506: d0:a6:37:98:ba:55 apfMsExpireCallback (apf_ms.c:637) Expiring Mobile!

*apfReceiveTask: Nov 11 15:04:12.506: d0:a6:37:98:ba:55 apfMsExpireMobileStation (apf_ms.c:7209) Changing state for mobile d0:a6:37:98:ba:55 on AP 18:8b:9d:b3:14:30 from Associated to Disassociated

*apfReceiveTask: Nov 11 15:04:12.506: d0:a6:37:98:ba:55 Scheduling deletion of Mobile Station:  (callerId: 45) in 10 seconds

*osapiBsnTimer: Nov 11 15:04:22.506: d0:a6:37:98:ba:55 apfMsExpireCallback (apf_ms.c:637) Expiring Mobile!

*apfReceiveTask: Nov 11 15:04:22.506: d0:a6:37:98:ba:55 apfMsAssoStateDec

*apfReceiveTask: Nov 11 15:04:22.506: d0:a6:37:98:ba:55 apfMsExpireMobileStation (apf_ms.c:7344) Changing state for mobile d0:a6:37:98:ba:55 on AP 18:8b:9d:b3:14:30 from Disassociated to Idle

*apfReceiveTask: Nov 11 15:04:22.506: d0:a6:37:98:ba:55 pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.

*apfReceiveTask: Nov 11 15:04:22.506: d0:a6:37:98:ba:55 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [18:8b:9d:b3:14:30]

*apfReceiveTask: Nov 11 15:04:22.506: d0:a6:37:98:ba:55 Deleting mobile on AP 18:8b:9d:b3:14:30(1)

Highlighted
Cisco Employee

Re: 12934 Supplicant stopped responding to ISE during PEAP tunnel establishment

From your screenshot, it seems about CSCua97013, which is actually how Apple iOS works and provides a warning to the end users that it sees the certificate of the ISE EAP certificate for the first time.

If that is not what you asking, please engage Cisco TAC for help.