
12934 Supplicant stopped responding to ISE during PEAP tunnel establishment, after a successful session

Hi 

I have my clients connecting via PEAP sessions, but a few weeks ago my clients started to fail authentication randomly during the day. If I look at the logs, I see the client authenticate successfully via PEAP (EAP-MSCHAPv2), but then a few hours later the client gets locked out with the "12934 Supplicant stopped responding to ISE during PEAP tunnel establishment" error, and only when the client disconnects from wired and then reconnects does the client authenticate successfully. This happens to all my wired clients. Note that I have a firewall between the client and ISE, and I only allow the Cisco switch to talk to ISE, which I believe is correct. Is there something wrong with the IBNS 2 configuration, or can it be the clients that are causing this issue?

 

12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
12934 Supplicant stopped responding to ISE during PEAP tunnel establishment (Step latency=120000 ms)
61025 Open secure connection with TLS peer
5411 Supplicant stopped responding to ISE

 

Accepted Solution

Panos Bouras
Level 1

Hi,

You're correct regarding how authentication works: the switch acts as a "proxy" between the supplicant and ISE. Review your firewall logs for any indication of blocked communication between the switch and ISE.
The best way to troubleshoot this is to look at client logs, either AnyConnect DART or Windows logs.
You can always try to get a packet capture and review it. If the issue affects specific clients, you can SPAN their port and capture 802.1X traffic, then check the ISE certificate at server hello and any responses from the client.

Thank you, Panos.
Please Rate Posts (by clicking on Star) and/or Mark Solutions as Accepted, when applies
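
One way to review the 802.1X capture suggested in the accepted solution, as an added example that is not part of the original thread: it walks EAPOL frames and reports each EAP-Request the supplicant never answered, which is the condition ISE logs as 12934. The frames, MAC address and timings are constructed, and the function names are hypothetical.

```python
import struct

EAP_PEAP = 25  # EAP method type for PEAP (1 is Identity)

def parse_eapol(frame):
    """Return (code, id, eap_type, peap_flags) for an EAPOL EAP-Packet, else None."""
    if len(frame) < 22 or frame[12:14] != b"\x88\x8e" or frame[15] != 0:
        return None  # not EAPOL, or EAPOL-Start/Logoff/Key rather than EAP-Packet
    code, ident, length = struct.unpack("!BBH", frame[18:22])
    eap_type = frame[22] if code in (1, 2) and length > 4 and len(frame) > 22 else None
    flags = frame[23] if eap_type == EAP_PEAP and len(frame) > 23 else None
    return code, ident, eap_type, flags

def find_stalls(capture):
    """capture: time-ordered (seconds, frame) pairs. Returns unanswered EAP-Requests."""
    stalls, pending = [], None
    for ts, frame in capture:
        parsed = parse_eapol(frame)
        if parsed is None:
            continue
        code, ident, eap_type, flags = parsed
        if code == 1 and pending and pending["id"] == ident:
            pending["sent"] += 1                       # same identifier: retransmission
            pending["waited"] = ts - pending["first"]
        elif code == 2 and pending and pending["id"] == ident:
            pending = None                             # supplicant answered
        elif code in (1, 3, 4):                        # new Request, Success or Failure
            if pending:
                stalls.append(pending)                 # previous request was never answered
            pending = None
            if code == 1:
                pending = {"id": ident, "type": eap_type, "flags": flags,
                           "first": ts, "sent": 1, "waited": 0.0}
    if pending:
        stalls.append(pending)
    return stalls

def make_frame(code, ident, eap_type=None, flags=None):
    """Build a constructed EAPOL frame: PAE group destination, made-up source MAC."""
    body = bytes(b for b in (eap_type, flags) if b is not None)
    eap = struct.pack("!BBH", code, ident, 4 + len(body)) + body
    header = bytes.fromhex("0180c2000003" "020000000001" "888e" "0100")
    return header + struct.pack("!H", len(eap)) + eap

# Constructed capture (flags: 0x20 Start, 0x80 Length, 0x40 More): request id 4 is never answered.
SAMPLE = [(t, make_frame(*args)) for t, args in [
    (0.0, (1, 1, 1)), (0.1, (2, 1, 1)), (0.2, (1, 2, 25, 0x20)), (0.3, (2, 2, 25, 0x80)),
    (0.4, (1, 3, 25, 0xC0)), (0.5, (2, 3, 25, 0x00)),
    (1.0, (1, 4, 25, 0x00)), (31.0, (1, 4, 25, 0x00)), (61.0, (1, 4, 25, 0x00))]]
```

Calling `find_stalls(SAMPLE)` returns one entry for identifier 4, showing a PEAP request sent three times with no response; on a real capture the same output tells you which side of the exchange went silent.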


3 Replies

pnowikow
Level 1

I have this same issue with some of my clients, but it's intermittent. Would you mind sharing the switch model, IOS version and ISE versions (include patch levels) with me? Are you using IP device tracking? Also, what does your port-level config look like? What is the latency between the PC/endpoint and your ISE nodes?


Thanks,

Pete

Hi,

This is a problem at the client side. You can use the DART tool to generate NAM logs, if you use AnyConnect NAM. Otherwise, look at Windows Event Viewer.

Most of these issues get fixed with a network driver upgrade, from my experience.

**** please remember to rate useful posts
