Solved: “5411 Supplicant stopped responding to ISE". Use EAP-TLS for authentication method and the root CA ...

TerryLaw86466 · ‎05-12-2020

The background is the end devices PC would like to use EAP-TLS for authentication method and the root CA is window CA.

However the ISE live log show “5411 Supplicant stopped responding to ISE”.

Below as the ISE live log.

Switch config:

aaa group server radius gp-ISE
server name ISE
!
aaa group server tacacs+ group-ts-ISE
server name ts-ISE
!
aaa authentication login default group group-ts-ISE local
aaa authentication enable default group group-ts-ISE enable
aaa authentication dot1x default group gp-ISE
aaa authorization exec default group group-ts-ISE local
aaa authorization commands 0 default group group-ts-ISE local
aaa authorization commands 1 default group group-ts-ISE local
aaa authorization network default group gp-ISE
aaa accounting auth-proxy default start-stop group gp-ISE
aaa accounting dot1x default start-stop group gp-ISE
aaa accounting exec default start-stop group group-ts-ISE
aaa accounting commands 0 default stop-only group group-ts-ISE
aaa accounting commands 1 default stop-only group group-ts-ISE
aaa accounting commands 15 default start-stop group group-ts-ISE
!

aaa server radius dynamic-author
client 192.168.100.240 server-key 7 xxxxxxxxxxxxxxxxxxx

server-key 7 xxxxxxxxxxxxxxxxx
!
aaa session-id common

!

dot1x system-auth-control
dot1x critical eapol
errdisable recovery cause bpduguard
errdisable recovery cause loopback
errdisable recovery interval 180
license boot level ipservicesk9
diagnostic bootup level minimal
!

interface GigabitEthernet1/0/1
switchport access vlan 100
switchport mode access
ip arp inspection limit rate 100
authentication event fail action next-method
authentication open
authentication order dot1x
authentication priority dot1x
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
!

ip radius source-interface Vlan100
ip sla enable reaction-alerts
logging history size 50
logging history debugging
logging origin-id ip
logging facility local2
logging source-interface Vlan100
logging host 192.168.100.240

!

!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
!
radius server ISE
address ipv4 192.168.100.240 auth-port 1645 acct-port 1646
key 7 xxxxxxxxxxxxxxxx
!
!

Any hits for this issues?

Greg Gibbs · ‎05-12-2020

See a similar community post here

This is typically an issue with the client supplicant and/or certificate trust chain.

I've also seen this issue caused by fragmentation due to an MTU mismatch somewhere between the switch and PSN. If your switch MTU is set to jumbo, try setting it to 1500 and testing again. See the document EAP Fragmentation Implementations and Behavior for more info.

You might also want to do a packet capture on the client to see the full EAP conversation and open a TAC case if all else fails.

View solution in original post

Arne Bier · ‎05-12-2020

Basic checks

It appears that your supplicant is performing Machine Authentication - is it configured for certificate authentication (or user authentication), and does your machine have a machine certificate?

if the above is all good (i.e. you r supplicant is configured for Machine Auth and you have a machine cert) then:

In your ISE Wired 802.1X Policy Set Overall Condition, did you include "Allow Protocols EAP-TLS"?

If your Windows Clients are using TLS 1.0 or TLS 1.1, did you allow this under Admin > System > Settings Security Settings?

View solution in original post

pnowikow · ‎03-10-2021

ISE teammates,

Ok, so after months of working on this issue with "Supplicant Stopped Responding..." errors, I've determined that by updating the Wired AutoConfig GPO we use to include these settings, we got the endpoints connected and authorized as expected. Out of the box Windows 10 tries once to connect to a Cisco switch via PEAP before giving up and waiting 20 minutes. Here's the GPO settings we're using. We opted for public CA certs because I was tired of fooling around with our internal CA.

Hope it helps someone,

View solution in original post

Greg Gibbs · ‎05-12-2020

See a similar community post here

This is typically an issue with the client supplicant and/or certificate trust chain.

I've also seen this issue caused by fragmentation due to an MTU mismatch somewhere between the switch and PSN. If your switch MTU is set to jumbo, try setting it to 1500 and testing again. See the document EAP Fragmentation Implementations and Behavior for more info.

You might also want to do a packet capture on the client to see the full EAP conversation and open a TAC case if all else fails.

Arne Bier · ‎05-12-2020

Basic checks

It appears that your supplicant is performing Machine Authentication - is it configured for certificate authentication (or user authentication), and does your machine have a machine certificate?

if the above is all good (i.e. you r supplicant is configured for Machine Auth and you have a machine cert) then:

In your ISE Wired 802.1X Policy Set Overall Condition, did you include "Allow Protocols EAP-TLS"?

If your Windows Clients are using TLS 1.0 or TLS 1.1, did you allow this under Admin > System > Settings Security Settings?

TerryLaw86466 · ‎05-17-2020

"Allow Protocols EAP-TLS" already enabled in Policy Set in ISE.

And the client cert. and root cert. already imported to client PC.

"certificate authentication (or user authentication)"already configure at network adapter of client PC.

Added partial config. of the switch relayed to authenticate configuration. is it possible it caused by switch configuration issues?

Switch config:

aaa group server radius gp-ISE
server name ISE
!
aaa group server tacacs+ group-ts-ISE
server name ts-ISE
!
aaa authentication login default group group-ts-ISE local
aaa authentication enable default group group-ts-ISE enable
aaa authentication dot1x default group gp-ISE
aaa authorization exec default group group-ts-ISE local
aaa authorization commands 0 default group group-ts-ISE local
aaa authorization commands 1 default group group-ts-ISE local
aaa authorization network default group gp-ISE
aaa accounting auth-proxy default start-stop group gp-ISE
aaa accounting dot1x default start-stop group gp-ISE
aaa accounting exec default start-stop group group-ts-ISE
aaa accounting commands 0 default stop-only group group-ts-ISE
aaa accounting commands 1 default stop-only group group-ts-ISE
aaa accounting commands 15 default start-stop group group-ts-ISE
!

aaa server radius dynamic-author
client 192.168.100.240 server-key 7 xxxxxxxxxxxxxxxxxxx

server-key 7 xxxxxxxxxxxxxxxxx
!
aaa session-id common

!

dot1x system-auth-control
dot1x critical eapol
errdisable recovery cause bpduguard
errdisable recovery cause loopback
errdisable recovery interval 180
license boot level ipservicesk9
diagnostic bootup level minimal
!

interface GigabitEthernet1/0/1
switchport access vlan 100
switchport mode access
ip arp inspection limit rate 100
authentication event fail action next-method
authentication open
authentication order dot1x
authentication priority dot1x
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
!

ip radius source-interface Vlan100
ip sla enable reaction-alerts
logging history size 50
logging history debugging
logging origin-id ip
logging facility local2
logging source-interface Vlan100
logging host 192.168.100.240

!

!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
!
radius server ISE
address ipv4 192.168.100.240 auth-port 1645 acct-port 1646
key 7 xxxxxxxxxxxxxxxx
!

sumanrai1980 · ‎09-03-2022

Is it possible that if the clinet MAC address deleted from WLC and user faces this issue "5411 Supplication issue"? or because of DHCP leases overlapping ?

TerryLaw86466 · ‎06-02-2020

Hi All,

Finally, it is working fine with the cert. signed by window Standalone CA, but it is not working for windows enterprise ca.

Any requirement or specific setting needed in ISE to compatible to windows enterprise ca.

pnowikow · ‎03-10-2021

ISE teammates,

Ok, so after months of working on this issue with "Supplicant Stopped Responding..." errors, I've determined that by updating the Wired AutoConfig GPO we use to include these settings, we got the endpoints connected and authorized as expected. Out of the box Windows 10 tries once to connect to a Cisco switch via PEAP before giving up and waiting 20 minutes. Here's the GPO settings we're using. We opted for public CA certs because I was tired of fooling around with our internal CA.

Hope it helps someone,

Omid Almasieh · ‎04-15-2021

It indeed helped me. Thank you for sharing. Appreciate it.

Regards,

Omid

pnowikow · ‎04-16-2021

I'm glad it worked out for you. I spent a long time beating my head
against the wall

“5411 Supplicant stopped responding to ISE". Use EAP-TLS for authentication method and the root CA is window CA