ACS 5.4 EAP-TLS Session Resume

Rogelio Mercado · ‎09-11-2013

Hello,

We are looking to enable the "Enable EAP-TLS Session Resume" option in System Administration->Configuration->Global Systems->EASP-TLS Settings in our Production environment..

We have made the change in Test environment. We do see the Passed Authentication log entry for initial authentication in Monitoring and Reports. But we are not seeing any logs for the quick reauth of client.

In the documentation it states that the Session Resume option allows for a quick reauth with only a SSL handshake.

Does the Session Resume option log the quick reauth in Monitoring and Reports?

Thanks,

Rogelio

aqjaved · ‎09-12-2013

Please check the below link which can helpful:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/admin_config.html

Rogelio Mercado · ‎09-12-2013

Thanks for reply. I have reviewed the ACS 5.4 Management Guide for Session Resume option.

I have made the change in our test environment. I am only able to see the first successful 802.1x (EAP-TLS) authentication request. I am not seeing any quick-reauth logs for the Sesion Resume setting.

Do you know if that is by design?

Should we be seeing logs for the Sesssion Resume quick reauth request?

Rogelio

Muhammad Munir · ‎09-16-2013

Hi

Verify that supplicant is configured properly to conduct a full EAP conversation with ACS. Verify that NAS is configured properly to transfer EAP messages to or from supplicant. Verify that supplicant or network access server (NAS) does not have a short timeout for EAP conversations. Check the network that connects the NAS to ACS. If the external ID store is used for the authentication, it may be not responding fast enough for current timeouts.
Check whether the proper server certificate is installed and configured for EAP by going to the Local Certificates page (Administration > System > Certificates > Local Certificates ). Also ensure that the certificate authority that signed this server certificate is correctly installed in client's supplicant.
Check the previous steps in the log for this EAP-TLS conversation for a message indicating why the handshake failed. Check OpenSSLErrorMessage and OpenSSLErrorStack for more information.
Check the appropriate configuration in Policy > Authentication. This error happens when the identity source is configured for certificate-based authentication and received a password based authentication request.
Check the appropriate configuration in Policy > Authentication. This error happens when the identity source is configured for password-based authentication and received a certificate-based authentication request.
Check whether the subject is present in any one of the chosen identity stores. Note that some identity stores may have been skipped if they do not support the current authentication protocol.
Make sure the authentication policy points to correct identity store.
- The authorization profile with the ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate authorization policy rule-results.
- Check whether the shared secrets on the AAA client and ISE server match. Ensure that the AAA client and the network device have no hardware problems or problems with RADIUS compatibility. Also ensure that the network that connects the device to the ISE has no hardware problems.