5601 Views | 14 Helpful | 6 Replies

Cisco ISE authentication problem

Amen
Level 1

Version: 3.1.0.518 Patch 6 and 7

The client can register once on the ISE via EAP-TLS with a certificate - after that problems arise.
If you restart the notebook, it works again once.
At patch 6
Approx. 250 users affected:
The ISE log shows that an EKU that we use for authentication is not passed or recognized when authenticating again.
This is not a problem with the initial authentication.
Only some Windows clients are affected.
At patch 7
Approx. 1300 users affected
The ISE log shows that the ISE cannot read the SAN of the certificate correctly. "33047 User name attribute is missing in client certificate" as an error message from the ISE
This is not a problem with the initial authentication.
All Windows clients are affected.

The certificate-based authentication of our iPhones, on the other hand, works perfectly; we also check for the EKU here.
Both problems occur over both LAN and WLAN authentication.


In other words:


we are having client authentication issues with Cisco ISE version 3.1.0.518 patch 6 or 7 (both issues).
With the update to version 6, parts of the certificate EKU were no longer displayed - the authentication therefore no longer works.
Since the update to version 7 we get the error 22047 User name attribute is missing in client certificate.
Although the certificate has not changed and all settings match when looking at the client certificate.

The client can initially log on to the LAN/WLAN once after booting, but no longer after that.


Can this fix the issue?


https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/release_notes/b_ise_31_RN.html#concept_lvg_kw1_xsb:~:text=AAA%20Servers.-,EAP%2DTLS%20Authentication%20Might%20Fail%20for%20Certificates%20Using%20TPM%20Module,%5B33%5DEnable/Disable/Current_stat... 

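The error quoted above says ISE could not find a user name attribute in the client certificate, while the poster states the certificate itself is unchanged. A quick way to confirm that, independently of ISE, is to read the Extended Key Usage and Subject Alternative Name out of the certificate directly. The script below is an added example, not part of this thread or of Cisco's software; it assumes the Python `cryptography` package is installed and builds a constructed, self-signed sample certificate so that it runs offline (the UPN otherName OID 1.3.6.1.4.1.311.20.2.3 and the clientAuth EKU OID 1.3.6.1.5.5.7.3.2 are the standard well-known values). `required_eku` is a parameter introduced here so that a custom EKU, as the first post mentions, can be checked as well.

```python
"""Report the EKU OIDs and SAN user-name entries of an EAP-TLS client cert.

Added example (not from the Cisco Community thread). Assumes the
`cryptography` package is available.
"""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID, ObjectIdentifier

# Well-known OID for the Microsoft User Principal Name otherName in the SAN.
UPN_OID = ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")
CLIENT_AUTH = ExtendedKeyUsageOID.CLIENT_AUTH.dotted_string  # 1.3.6.1.5.5.7.3.2


def _decode_utf8string(der: bytes) -> str:
    """Decode a DER UTF8String (tag 0x0c, length, bytes) as carried in a UPN otherName."""
    if not der or der[0] != 0x0C:
        raise ValueError("otherName value is not a UTF8String")
    if der[1] < 0x80:                      # short-form length
        start, length = 2, der[1]
    else:                                  # long-form length
        nbytes = der[1] & 0x7F
        start, length = 2 + nbytes, int.from_bytes(der[2:2 + nbytes], "big")
    return der[start:start + length].decode("utf-8")


def inspect_client_cert(pem: bytes, required_eku=(CLIENT_AUTH,)) -> dict:
    """Return the EKU list, SAN user-name entries and a list of detected problems."""
    cert = x509.load_pem_x509_certificate(pem)
    result = {"subject": cert.subject.rfc4514_string(), "eku": [],
              "upn": None, "email": [], "problems": []}
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        result["eku"] = [oid.dotted_string for oid in eku]
    except x509.ExtensionNotFound:
        result["problems"].append("no Extended Key Usage extension")
    for oid in required_eku:
        if oid not in result["eku"]:
            result["problems"].append(f"EKU lacks required OID {oid}")
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        result["problems"].append("no Subject Alternative Name extension")
        return result
    for name in san:
        if isinstance(name, x509.OtherName) and name.type_id == UPN_OID:
            result["upn"] = _decode_utf8string(name.value)
        elif isinstance(name, x509.RFC822Name):
            result["email"].append(name.value)
    if result["upn"] is None and not result["email"]:
        result["problems"].append("SAN carries no user name attribute (UPN or email)")
    return result


def make_sample_cert(upn: str, include_upn=True, include_eku=True) -> bytes:
    """Build a constructed, self-signed client certificate for demonstration only."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, upn.split("@")[0])])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now)
               .not_valid_after(now + datetime.timedelta(days=1)))
    san_entries = [x509.DNSName("workstation.corp.example")]  # constructed value
    if include_upn:
        raw = upn.encode("utf-8")
        san_entries.append(x509.OtherName(UPN_OID, bytes([0x0C, len(raw)]) + raw))
    builder = builder.add_extension(x509.SubjectAlternativeName(san_entries), critical=False)
    if include_eku:
        builder = builder.add_extension(
            x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
    cert = builder.sign(key, hashes.SHA256())
    return cert.public_bytes(__import__("cryptography").hazmat.primitives.serialization.Encoding.PEM)


if __name__ == "__main__":
    for pem in (make_sample_cert("alice@corp.example"),
                make_sample_cert("bob@corp.example", include_upn=False)):
        report = inspect_client_cert(pem)
        print(report["subject"], report["eku"], report["upn"], report["problems"])
```

To check a real exported client certificate, pass its PEM bytes to `inspect_client_cert`; an empty `problems` list means the certificate carries both the EKU and the SAN user name that the ISE certificate authentication profile needs, so a failure reported only on re-authentication points at the server side rather than at the certificate.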

1 Accepted Solution
6 Replies

joth
Level 1

Hi Amen,

we see the same issue in our environment.

ISE 3.1 P7

Windows 10 with EAP-TLS

It started after upgrading from ISE 3.1 P6 to P7. Did you find a solution/workaround for that?

Did you open a TAC case for that?

KR
joth

Hi, me too. Same issue. "22047 User name attribute is missing in client certificate"

It looks like the issue happens for repeated authentications; the initial authentication works (non-Windows clients have no problems).

We patched our Cisco ISE 3.1 from Patch 6 to 7 and the problems started. In Patch 6 there are no issues. So I'm going to do a rollback for now.

..waiting for a fix

Yordan1
Level 1

Hi Amen,

Any solution found?

br

Has anyone moved to ISE 3.2 Patch 2 to see if this issue is resolved there? We started hitting this bug when we swapped out the EAP certificate in ISE 3.1 Patch 7. The workaround laid out seems to work, but I want to know if it's outright fixed in 3.2.

oliver seiwert
Level 1

ISE 3.1 Patch 9 fixed this bug.