07-08-2013 07:38 AM - edited 03-10-2019 08:37 PM
Hi all,
We were running Cisco ACS version 4.x half a year ago, but decided to upgrade to Cisco ISE. So we've made a fresh installation with our Cisco partner. At the moment we're live with this equipment, but running into a lot of trouble, as we're receiving a lot of these errors each day. Once the users restart their PCs a few times the problem is solved, but at the moment it's pretty annoying:
No response received during 120 seconds on last EAP message sent to the client
Steps from the detailed view:
```
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
5411 No response received during 120 seconds on last EAP message sent to the client
```
Allowed Protocol: EAP-TLS and PEAP
Authentication Protocol : EAP-TLS
Actually I don't know which version we're running. Where can I check the proper release in the web interface?
Switches are 3750x with the following switchport configs (some things have been xxx'd out), firmware is Version 12.2(55)SE1:
```
interface GigabitEthernet1/0/1
 description xxx
 switchport access vlan xxx
 switchport mode access
 switchport voice vlan xxx
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out
 authentication event fail action next-method
 authentication event server dead action authorize vlan xxx
 authentication event no-response action authorize vlan xxx
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 28800
 mab
 mls qos trust device cisco-phone
 mls qos trust cos
 macro description cisco-phone | cisco-phone
 dot1x pae authenticator
 dot1x timeout tx-period 15
 dot1x timeout supp-timeout 15
 auto qos voip cisco-phone
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy input AutoQoS-Police-CiscoPhone
```
Can someone suggest anything to solve the problem, maybe some misconfiguration or improvements, before starting a TAC case?
Thanks in advance
regards
Marc
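The step list in the post above can be triaged mechanically: for every session that ends in 5411, which step was the last one ISE completed? This is an added example, not part of the original thread and not Cisco tooling. The input layout, the endpoint IDs and all function names are assumptions made here; only the step codes and messages come from the post.

```python
import re
from collections import Counter

STEP = re.compile(r"^\s*(\d{4,5})\s+(.+?)\s*$")   # "<code> <message>"
METHOD = re.compile(r"proposing (\S+)")            # method named in step 12500
TIMEOUT = "5411"   # "No response received during 120 seconds ..."

# Step codes and messages as quoted in the post.
POSTED_STEPS = """\
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
5411 No response received during 120 seconds on last EAP message sent to the client
"""

def parse_steps(text):
    """Return [(code, message)]; lines without a numeric step code are skipped."""
    return [m.groups() for m in map(STEP.match, text.splitlines()) if m]

def stall_point(steps):
    """For a session containing 5411, return the (code, message) just before it."""
    codes = [code for code, _ in steps]
    i = codes.index(TIMEOUT) if TIMEOUT in codes else 0
    return steps[i - 1] if i > 0 else None

def proposed_method(steps):
    """EAP method ISE proposed, read from the 'proposing <method>' step text."""
    found = METHOD.search(" ".join(message for _, message in steps))
    return found.group(1) if found else None

def triage(sessions):
    """Count timed-out sessions by (proposed method, code of the last step)."""
    counts = Counter()
    for text in sessions.values():
        steps = parse_steps(text)
        stalled = stall_point(steps)
        if stalled:
            counts[(proposed_method(steps), stalled[0])] += 1
    return counts

# Constructed sample: endpoint IDs are made up; the third session has no timeout.
SESSIONS = {"00:00:5E:00:53:01": POSTED_STEPS, "00:00:5E:00:53:02": POSTED_STEPS,
            "00:00:5E:00:53:03": POSTED_STEPS.rsplit("5411", 1)[0]}
```

A count concentrated on `("EAP-TLS", "11006")` means ISE sent the Access-Challenge carrying the EAP-TLS proposal and never got the supplicant's reply back through the switch, which points the investigation at the client and the switch port rather than at policy evaluation.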
07-08-2013 08:01 AM
Actually, it's annoying...No response received during 120 seconds on last EAP message sent to the client
Are you facing the issue with all the machines/OS? If there is a specific OS, what OS and supplicant are you using on that machine?
What EAP method do we have configured, PEAP or EAP-TLS?
Status of "validate server certificate" on the client machines?
When exactly do you see this message, while booting up or anytime?
Does this message prevent users from authenticating?
~BR
Jatin Katyal
**Do rate helpful posts**
07-08-2013 08:38 AM
The OS Version is Microsoft Windows 7 Professional 32 Bit
EAP method is EAP-TLS normally
The Client Machines have "Validate Server Certificate" enabled
When exactly you see this message while booting up or anytime / Does this message prevent users to authenticate?
- I've just checked today's ISE log for this error. There are about 82 errors on different clients today which I've called right now and asked if they had any problems with the PC. Most of them had for example: no network drives, no printers and about 5 people no connection until they've restarted their machine.
The PCs are connected to a Cisco 7965G telephone, which is also running with certificates.
The proper version we're running is: 1.1.2.145
regards Marc
Marc
07-08-2013 08:05 AM
The Global Help icon is located in the bottom left corner of the Global Toolbar in the Cisco ISE window. You may check the ISE version there.
To launch Global Help, complete the following steps:
Step 1 On the global toolbar, move your cursor over the Help icon.
Step 2 Choose Online Help from the pop-up menu.
A new browser window appears displaying the Cisco ISE Online Help.
~BR
Jatin Katyal
**Do rate helpful posts**
07-12-2013 12:48 AM
Any more Ideas?
07-14-2013 07:10 PM
Verify that the supplicant is configured properly to conduct a full EAP conversation with ISE. Verify that the NAS is configured properly to transfer EAP messages to or from the supplicant. Verify that the supplicant or network access server (NAS) does not have a short timeout for EAP conversations. Check the network that connects the NAS to ISE. If the external ID store is used for the authentication, it may not be responding fast enough for current timeouts. For more information you can see the below link.
01-18-2016 05:57 AM
Hi.
I am in a similar situation. How did you resolve the issue?
01-18-2016 07:43 AM
Hi,
we found out that our Windows clients respond too slowly to the dot1x requests. Setting the policy to have 3 tries for authentication instead of 1 solved almost all of those problems for us.
Regards
Marc
09-25-2017 03:42 PM
Hi,
Where exactly did you go? Where is the specific setting that you mentioned? We are facing the same issue, but haven't found where to set the retries that you stated.
Thanks so much for your help
12-15-2017 06:31 AM
I know this is late, but this task is performed via a GPO or Group Policy in a Windows domain. You would have to get with your Active Directory team, or if you are the network administrator you could follow these steps.
01-05-2018 06:26 AM
Hi,
Quick one. We are having similar issues to what is described here. What was the group policy option you edited, because I cannot see it in the Wired Network (802.3 Policies) in GPO.
Thanks,
Phil
12-17-2018 06:50 AM