EAP-TLS - SHA2 certificate, thin client not working

anilkumar.cisco
Level 4

Hello Team,

My authentication and authorization policies are correct, as the SHA1 certificate is working fine.

But when importing the SHA2 client site certificate, I am getting the below error.

Event 5434 Endpoint conducted several failed authentications of the same scenario
Failure Reason 11510 Supplicant declined EAP method selected by Authentication Policy but did not propose another one; EAP negotiation failed

In the new SHA2 root certificate, I am seeing it is used only for Infrastructure, but the old SHA1 root certificate in Cisco ISE shows it is for both Infra and endpoints.

Please advise.

anilkumar.cisco
Level 4

Authentication Details
Source Timestamp 2021-11-03 14:41:48.303
Received Timestamp 2021-11-03 14:41:48.303
Policy Server 
Event 5434 Endpoint conducted several failed authentications of the same scenario
Failure Reason 11510 Supplicant declined EAP method selected by Authentication Policy but did not propose another one; EAP negotiation failed
Resolution Ensure that the supplicant is correctly configured. Verify that supplicant has at least one EAP method cofigured.
Root cause In previous EAP message ISE started an EAP method selected by Authentication Policy. Supplicant declined this EAP method by sending EAP NAK message but did not propose another EAP method that it is ready to conduct. Owing to this, EAP-negotiation failed.
Username USERNAME
Endpoint Id F4:39:09:
IPv4 Address 10.1
Audit Session Id 0A407D100000093885F13954
Authentication Method dot1x
Service Type Framed
Network Device ASQ-
Device Type All Device Types#Switch
Location All Locations#1 Angel Square
NAS IPv4 Address 10.163.
NAS Port Id GigabitEthernet8/5
NAS Port Type Ethernet
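
The "Root cause" text above describes a supplicant answering with an EAP NAK that names no alternative method. As an added example (not part of the thread and not Cisco code), this sketch parses an EAP packet per RFC 3748 and tells that case apart from a NAK that does propose a method; the sample packets are constructed, and the function names are hypothetical.

```python
import struct

# EAP method numbers from the IANA EAP registry (subset).
EAP_METHODS = {4: "MD5-Challenge", 13: "EAP-TLS", 21: "EAP-TTLS",
               25: "PEAP", 43: "EAP-FAST"}
EAP_RESPONSE = 2
EAP_TYPE_NAK = 3  # Legacy Nak, RFC 3748 section 5.3.1


def classify_eap(packet: bytes) -> dict:
    """Parse one EAP packet and report what a Nak response proposes."""
    if len(packet) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("bad EAP length field")
    body = packet[4:length]  # ignore any padding after the Length field
    result = {"code": code, "id": ident, "nak": False, "proposed": []}
    if code != EAP_RESPONSE or not body or body[0] != EAP_TYPE_NAK:
        return result
    result["nak"] = True
    # Type-Data: one octet per desired method; 0 means "no alternative".
    result["proposed"] = [EAP_METHODS.get(t, f"type-{t}")
                          for t in body[1:] if t != 0]
    return result


def explain(packet: bytes) -> str:
    """Turn the parsed packet into a one-line troubleshooting hint."""
    info = classify_eap(packet)
    if not info["nak"]:
        return "not a Nak"
    if not info["proposed"]:
        return "Nak without alternative (matches failure reason 11510)"
    return "Nak proposing " + ", ".join(info["proposed"])


# Constructed sample packets (not captured from the thread's network).
NAK_NO_ALTERNATIVE = bytes([2, 7, 0, 6, 3, 0])   # Response, Nak, type 0
NAK_WANTS_PEAP = bytes([2, 7, 0, 6, 3, 25])      # Response, Nak, PEAP
TLS_RESPONSE = bytes([2, 8, 0, 6, 13, 0])        # Response, EAP-TLS

if __name__ == "__main__":
    for pkt in (NAK_NO_ALTERNATIVE, NAK_WANTS_PEAP, TLS_RESPONSE):
        print(pkt.hex(), "->", explain(pkt))
```
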

anilkumar.cisco
Level 4

There was an issue at the client site. They were not presenting the certificate properly, and because of that, ISE was not able to identify and validate the certificate match in AD as a binary comparison.

After that correction, the issue was resolved.