cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4274
Views
25
Helpful
8
Replies

ISE 12852 Cryptographic processing of received buffer failed - caused by what?

Arne Bier
VIP
VIP

Hello

 

ISE 2.2 patch 8

 

 

Anyone seen this before? It's happening for EAP-PEAP Wireless authentications (Cisco 8510 Flex 8.3.143.0).

 

The majority of the time the clients are working and then other times the same client reports failed auth.  The wireless client is still running the same code and with the same config. Not sure what triggers this.

 

It would be nice to know WHAT EXACTLY (and at what stage of the processing) is causing ISE to report this exact error - e.g. is it bad code in the client?? We see a lot of this with a particular wireless device:

 

 

buffer.PNG

 

 

 

In my experience we see other errors when wireless clients "drop off the wifi" during an EAP negotiation - we then usually see re-tries and this error - this would tell me that the client was interrupted during an EAP negotiation.

12916 Expected TLS acknowledge for TLS fragment but received another message

 

 

 

8 Replies 8

hslai
Cisco Employee
Cisco Employee

I believe this a generic failure.

For example, I found logs like below and that indicated a problem in extracting the challenge-response.

...

12104 Extracted EAP-Response containing EAP-FAST challenge-response

12814 Prepared TLS Alert message
12852 Cryptographic processing of received buffer failed
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject

 

Thanks @hslai  - to put this in perspective, when you say "generic failure", does that mean that this type of "error" is reported when there is some Layer1 issue on the wireless (e.g. frames that got lost and not re-transmitted, or client goes out of range, or AP has some bug, etc. ) ?  It seems that the ISE errors seen are a result of something that is a bit harder to track down.  It requires a wireless sniffer trace, logs from WLC and logs from ISE - and then someone to make sense of it all ... :-) 

Maxim Risman
Level 1
Level 1

We are experiencing the same issues with Android devices that stoped supporting self-sign certificates in the latest version. 

Hi @Arne Bier ,

 when you generate a Report of Top N Authentication by Failure Reason, this 12852 failure is something that happens in a specific Time Range or Group?

 

Regards.

Hi Marcelo - the issue was reported too long ago - I don't recall what the final outcome was - probably an ISE upgrade.

poongarg
Cisco Employee
Cisco Employee

The issue described is usually seen when a protocol version is proposed by a client and not supported by the server.

- Validate if any TLS version is unchecked on ISE.
- Verify the allowed protocols and try to enable the option "Allow weak ciphers for EAP", in case the endpoints are trying to use legacy ciphers.

rene_braun
Level 1
Level 1

Annoying thing, I am dealing with it now, Android running devices - Zebra Scanner.

It looks also reproducible if a CoA reauth and session terminate has been triggered.

 

Following events are logged for the same deivce:

 

Failure Reason: 12916 Expected TLS acknowledge for TLS fragment but received another message
Resolution: Verify that the client's supplicant does not have any known compatibility issues and that it is properly configured.
Root cause: ISE recently has sent another TLS fragment to the supplicant and expected TLS acknowledge from supplicant to confirm the fragment before sending it the next one but received another message. This could be due to improper supplicant configuration or a possible incomformity in the implementation of the protocol between ISE and the supplicant.

 

Event 5400 Authentication failed
Failure Reason 12852 Cryptographic processing of received buffer failed
Resolution Verify that the client's supplicant does not have any known compatibility issues and that it is properly configured. Contact TAC.
Root cause: ISE received invalid encrypted buffer from client. Cryptographic processing of this buffer failed.

 

 

Event: 5440 Endpoint abandoned EAP session and started new
Failure Reason: 5440 Endpoint abandoned EAP session and started new
Resolution: Verify known NAD or supplicant issues and published bugs. Verify NAD and supplicant configuration.
Root cause: Endpoint started new authentication while previous is still in progress. Most probable that supplicant on that endpoint stopped conducting the previous authentication and started the new one. Closing the previous authentication.

 

 

 

Example log for

5440 Endpoint abandoned EAP session and started new

 

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - DEVICE.Device Type
15048 Queried PIP - Radius.Called-Station-ID
15048 Queried PIP - Normalised Radius.RadiusFlowType
15048 Queried PIP - Radius.NAS-Identifier
11507 Extracted EAP-Response/Identity
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12319 Successfully negotiated PEAP version 1
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12808 Prepared TLS ServerKeyExchange message
12810 Prepared TLS ServerDone message
12811 Extracted TLS Certificate message containing client certificate
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12319 Successfully negotiated PEAP version 1
12812 Extracted TLS ClientKeyExchange message
12813 Extracted TLS CertificateVerify message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12310 PEAP full handshake finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12313 PEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
5440 Endpoint abandoned EAP session and started new ( [step latency=4781 ms] Step latency=4781 ms)

have u been able to win?