ISE 2.4 doesn't send Access-Reject after EAP-TLS authentication failure

We are using EAP-TLS with the MIC certificate for IP phones to be authenticated on wired dot1x, and have configured MAB as a fallback mechanism, with dot1x having the higher priority/order. Below is a snippet of the interface config.

[image: int config.png]

However, we have encountered a peculiar scenario where old IP Phones are getting stuck in dot1x authentication and not failing over to MAB if they have an expired MIC. What I see from ISE is that it is not sending an "Access-Reject" after the EAP-TLS authentication failure caused by MIC expiry; rather, it is sending an "Access-Challenge".


ISE: v2.4 patch11

Switch: 3750 with 15.2.4.E8

Phone: Cisco 7962, 7965


2 Replies

Hello

If you have a continuous Running state for dot1x in the output of "sho authe sess int N d", I'd advise calling TAC.


I think what is happening here is that ISE sends the access-challenge messages and waits for the responses, but it looks like the old phones do not support them. In this case, the access-challenge messages will be treated as access-reject; hence, the phones will be denied access to the network and will not try to fail over to the next authc method.
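As an added example (not from the thread or from ISE), a small Python classifier that walks one endpoint's RADIUS exchange and flags the pattern discussed above: the server's last message is an Access-Challenge and no Access-Reject ever follows, so the NAS never sees the failure that would trigger MAB fallback. The packets are constructed samples with zeroed authenticators and placeholder EAP-Message payloads.

```python
import struct

# RADIUS packet codes (RFC 2865). The symptom in the thread is a trace that
# ends in code 11 (Access-Challenge) where code 3 (Access-Reject) was expected.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
SERVER_CODES = {ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE}
EAP_MESSAGE = 79  # RADIUS attribute type carrying EAP packets

def build_packet(code, ident, attrs=()):
    """Build a minimal RADIUS packet for the constructed sample traces below.
    The 16-byte Authenticator is zeroed; real traffic carries a real one."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

def parse_code(raw):
    """Return the RADIUS code after validating the header's Length field."""
    if len(raw) < 20:
        raise ValueError("truncated RADIUS header")
    code, _ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("RADIUS Length field does not match packet size")
    return code

def classify_trace(trace):
    """Classify one endpoint's exchange (packets in time order).
    Returns (verdict, challenge_rounds). 'stuck-in-challenge' is the case from
    the thread: the server's final message is Access-Challenge and the
    supplicant never answers, so the NAS gets no Access-Reject and dot1x
    never fails over to the next method (MAB)."""
    codes = [parse_code(p) for p in trace]
    rounds = codes.count(ACCESS_CHALLENGE)
    last_server = next((c for c in reversed(codes) if c in SERVER_CODES), None)
    if last_server == ACCESS_ACCEPT:
        return "accept", rounds
    if last_server == ACCESS_REJECT:
        return "reject", rounds
    if last_server == ACCESS_CHALLENGE and codes[-1] == ACCESS_CHALLENGE:
        return "stuck-in-challenge", rounds
    return "incomplete", rounds

# Constructed sample traces; EAP payloads are minimal placeholders.
HEALTHY_REJECT = [
    build_packet(ACCESS_REQUEST, 1, [(EAP_MESSAGE, b"\x02\x01\x00\x05\x01")]),      # EAP-Response/Identity
    build_packet(ACCESS_CHALLENGE, 1, [(EAP_MESSAGE, b"\x01\x02\x00\x06\x0d\x20")]),  # EAP-TLS Start
    build_packet(ACCESS_REQUEST, 2, [(EAP_MESSAGE, b"\x02\x02\x00\x06\x0d\x00")]),    # EAP-TLS response
    build_packet(ACCESS_REJECT, 2, [(EAP_MESSAGE, b"\x04\x02\x00\x04")]),             # EAP-Failure
]
# Same start, but the server answers with another challenge that is never replied to.
STUCK = HEALTHY_REJECT[:3] + [
    build_packet(ACCESS_CHALLENGE, 2, [(EAP_MESSAGE, b"\x01\x03\x00\x06\x0d\x00")]),
]
```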