
ISE 2.7 client authentication WLAN ok, LAN not ok

chrismes
Level 1

We've installed a virtual ISE 2.7 with a backup from a physical ISE 2.3.
Now Windows client authentication works for WLAN but not for LAN,
for the same clients.

Event 5411 Supplicant stopped responding to ISE
Failure Reason 12934 Supplicant stopped responding to ISE during PEAP tunnel establishment

I cannot imagine that Windows clients have different settings for authentication in WLAN or LAN.
But I am not a client expert.
Any ideas?
Thanks.

4 Replies

marce1000
VIP

 

 - FYI : https://community.cisco.com/t5/network-access-control/12934-supplicant-stopped-responding-to-ise-during-peap-tunnel/m-p/4273144#M564801

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

The accepted solution is to capture packets.
Ok, this is the way for troubleshooting, but not the solution.
I've already captured packets on the client itself, with netsh trace while the client was rebooted.
That is the output.
For me it looks like the client stops responding, that is also what the ISE says. But why is the same client working on ISE 2.3?

21 15:47:56,310178100 Cisco_ea:8c:a2 Dell_30:05:c1 EAP 60 Request, Identity
30 15:47:59,492330100 Dell_30:05:c1 Nearest-non-TPMR-bridge EAPOL 19 Start
31 15:47:59,492338900 Dell_30:05:c1 Nearest-non-TPMR-bridge EAPOL 19 Start
32 15:47:59,504773900 Cisco_ea:8c:a2 Dell_30:05:c1 EAP 60 Request, Identity
33 15:47:59,558183200 Dell_30:05:c1 Nearest-non-TPMR-bridge EAP 57 Response, Identity
34 15:47:59,558191600 Dell_30:05:c1 Nearest-non-TPMR-bridge EAP 57 Response, Identity
35 15:47:59,581972400 Cisco_ea:8c:a2 Dell_30:05:c1 EAP 60 Request, TLS EAP (EAP-TLS)
36 15:47:59,584977900 Dell_30:05:c1 Nearest-non-TPMR-bridge EAP 24 Response, Legacy Nak (Response Only)
37 15:47:59,584986900 Dell_30:05:c1 Nearest-non-TPMR-bridge EAP 24 Response, Legacy Nak (Response Only)
38 15:47:59,610583700 Cisco_ea:8c:a2 Dell_30:05:c1 EAP 60 Request, Protected EAP (EAP-PEAP)
39 15:47:59,645894100 Dell_30:05:c1 Nearest-non-TPMR-bridge TLSv1.2 190 Client Hello
40 15:47:59,645902300 Dell_30:05:c1 Nearest-non-TPMR-bridge EAP 190 Response, Protected EAP (EAP-PEAP)
41 15:47:59,725964200 Cisco_ea:8c:a2 Dell_30:05:c1 EAP 1030 Request, Protected EAP (EAP-PEAP)
42 15:47:59,726484000 Dell_30:05:c1 Nearest-non-TPMR-bridge EAP 24 Response, Protected EAP (EAP-PEAP)
43 15:47:59,726491100 Dell_30:05:c1 Nearest-non-TPMR-bridge EAP 24 Response, Protected EAP (EAP-PEAP)
44 15:47:59,788233900 Cisco_ea:8c:a2 Dell_30:05:c1 EAP 1026 Request, Protected EAP (EAP-PEAP)
45 15:47:59,790638200 Dell_30:05:c1 Nearest-non-TPMR-bridge EAP 24 Response, Protected EAP (EAP-PEAP)
46 15:47:59,790660300 Dell_30:05:c1 Nearest-non-TPMR-bridge EAP 24 Response, Protected EAP (EAP-PEAP)
49 15:48:00,378209200 Cisco_ea:8c:a2 Dell_30:05:c1 EAP 1026 Request, Protected EAP (EAP-PEAP)
50 15:48:00,378630000 Dell_30:05:c1 Nearest-non-TPMR-bridge EAP 24 Response, Protected EAP (EAP-PEAP)
51 15:48:00,378634100 Dell_30:05:c1 Nearest-non-TPMR-bridge EAP 24 Response, Protected EAP (EAP-PEAP)
54 15:48:00,496210400 Cisco_ea:8c:a2 Dell_30:05:c1 EAP 1026 Request, Protected EAP (EAP-PEAP)
55 15:48:00,498502400 Dell_30:05:c1 Nearest-non-TPMR-bridge EAP 24 Response, Protected EAP (EAP-PEAP)
56 15:48:00,498510500 Dell_30:05:c1 Nearest-non-TPMR-bridge EAP 24 Response, Protected EAP (EAP-PEAP)
59 15:48:00,956274700 Cisco_ea:8c:a2 Dell_30:05:c1 TLSv1.2 501 Server Hello, Certificate, Server Key Exchange, Server Hello Done
74 15:48:01,369988100 Dell_30:05:c1 Nearest-non-TPMR-bridge TLSv1.2 154 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
75 15:48:01,369995300 Dell_30:05:c1 Nearest-non-TPMR-bridge EAP 154 Response, Protected EAP (EAP-PEAP)
76 15:48:02,192635000 Cisco_ea:8c:a2 Dell_30:05:c1 TLSv1.2 75 Change Cipher Spec, Encrypted Handshake Message
276 15:48:32,998595800 Cisco_ea:8c:a2 Dell_30:05:c1 EAP 75 Request, Protected EAP (EAP-PEAP)
367 15:49:03,800276000 Cisco_ea:8c:a2 Dell_30:05:c1 EAP 75 Request, Protected EAP (EAP-PEAP)
417 15:49:34,634369600 Cisco_ea:8c:a2 Dell_30:05:c1 EAP 60 Failure
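
The stall in the capture above can be located mechanically. The following is an added example, not part of the original post: a small parser for this text export that reports the supplicant's last frame and every authenticator frame sent after it. The function names are illustrative, and the sample frames are copied from the capture above.

```python
import re
from datetime import datetime

# Frames 59-417 copied from the capture in the post above (text export, comma decimals).
CAPTURE = """\
59 15:48:00,956274700 Cisco_ea:8c:a2 Dell_30:05:c1 TLSv1.2 501 Server Hello, Certificate, Server Key Exchange, Server Hello Done
74 15:48:01,369988100 Dell_30:05:c1 Nearest-non-TPMR-bridge TLSv1.2 154 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
75 15:48:01,369995300 Dell_30:05:c1 Nearest-non-TPMR-bridge EAP 154 Response, Protected EAP (EAP-PEAP)
76 15:48:02,192635000 Cisco_ea:8c:a2 Dell_30:05:c1 TLSv1.2 75 Change Cipher Spec, Encrypted Handshake Message
276 15:48:32,998595800 Cisco_ea:8c:a2 Dell_30:05:c1 EAP 75 Request, Protected EAP (EAP-PEAP)
367 15:49:03,800276000 Cisco_ea:8c:a2 Dell_30:05:c1 EAP 75 Request, Protected EAP (EAP-PEAP)
417 15:49:34,634369600 Cisco_ea:8c:a2 Dell_30:05:c1 EAP 60 Failure
"""

# frame number, hh:mm:ss, fractional seconds, source, destination, protocol, length, info
LINE = re.compile(r"^(\d+) (\d\d:\d\d:\d\d),(\d+) (\S+) (\S+) (\S+) (\d+) (.+)$")

def parse(text):
    """Yield one dict per frame line; lines that do not match the layout are skipped."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        no, hms, frac, src, dst, proto, length, info = m.groups()
        t = datetime.strptime(hms, "%H:%M:%S")
        secs = t.hour * 3600 + t.minute * 60 + t.second + float("0." + frac)
        yield {"no": int(no), "t": secs, "src": src, "dst": dst,
               "proto": proto, "len": int(length), "info": info}

def find_stall(text, supplicant):
    """Return (last supplicant frame, authenticator frames after it, gaps between them in s)."""
    frames = list(parse(text))
    sent = [f for f in frames if f["src"] == supplicant]
    last = sent[-1] if sent else None
    unanswered = [f for f in frames
                  if f["src"] != supplicant and (last is None or f["no"] > last["no"])]
    gaps = [round(b["t"] - a["t"], 1) for a, b in zip(unanswered, unanswered[1:])]
    return last, unanswered, gaps

if __name__ == "__main__":
    last, unanswered, gaps = find_stall(CAPTURE, "Dell_30:05:c1")
    print("last supplicant frame:", last["no"], last["info"])
    for f in unanswered:
        print("unanswered:", f["no"], f["len"], "bytes,", f["info"])
    print("seconds between unanswered frames:", gaps)
```

On this capture the supplicant's last frame is 75, and frames 76, 276 and 367 from the authenticator go unanswered at roughly 30-second intervals until the Failure in frame 417. Because the capture was taken on the client, those 75-byte frames did reach the client's interface.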

Have you checked whether the Layer 3 IP interface that the ISE PSN is connected to is set with an MTU of 1500 bytes? I have come across situations where the large PDUs used (long certificate chain exchanges) were causing this. The solution was to set the MTU to 1500 bytes on the VLAN on which ISE is connected.

thomas
Cisco Employee

Restore from Backup restores the configuration but not the certificates.

Did you re-install your digital certificates into your ISE nodes? Or are they running self-signed certificates?

What is your wired supplicant configuration?