12-29-2021 08:08 AM
We have phones that are getting rejected with 802.1X EAP-TLS after renewing the device's certificate. The old one expired and we replaced it with a new one from the same internal CA that is trusted by our ISE.
All phones are not working, and the ISE logs show "5440 Endpoint abandoned EAP session and started new".
I found a community discussion for this suggesting it may be a not-trusted or expired certificate in the certificate chain.
But where do I see that, and what do I do to fix it?
12-29-2021 01:16 PM
If the new client certificate were NOT to be trusted by ISE, then ISE would very clearly report that in the TLS setup error messages. In your case, this should not be happening, since you mentioned that the issuing CA has not changed (and that same CA chain is still installed in the ISE Trusted Certificates list).
In the past, when I have seen this error, it's been a transient condition, meaning the clients are roaming into areas of bad coverage and they fail to complete the TLS communication (and there are re-transmissions involved). Either that, or the WLC is still hanging on to cached keying material from previous sessions and this is causing confusion (e.g. CCKM, 802.11r or OKC).
I would try deleting the client session on the WLC and watching the ISE Live Logs.
If this condition does not clear, then check whether you have perhaps changed any other settings in ISE (e.g. some TLS security settings?).
You could also check whether the Layer 3 gateway (SVI) of the VLAN that the ISE PSN is connected to has its MTU set to 1500 bytes. Any MTU larger than that will cause these errors as well. It can happen that a certificate transfer exceeds the MTU, and ISE cannot handle an MTU larger than 1500 bytes.
Failing that, run an endpoint debug for the client MAC address and see what ISE captures. It should capture the client certificate that the client is trying to present to ISE, along with a lot of debug information; it might give you a clue.
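The answer's point is that a trust or expiry problem shows up as an explicit TLS error in the ISE logs, whereas a bare run of 5440 "abandoned EAP session" events with no such error points at something transient (coverage, cached keying material, MTU). The script below is an added example, not ISE's own tooling or the answer's code: it triages a batch of log lines per endpoint MAC and classifies each endpoint into one of those two buckets. The log format, the field names (`mac=`, `nas=`), the constructed sample lines, the placeholder codes `9999` and `0000`, and the TLS-failure wording matched by `CERT_FAILURE_PATTERN` are all assumptions; only the 5440 message text comes from the thread.

```python
"""Triage ISE-style authentication log lines for the 5440 'abandoned EAP session' pattern.

Added example. The line layout below is a constructed, simplified stand-in for an
ISE Live Log / syslog export; only the 5440 message text is from the discussion.
Codes 9999 and 0000, the MACs, NAS names and timestamps are all made up.
"""
import re
from collections import defaultdict

# Constructed sample log lines (not captured from a real ISE deployment).
SAMPLE_LOGS = [
    "2021-12-29T08:00:01 5440 Endpoint abandoned EAP session and started new mac=AA:BB:CC:00:00:01 nas=wlc01",
    "2021-12-29T08:00:04 5440 Endpoint abandoned EAP session and started new mac=AA:BB:CC:00:00:01 nas=wlc01",
    "2021-12-29T08:00:09 5440 Endpoint abandoned EAP session and started new mac=AA:BB:CC:00:00:01 nas=wlc01",
    "2021-12-29T08:00:10 5440 Endpoint abandoned EAP session and started new mac=AA:BB:CC:00:00:02 nas=wlc01",
    # 9999 is a placeholder code, not a real ISE message ID; the wording is assumed.
    "2021-12-29T08:00:12 9999 TLS handshake failed: client certificate not trusted mac=AA:BB:CC:00:00:02 nas=wlc01",
    # 0000 is a placeholder code for a successful authentication.
    "2021-12-29T08:00:15 0000 Authentication succeeded mac=AA:BB:CC:00:00:03 nas=wlc02",
    "this line is not in the expected format and is skipped",
]

# Assumed line layout: <timestamp> <code> <message text> mac=<MAC> nas=<device>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<code>\d+)\s+(?P<msg>.*?)\s+mac=(?P<mac>[0-9A-Fa-f:]{17})\s+nas=(?P<nas>\S+)$"
)

ABANDONED_CODE = "5440"  # "Endpoint abandoned EAP session and started new" (from the thread)
# Assumption: an explicit TLS trust/expiry failure mentions the certificate plus one of these phrases.
CERT_FAILURE_PATTERN = re.compile(r"certificate.*(not trusted|expired|unknown ca)", re.IGNORECASE)
ABANDON_THRESHOLD = 3  # repeated abandons per endpoint before we call it a pattern

VERDICT_HINT = {
    "trust-chain": "explicit TLS certificate error seen: check the CA chain in ISE Trusted Certificates and the cert validity dates",
    "transient": "repeated 5440 with no TLS trust error: check RF coverage, clear the WLC client session, verify the PSN SVI MTU is 1500",
    "ok": "no repeated abandons and no certificate errors",
}


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["mac"] = fields["mac"].upper()
    return fields


def triage(lines, threshold=ABANDON_THRESHOLD):
    """Group events per endpoint MAC and classify each endpoint.

    An endpoint with any explicit certificate error is 'trust-chain'; one with
    >= threshold 5440 events and no certificate error is 'transient'; else 'ok'.
    """
    stats = defaultdict(lambda: {"abandoned": 0, "cert_errors": 0, "nas": set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        s = stats[ev["mac"]]
        s["nas"].add(ev["nas"])
        if ev["code"] == ABANDONED_CODE:
            s["abandoned"] += 1
        elif CERT_FAILURE_PATTERN.search(ev["msg"]):
            s["cert_errors"] += 1

    result = {}
    for mac, s in stats.items():
        if s["cert_errors"]:
            verdict = "trust-chain"
        elif s["abandoned"] >= threshold:
            verdict = "transient"
        else:
            verdict = "ok"
        result[mac] = {
            "abandoned": s["abandoned"],
            "cert_errors": s["cert_errors"],
            "nas": sorted(s["nas"]),
            "verdict": verdict,
        }
    return result


if __name__ == "__main__":
    for mac, info in sorted(triage(SAMPLE_LOGS).items()):
        print(f"{mac}  5440={info['abandoned']}  cert_errors={info['cert_errors']}  "
              f"nas={','.join(info['nas'])}  -> {info['verdict']}: {VERDICT_HINT[info['verdict']]}")
```

Feed it an export of the Live Log filtered to the affected phones; endpoints that land in `transient` are the ones where the answer's WLC-session and MTU checks apply, while a `trust-chain` verdict means the new certificate or its issuing chain is the thing to inspect first.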