ISE- ISE received malformed EAP Payload TLV from the supplicant

joandwifi
Level 1

We do not have AnyConnect in our environment, and the solution found to validate both the user and machine access credentials was to change the protocol and rule from ISE to TEAP.

We validated the solution, but by directly changing the endpoint settings for TEAP.
The machines worked; however, now I'm getting the TLV error: "Failure Reason 12963 Received malformed EAP Payload TLV".

The ISE side settings are standardized.


The only configuration that the customer was unable to select was to save machine information automatically.


5 Replies

Arne Bier
VIP

You might have to reproduce this again, but at the same time run a tcpdump on the ISE PSN - you can use a filter like:

udp port 1812

Because then you can spot whether or not the EAP payload is "malformed" - e.g. you should see that UDP packet fragmentation is being used.

Thanks for the feedback, I'll reproduce it, but if it's fragmented, what could I do?

As it is tunneled information, I wanted to know if I could somehow discard it.


You should expect to see a few of the UDP packets containing the certificates from the client ("client hello") as well as the ones from the server ("server hello") as larger than 1500 bytes. I typically see these hellos at around 2 to 3 KB. Since ISE uses an MTU of 1500 bytes max, you should expect to see that these larger payloads are split into multiple datagrams - Wireshark will show the fragments (i.e. the packets that were sent over the wire, but hard to decode because they are fragments of something larger) but then also represent the entire thing as one large logical packet. Wireshark is your friend

Here's one I captured recently of a healthy EAP-TLS transaction - the reason there is a second Access-Accept at the bottom is because that is the switch requesting and getting the dACL from ISE (packets 17 and 18).

What! It's not possible to reproduce the scenario with the client, but I'll do it next week.
Thanks for the level of detail.
It worried me, as it was on a few endpoints.


***I removed the IP and MAC address information, but I debugged my client's device...***

6738681/6955631,CPMSessionID=3204460A000C85FCEA392987,user=host/0478..global,CallingStationID=9c-29,TeapProtocol::createErrorSetState fatal error received. Sending ResultTLV.,TeapProtocol.cpp:2478
2024-01-08 14:58:03,420 DEBUG [Thread-6400][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- Eap,DEBUG,0x7f7a23eed700,cntx=0241797781,sesn=-ise-01/476738681/6955631,CPMSessionID=3204460A000C85FCEA392987,user=host/0478..global,CallingStationID=9c-29,Writing ResultTlv with status=Failure,TeapTlv.cpp:354
2024-01-08 14:58:03,420 DEBUG [Thread-6400][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- Eap,DEBUG,0x7f7a23eed700,cntx=0241797781,sesn=-ise-01/476738681/6955631,CPMSessionID=3204460A000C85FCEA392987,user=host/0478..global,CallingStationID=9c-29,Writing TeapErrorTlv with error code=Unexpected_TLVs_Exchanged,TeapTlv.cpp:2408
2024-01-08 14:58:03,420 DEBUG [Thread-6400][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- Eap,DEBUG,0x7f7a23eed700,cntx=0241797781,sesn=-ise-01/476738681/6955631,CPMSessionID=3204460A000C85FCEA392987,user=host/0478..global,CallingStationID=9c-29,TeapProtocol::createErrorSetState create error and set error state,TeapProtocol.cpp:2501
2024-01-08 14:58:03,420 DEBUG [Thread-6400][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- AcsLogs,DEBUG,0x7f7a23eed700,cntx=0241797781,sesn=-ise-01/476738681/6955631,CPMSessionID=3204460A000C85FCEA392987,user=host/0478..global,CallingStationID=9c-29,Formatter got 621 attributes,MessageFormatter.cpp:163
2024-01-08 14:58:03,421 DEBUG [Thread-6400][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- AcsLogs,DEBUG,0x7f7a23eed700,cntx=0241797781,sesn=-ise-01/476738681/6955631,CPMSessionID=3204460A000C85FCEA392987,user=host/0478..global,CallingStationID=9c-29,Duplicate pair: attr = Called-Station-ID value = 14-84-73-f9-9e-c0:GlobalCorpnetWireless,MessageFormatter.cpp:600
2024-01-08 14:58:03,421 DEBUG [Thread-6400][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- AcsLogs,DEBUG,0x7f7a23eed700,cntx=0241797781,sesn=-ise-01/476738681/6955631,CPMSessionID=3204460A000C85FCEA392987,user=host/0478..global,CallingStationID=9c-29,Log_Message=[2024-01-08 14:58:03.420 -03:00 0450205805 11588 WARN EAP: Supplicant failed to adhere to protocol, ConfigVersionId=963, Device IP Address=, Device Port=56549, DestinationIPAddress=1, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=207, User-Name=anonymous, NAS-IP-Address=, NAS-Port=12416, ServiType=Framed, Framed-MTU=1485, State=37CPMSessionID=3204460A000C85FCEA392987\;43SessionID=-ise-01/476738681/6955631\;, Called-Station-ID=14-84-73-f9-9e-c0:GlobalCorpnetWireless, Calling-Station-ID=9c-29, NAS-Identifier=SD-SUD-WLC, NAS-Port-Type=Wireless - IEEE 802.11, cisco-av-pair=servitype=Framed, cisco-av-pair=audit-session-id=3204460A000C85FCEA392987, cisco-av-pair=method=dot1x, cisco-av-pair=client-iif-id=3842050126, cisco-av-pair=vlan-id=1666, cisco-av-pair=cisco-wlan-ssid=GlobalCorpnetWireless, cisco-av-pair=wlan-profile-name=GlobalCorpnetWireless, AirespaWlan-Id=2, AcsSessionID=-ise-01/476738681/6955631, SelectedAccessService=EAP-TLS-TEAP, DetailedInfo=Authentication succeed, EapTunnel=TEAP, EapAuthentication=EAP-MSCHAPv2, CPMSessionID=3204460A000C85FCEA392987, ],MessageFormatter.cpp:107
2024-01-08 14:58:03,421 DEBUG [Thread-6400][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- SecureConnectionNotification,DEBUG,0x7f7a23eed700,cntx=0241797781,sesn=-ise-01/476738681/6955631,CPMSessionID=3204460A000C85FCEA392987,user=host/0478..global,CallingStationID=9c-29,SecureConnectionNotification::logSecureConnectionOpen: started with status = 1,SecureConnectionNotification.cpp:43
2024-01-08 14:58:03,421 DEBUG [Thread-6400][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- SecureConnectionNotification,DEBUG,0x7f7a23eed700,cntx=0241797781,sesn=-ise-01/476738681/6955631,CPMSessionID=3204460A000C85FCEA392987,user=host/0478..global,CallingStationID=9c-29,SecureConnectionNotification::getPeerCertificateAttributes started ,SecureConnectionNotification.cpp:292
2024-01-08 14:58:03,421 WARN [Thread-6400][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- SecureConnectionNotification,WARN ,0x7f7a23eed700,cntx=0241797781,sesn=-ise-01/476738681/6955631,CPMSessionID=3204460A000C85FCEA392987,CallingStationID=9c-29,SecureConnectionNotification::getPeerCertificateAttributes Error getting peer certificate from SSL Connection,SecureConnectionNotification.cpp:305
2024-01-08 14:58:03,421 DEBUG [Thread-6400][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- SecureConnectionNotification,DEBUG,0x7f7a23eed700,cntx=0241797781,sesn=-ise-01/476738681/6955631,CPMSessionID=3204460A000C85FCEA392987,user=host/0478..global,CallingStationID=9c-29,SecureConnectionNotification::logSecureConnectionOpen: is Peer Client certificate false,SecureConnectionNotification.cpp:57
2024-01-08 14:58:03,421 DEBUG [Thread-6400][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- AcsLogs,DEBUG,0x7f7a23eed700,cntx=0241797781,sesn=-ise-01/476738681/6955631,CPMSessionID=3204460A000C85FCEA392987,user=host/0478..global,CallingStationID=9c-29,Formatter got 886 attributes,MessageFormatter.cpp:163
2024-01-08 14:58:03,421 DEBUG [Thread-6400][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- AcsLogs,DEBUG,0x7f7a23eed700,cntx=0241797781,sesn=-ise-01/476738681/6955631,CPMSessionID=3204460A000C85FCEA392987,user=host/0478..global,CallingStationID=9c-29,Log_Message=[2024-01-08 14:58:03.421 -03:00 0450205806 61025 NOTICE EAP-TLS: Open secure connection with TLS peer, ConfigVersionId=963, UserName=host/0478..global, ISELocalAddress=1:1812, ISEModuleName=EAP_SERVER, ISEServiceName=TEAP Server, PeerAddress=9c-29, PeerName=host/0478..global, ConnectionStatus=Failed, UniqueConnectionIdentifier =a0231151-3fa9-4673-a161-af828b3a41ea, FailureReason=12963 Received malformed EAP Payload TLV, IdentityAccessRestricted=false, ],MessageFormatter.cpp:107
2024-01-08 14:58:03,421 DEBUG [Thread-6400][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- SecureConnectionNotification,DEBUG,0x7f7a23eed700,cntx=0241797781,sesn=-ise-01/476738681/6955631,CPMSessionID=3204460A000C85FCEA392987,user=host/0478..global,CallingStationID=9c-29,SecureConnectionNotification::logSecureConnectionOpen: finished,SecureConnectionNotification.cpp:117
2024-01-08 14:58:03,422 DEBUG [Thread-6400][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- Eap,DEBUG,0x7f7a23eed700,cntx=0241797781,sesn=-ise-01/476738681/6955631,CPMSessionID=3204460A000C85FCEA392987,user=host/0478..global,CallingStationID=9c-29,TeapProtocol::onTunnelValidationFailed,TeapProtocol.cpp:3480
2024-01-08 14:58:03,422 DEBUG [Thread-6400][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- Eap,DEBUG,0x7f7a23eed700,cntx=0241797781,sesn=-ise-01/476738681/6955631,CPMSessionID=3204460A000C85FCEA392987,user=host/0478..global,CallingStationID=9c-29,EapTlsProtocol::sendResult,EapTlsProtocol.cpp:541
2024-01-08 14:58:03,422 DEBUG [Thread-6400][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- Eap,DEBUG,0x7f7a23eed700,cntx=0241797781,sesn=-ise-01/476738681/6955631,CPMSessionID=3204460A000C85FCEA392987,user=host/0478..global,CallingStationID=9c-29,EapTlsProtocol::sendResult calling freeIfReady,EapTlsProtocol.cpp:555
2024-01-08 14:58:03,422 DEBUG [Thread-6400][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- Eap,DEBUG,0x7f7a23eed700,cntx=0241797781,sesn=-ise-01/476738681/6955631,CPMSessionID=3204460A000C85FCEA392987,user=host/0478..global,CallingStationID=9c-29,TeapFlow: protocol process finished, state 0,TeapFlow.cpp:107
2024-01-08 14:58:03,422 DEBUG [Thread-6400][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- Eap,DEBUG,0x7f7a23eed700,cntx=0241797781,sesn=-ise-01/476738681/6955631,CPMSessionID=3204460A000C85FCEA392987,user=host/0478..global,CallingStationID=9c-29,Conversation summary: PAC-less. Authenticated. Inner method succeeded. ,TeapProtocol.cpp:3172
2024-01-08 14:58:03,422 DEBUG [Thread-6400][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- Eap,DEBUG,0x7f7a23eed700,cntx=0241797781,sesn=-ise-01/476738681/6955631,CPMSessionID=3204460A000C85FCEA392987,user=host/0478..global,CallingStationID=9c-29,TeapProtocol::setupEapChainingResults EAP chaining result=0,TeapProtocol.cpp:3180
2024-01-08 14:58:03,422 DEBUG [Thread-6400][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- Eap,DEBUG,0x7f7a23eed700,cntx=0241797781,sesn=-ise-01/476738681/6955631,CPMSessionID=3204460A000C85FCEA392987,user=host/0478..global,CallingStationID=9c-29,Teap::getEapChainingResult: Calculate final result,TeapProtocol.cpp:392
2024-01-08 14:58:03,422 DEBUG [Thread-6400][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- Eap,DEBUG,0x7f7a23eed700,cntx=0241797781,sesn=-ise-01/476738681/6955631,CPMSessionID=3204460A000C85FCEA392987,user=host/0478..global,CallingStationID=9c-29,TeapProtocol::getEapChainingResult: i=0, used=1, succeeded=1, type=1,TeapProtocol.cpp:403
2024-01-08 14:58:03,422 DEBUG [Thread-6400][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- Eap,DEBUG,0x7f7a23eed700,cntx=0241797781,sesn=-ise-01/476738681/6955631,CPMSessionID=3204460A000C85FCEA392987,user=host/0478..global,CallingStationID=9c-29,TeapProtocol::runInnerMethod User Succeeded,TeapProtocol.cpp:412
2024-01-08 14:58:03,422 DEBUG [Thread-6400][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- Eap,DEBUG,0x7f7a23eed700,cntx=0241797781,sesn=-ise-01/476738681/6955631,CPMSessionID=3204460A000C85FCEA392987,user=host/0478..global,CallingStationID=9c-29,TeapProtocol::getEapChainingResult: i=1, used=1, succeeded=0, type=2,TeapProtocol.cpp:403
2024-01-08 14:58:03,422 DEBUG [Thread-6400][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- Eap,DEBUG,0x7f7a23eed700,cntx=0241797781,sesn=-ise-01/476738681/6955631,CPMSessionID=3204460A000C85FCEA392987,user=host/0478..global,CallingStationID=9c-29,TeapProtocol::getEapChainingResult: Final chaining result 2,TeapProtocol.cpp:439
2024-01-08 14:58:03,422 DEBUG [Thread-6400][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- Eap,DEBUG,0x7f7a23eed700,cntx=0241797781,sesn=-ise-01/476738681/6955631,CPMSessionID=3204460A000C85FCEA392987,user=host/0478..global,CallingStationID=9c-29,TeapFlow: remove Teap protocol object from stack, level 1,TeapFlow.cpp:334
2024-01-08 14:58:03,422 DEBUG [Thread-6400][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- Eap,DEBUG,0x7f7a23eed700,cntx=0241797781,sesn=-ise-01/476738681/6955631,CPMSessionID=3204460A000C85FCEA392987,user=host/0478..global,CallingStationID=9c-29,TeapFlow: finished removing Teap protocol object from stack, level 1,TeapFlow.cpp:345
2024-01-08 14:58:03,423 DEBUG [Thread-6400][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- Eap,DEBUG,0x7f7a23eed700,cntx=0241797781,sesn=-ise-01/476738681/6955631,CPMSessionID=3204460A000C85FCEA392987,user=host/0478..global,CallingStationID=9c-29,TeapFlow: onEapEvent finished,TeapFlow.cpp:225
2024-01-08 14:58:03,423 DEBUG [Thread-6400][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- Eap,DEBUG,0x7f7a23eed700,cntx=0241797781,sesn=-ise-01/476738681/6955631,CPMSessionID=3204460A000C85FCEA392987,user=host/0478..global,CallingStationID=9c-29,EapFlow::onResponseEapEvent,EapFlow.cpp:167
2024-01-08 14:58:03,423 DEBUG [Thread-6400][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- Eap,DEBUG,0x7f7a23eed700,cntx=0241797781,sesn=-ise-01/476738681/6955631,CPMSessionID=3204460A000C85FCEA392987,user=host/0478..global,CallingStationID=9c-29,EapProtocol - about to compose outgoing EAP packet; EAP stack level = 0,EapProtocol.cpp:600
2024-01-08 14:58:03,423 INFO [Thread-6400][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- Eap,INFO ,0x7f7a23eed700,cntx=0241797781,sesn=-ise-01/476738681/6955631,CPMSessionID=3204460A000C85FCEA392987,CallingStationID=9c-29,EAP: Send EAP packet, code=Failure, identifier=206, length=4,EapParser.cpp:232
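As an added example (not from the post and not a Cisco tool), a small Python triage script that pulls the fields worth checking out of prrt-server debug lines in the format shown above: the FailureReason, EapTunnel and EapAuthentication attributes from the Log_Message block, the Framed-MTU the NAS advertised (relevant to the fragmentation point raised earlier in the thread), and the per-leg EAP chaining results. The sample lines are constructed by abbreviating the excerpt; that type=1 is the user leg follows from the adjacent "User Succeeded" line, while reading type=2 as the machine leg is an assumption.

```python
import re

# Constructed sample: lines abbreviated from the ISE prrt-server debug excerpt posted above.
SAMPLE_LOG = """\
2024-01-08 14:58:03,421 DEBUG [Thread-6400][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- AcsLogs,DEBUG,0x7f7a23eed700,user=host/0478..global,Log_Message=[2024-01-08 14:58:03.420 -03:00 0450205805 11588 WARN EAP: Supplicant failed to adhere to protocol, ConfigVersionId=963, User-Name=anonymous, Framed-MTU=1485, SelectedAccessService=EAP-TLS-TEAP, EapTunnel=TEAP, EapAuthentication=EAP-MSCHAPv2, ],MessageFormatter.cpp:107
2024-01-08 14:58:03,421 DEBUG [Thread-6400][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- AcsLogs,DEBUG,0x7f7a23eed700,user=host/0478..global,Log_Message=[2024-01-08 14:58:03.421 -03:00 0450205806 61025 NOTICE EAP-TLS: Open secure connection with TLS peer, ConnectionStatus=Failed, FailureReason=12963 Received malformed EAP Payload TLV, ],MessageFormatter.cpp:107
2024-01-08 14:58:03,422 DEBUG [Thread-6400][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- Eap,DEBUG,0x7f7a23eed700,user=host/0478..global,TeapProtocol::getEapChainingResult: i=0, used=1, succeeded=1, type=1,TeapProtocol.cpp:403
2024-01-08 14:58:03,422 DEBUG [Thread-6400][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- Eap,DEBUG,0x7f7a23eed700,user=host/0478..global,TeapProtocol::getEapChainingResult: i=1, used=1, succeeded=0, type=2,TeapProtocol.cpp:403
"""

# Outer prrt-server line: timestamp, level, [thread][], logger, then the comma-joined payload.
LINE_RE = re.compile(r"^(\S+ \S+) (\w+) \[[^\]]+\]\[\] (\S+) -:::::- (?P<rest>.*)$")
LOGMSG_RE = re.compile(r"Log_Message=\[(?P<body>.*?)\],")
CHAIN_RE = re.compile(r"getEapChainingResult: i=(\d+), used=(\d), succeeded=(\d), type=(\d)")

def parse_log_message(rest):
    """Return the key=value attributes of an embedded Log_Message=[...] block, or None."""
    m = LOGMSG_RE.search(rest)
    if not m:
        return None
    attrs = {}
    for piece in m.group("body").split(", "):
        if "=" in piece:                       # the leading free-text headline has no '='
            key, val = piece.split("=", 1)     # split once: values such as State=... contain '='
            attrs[key.strip()] = val.strip()
    return attrs

def triage_teap(log_text):
    # Walk one session's lines and keep the last value seen for each field of interest.
    found = {"failure_reason": None, "tunnel": None, "inner_method": None,
             "framed_mtu": None, "chaining": []}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        attrs = parse_log_message(rest) or {}
        found["failure_reason"] = attrs.get("FailureReason", found["failure_reason"])
        found["tunnel"] = attrs.get("EapTunnel", found["tunnel"])
        found["inner_method"] = attrs.get("EapAuthentication", found["inner_method"])
        if "Framed-MTU" in attrs:
            found["framed_mtu"] = int(attrs["Framed-MTU"])
        c = CHAIN_RE.search(rest)
        if c:                                   # type=1 is the user leg; type=2 assumed machine leg
            i, used, ok, typ = (int(x) for x in c.groups())
            found["chaining"].append({"i": i, "used": used, "succeeded": ok, "type": typ})
    return found

def failed_chaining_legs(found):
    """Legs that were attempted but did not succeed (only the second leg on the posted session)."""
    return [leg for leg in found["chaining"] if leg["used"] == 1 and leg["succeeded"] == 0]
```

On the posted session this reports the user leg as succeeded and the second leg as failed alongside failure reason 12963, which points at the supplicant's TEAP credential configuration rather than at the RADIUS transport.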


joandwifi
Level 1

Hi, @Arne Bier. Thank you very much for your support.
I performed the test on a machine, and it worked perfectly.
The problem was in the device configuration: it had to accept "save user information - login and password".
After checking this field, the connection worked.