Solved: ISE rejects .1X authentication for Cisco IP 6921

ivan.kuzenkov · ‎05-25-2022

Dear community,

Has anyone faced the issue with 802.1X auth for cisco IP phone 6921? I ran into this problem a few weeks ago, already 3 devices of this model stopped authentication via NAC, and I can't find the reason behind this issue. I know that 6921 is an old device but, we're having quite a few in our environment.

CUCM v. 12.5

ISE v. 3.0

Here are the steps from ISE:

Steps

	11001	Received RADIUS Access-Request
	11017	RADIUS created a new session
	15049	Evaluating Policy Group
	15008	Evaluating Service Selection Policy
	15048	Queried PIP - Network Access.Device IP Address
	15048	Queried PIP - DEVICE.Device Type
	11507	Extracted EAP-Response/Identity
	12500	Prepared EAP-Request proposing EAP-TLS with challenge
	12625	Valid EAP-Key-Name attribute received
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12502	Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
	12800	Extracted first TLS record; TLS handshake started
	12545	Client requested EAP-TLS session ticket
	12542	The EAP-TLS session ticket received from supplicant while the stateless session resume is disabled. Performing full authentication
	12805	Extracted TLS ClientHello message
	12806	Prepared TLS ServerHello message
	12807	Prepared TLS Certificate message
	12809	Prepared TLS CertificateRequest message
	12505	Prepared EAP-Request with another EAP-TLS challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12504	Extracted EAP-Response containing EAP-TLS challenge-response
	12505	Prepared EAP-Request with another EAP-TLS challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12504	Extracted EAP-Response containing EAP-TLS challenge-response
	12505	Prepared EAP-Request with another EAP-TLS challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12504	Extracted EAP-Response containing EAP-TLS challenge-response
	12505	Prepared EAP-Request with another EAP-TLS challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request ( Step latency=1533 ms)
	11018	RADIUS is re-using an existing session
	12504	Extracted EAP-Response containing EAP-TLS challenge-response
	12505	Prepared EAP-Request with another EAP-TLS challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12504	Extracted EAP-Response containing EAP-TLS challenge-response
	12571	ISE will continue to CRL verification if it is configured for specific CA - certificate for CP-6921-SEP2c542d6ac3f2
	12571	ISE will continue to CRL verification if it is configured for specific CA - certificate for Cisco Manufacturing CA
	12814	Prepared TLS Alert message
	12817	TLS handshake failed
	12516	EAP-TLS failed SSL/TLS handshake because of an expired certificate in the client certificates chain
	12507	EAP-TLS authentication failed
	12505	Prepared EAP-Request with another EAP-TLS challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12504	Extracted EAP-Response containing EAP-TLS challenge-response
	61025	Open secure connection with TLS peer
	11504	Prepared EAP-Failure
	11003	Returned RADIUS Access-Reject

OpenSSLErrorMessage	SSL alert: code=0x22D=557 ; source=local ; type=fatal ; message="X509 certificate expired.s3_srvr.c:3594 error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed [error=336105606 lib=20 func=137 reason=134]"
OpenSSLErrorStack	19963:error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed:s3_srvr.c:3594:

Authentication Details

Source Timestamp	2022-05-25 12:45:18.867
Received Timestamp	2022-05-25 12:45:18.867
Policy Server	Server name
Event	5400 Authentication failed
Failure Reason	12516 EAP-TLS failed SSL/TLS handshake because of an expired certificate in the client certificates chain
Resolution	Check whether the client used an expired certificate. Check whether the one of the trust certificates in the client trust chain has expired. Check the OpenSSLErrorMessage and OpenSSLErrorStack for more information.
Root cause	EAP-TLS failed SSL/TLS handshake because of an expired certificate in the client certificates chain
Username	USERNAME
Endpoint Id	2C:54:2D:6A:C3:F2
Calling Station Id	2C-54-2D-6A-C3-F2
Audit Session Id	0A23FCA9000000170A0D4A66
Authentication Method	dot1x
Authentication Protocol	EAP-TLS
Service Type	Framed
Network Device	Switch name
Device Type	All Device Types#Switches
Location
NAS IPv4 Address	Switch IP
NAS Port Id	FastEthernet0/7
NAS Port Type	Ethernet
Response Time	2 milliseconds

ahollifield · ‎05-25-2022

I think this should give you your answer:

EAP-TLS failed SSL/TLS handshake because of an expired certificate in the client certificates chain"

Check the trusted CAs in the phone configuration and ensure the one used to validate the ISE Certificate is not expired. Are you attempting to use EAP-TLS with these phones? What is your desired EAP method?

View solution in original post

ahollifield · ‎05-25-2022

I think this should give you your answer:

EAP-TLS failed SSL/TLS handshake because of an expired certificate in the client certificates chain"

Check the trusted CAs in the phone configuration and ensure the one used to validate the ISE Certificate is not expired. Are you attempting to use EAP-TLS with these phones? What is your desired EAP method?