New Laptop ISE dot1x 11634 Client requested TLS of unknown version

joeharb
Level 5

We have a new laptop that will not authenticate with the network via Wired or Wireless.  I am trying to determine if there was some wrong with the build for this machine and have never had this issue in the past.  No changes have been made to ISE or switch config and authentications are working for other users.  Within ISE I see the following:  

Event 5400 Authentication failed
Failure Reason 11634 Client requested TLS of unknown version

I have tried to capture on the PSN but didn't see much and ran wireshark on the machine but don't see any indication of the issue.  Any suggestions on how to troubleshoot this further?

Thanks,

Joe

Accepted Solution

joeharb
Level 5

Appreciate everyone's assistance, going to open a TAC case on this, not able to locate in any of the logs what the client is actually presenting to ISE.

Thanks,

Joe


8 Replies

Hi @joeharb,

If you are using Cisco AnyConnect, please generate a DART bundle and check it for more information.

Hope this helps!!!

ISE Version? Patch level?  Do you have FIPS mode enabled?  AnyConnect or Windows Native supplicant?  What versions of TLS do you have enabled within ISE? 

https://community.cisco.com/t5/security-documents/how-to-ask-the-community-for-help/ta-p/3704356

joeharb
Level 5

ISE Version 2.7.0.356 Patch 3

FIPS Mode disabled.

Windows 10 native supplicant.

TLS 1.0/1.1/1.2 are allowed.

Thanks,

Joe


This does indeed sound like an issue with that particular laptop.  However you are running a very old patch of 2.7.  I would recommend updating to Patch 7 as a best practice but I don't expect that to make a difference if other endpoints are working as expected.  

Also: https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-2943876.html

ammahend
VIP

A good place to capture would be the authenticator, so you have both EAP (client side) and RADIUS (server side) visibility; also capture the endpoint debug from ISE and share it. I agree that keeping the patch level up to date is always a good idea.

-hope this helps-

joeharb
Level 5

The following snippet is from the client side capture filtering for eap traffic:

[attached screenshot: LTFailure.JPG]

I have attached the endpoint debug as well.  Will work on getting a fresh trace from ISE.
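As an added example (not code from any poster in this thread), a small Python parser that pulls the TLS version fields out of the EAP-TLS fragment carrying the ClientHello in a client-side EAP capture, so you can see which versions the supplicant actually offers before the server rejects them; the function names `parse_eap_tls_client_hello` and `build_sample` are assumed, and the sample packet is constructed here rather than taken from the attached capture.

```python
# Added example: extract TLS version fields from an EAP-TLS ClientHello fragment.
# Layout follows RFC 3748 (EAP), RFC 5216 (EAP-TLS) and RFC 8446 (TLS record/ClientHello).
import struct

TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def parse_eap_tls_client_hello(eap: bytes) -> dict:
    """Return record version, ClientHello version, offered versions and unknown codes."""
    code, _ident, _length, eap_type, flags = struct.unpack("!BBHBB", eap[:6])
    if code != 2 or eap_type != 13:              # EAP Response, type 13 = EAP-TLS
        raise ValueError("not an EAP-TLS Response")
    pos = 6 + (4 if flags & 0x80 else 0)         # L bit: 4-byte TLS message length present
    tls = eap[pos:]
    ctype, rec_ver, _rec_len = struct.unpack("!BHH", tls[:5])
    if ctype != 22 or tls[5] != 1:               # handshake record carrying a ClientHello
        raise ValueError("not a ClientHello")
    hello_ver = struct.unpack("!H", tls[9:11])[0]
    p = 11 + 32                                  # skip the 32-byte client random
    p += 1 + tls[p]                              # session id
    p += 2 + struct.unpack("!H", tls[p:p + 2])[0]    # cipher suites
    p += 1 + tls[p]                              # compression methods
    offered = []
    if p + 2 <= len(tls):                        # extensions block is optional
        ext_end = p + 2 + struct.unpack("!H", tls[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", tls[p:p + 4])
            if etype == 43:                      # supported_versions (TLS 1.3 clients)
                vlist = tls[p + 5:p + 4 + elen]  # skip the 1-byte list length
                offered = [struct.unpack("!H", vlist[i:i + 2])[0]
                           for i in range(0, len(vlist), 2)]
            p += 4 + elen
    versions = offered or [hello_ver]            # pre-1.3 clients: version field only
    return {"record_version": TLS_VERSIONS.get(rec_ver, hex(rec_ver)),
            "hello_version": TLS_VERSIONS.get(hello_ver, hex(hello_ver)),
            "offered": [TLS_VERSIONS.get(v, hex(v)) for v in versions],
            "unknown": [hex(v) for v in versions if v not in TLS_VERSIONS]}

def build_sample(versions):
    """Construct a minimal EAP-TLS Response holding a ClientHello (test data only)."""
    vlist = b"".join(struct.pack("!H", v) for v in versions)
    ext = struct.pack("!HH", 43, 1 + len(vlist)) + bytes([len(vlist)]) + vlist
    body = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"      # version, random, empty sid
            + struct.pack("!H", 2) + b"\x13\x01" + b"\x01\x00"   # one suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body          # ClientHello handshake header
    rec = struct.pack("!BHH", 22, 0x0301, len(hs)) + hs          # TLS record header
    return struct.pack("!BBHBB", 2, 1, 6 + len(rec), 13, 0) + rec   # EAP-TLS Response, no L bit
```

Running it over the supplicant's real EAP-Response/EAP-TLS frame from the capture (feed the raw EAP bytes) shows whether a version code outside the known set is being offered, which is the client-side view of what ISE is rejecting.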

Just FYI, you may want to obfuscate those debugs before posting on a public forum. They contain some personally identifiable information, such as an email address.

From what I see in the debugs they show ISE returning a reject and the switch suppressing the client.  
