02-02-2024 06:25 AM
Hi,
I have migrated from Cisco ISE 2.3 to ISE 3.2.
We created a new VM to deploy ISE 3.2, and manually configured ISE 3.2 the same as ISE 2.3.
After testing, some laptops authenticate successfully, but some laptops fail.
The error message is "5440 Endpoint abandoned EAP Session and started new".
When the endpoints try to connect to ISE 2.3, there is no problem.
We already checked that the Windows version and network driver are the same.
Are there any bugs or different services that could cause this issue?
02-02-2024 07:06 AM
I think that error code is more related to the endpoints rather than ISE. Is there any major difference between the endpoints that can and can't connect? Also, the ones that can connect, can they connect all the time?
02-02-2024 07:35 AM
Thanks for your reply @Aref Alsouqi
Q : Is there any major difference between the endpoints that can and can't connect?
A : There is no difference. The endpoints use Windows 10 version 22H2.
Q : the ones that can connect, can they connect all the time?
A : Yes, they can connect all the time.
For the endpoints that can't connect, I tried pointing to ISE 2.3 (existing) as the RADIUS server and they connected.
02-02-2024 07:47 AM
Could you please share a whole failure log as a screenshot for review?
02-02-2024 08:21 AM
Hi @Aref Alsouqi ,
I have attached the error live logs and taken a PCAP.
Here for failed authentication.
Here for success authentication.
02-04-2024 01:26 PM
In the failed case, the process breaks down after the server hello. That seems to indicate that the supplicant doesn't like the ISE EAP certificate. It feels very much like there is a certificate issue on those laptops - their CA cert chain might not be 100% correct to trust the new ISE.
02-02-2024 08:36 AM - edited 02-02-2024 08:36 AM
Thanks for that. It does seem to go in a loop with the RADIUS requests and responses. Could you please try this with one of those laptops that can't connect:
1) Disable WiFi NIC
2) Remove the endpoint MAC address from the WLC in the client page
3) Remove the endpoint MAC address from ISE
4) Re-enable the WiFi NIC
If you have the same issue with wired, please do the same as above, obviously with the exception of step 2.
02-08-2024 11:25 PM - edited 02-08-2024 11:26 PM
This is a certificate or timer problem on your endpoints. They do not like the new ISE certificate or they did not receive a response fast enough from your new ISE server, timed out, and started a new session. Probably a certificate issue. This is never a driver issue - it is a Windows endpoint supplicant configuration issue.
02-09-2024 02:02 AM
It can be that the laptop timeout is shorter than the new ISE response time (for delay in response you need to check the resources of the VM for ISE).
So on the laptop, if you use Windows, go to advanced security and adjust the timeout of hold and auth to be slightly longer.
Do this on one laptop; if it is OK then apply to all the other non-working laptops.
MHM
02-12-2024 05:53 PM
@User32234 Take a look at CSCwb77915 Toggle to enable/disable RSA PSS cipher based on policy under Allowed Protocols
If your ISE is 3.2 Patch 1 or later, the new option is part of the CLI command "application configure ise"; select the option Enable/Disable/Current_status of RSA_PSS signature for EAP-TLS.
04-16-2025 12:29 PM - edited 04-17-2025 03:56 PM
Hello @User32234, @hslai
I'm having exactly the same issue with ISE 3.3 regarding some wireless end-devices (Windows PCs) connected through a dot1x SSID on an AIRE-OS WLC.
I'm currently running ISE 2.7 patch 10 and trying to test migration to ISE 3.3 patch 4.
When the auth/acct server configured on the SSID in the WLC is set to the 2.7 PSN, no issues at all.
Upon changing the auth/acct server to the 3.3 PSN, all end-devices get de-associated (normal, as this modification briefly impacts/interrupts the whole SSID) and quickly re-associate to the SSID. Then, a part of them authenticate correctly BUT a part of them get into a loop pattern with the "5440 - Endpoint abandoned EAP session and started new" error message. These devices all get to the point where the client certificate is sent to ISE (as I can see the client cert in each live log, along with TLS 1.2 version and cipher ECDHE-RSA-AES256-GCM-SHA384), then they systematically abandon the session:
12802 Prepared TLS Finished message 0
12816 TLS handshake succeeded 0
12509 EAP-TLS full handshake finished successfully 0
12505 Prepared EAP-Request with another EAP-TLS challenge 0
11006 Returned RADIUS Access-Challenge 0
5440 Endpoint abandoned EAP session and started new 90075
When reconfiguring the auth/acct server to the 2.7 PSN, all devices re-authenticate correctly.
On the PSN, I disabled the RSA_PSS signature using the "application configure ise" CLI command / option 37, but that did not fix the issue.
Both the 2.7 and 3.3 PSNs present an EAP-TLS certificate signed by the same issuing CA, and the whole chain (root + issuing) is present in all PCs' certificate stores.
@User32234: Could you please provide any help about how you resolved the issue on your side, if so?
Thanks in advance!
Best regards
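The thread describes two different shapes of the 5440 failure: the first PCAP breaks down right after the ServerHello (read above as the supplicant not trusting the ISE EAP certificate chain), while the later ISE 3.3 case reaches "12816 TLS handshake succeeded" before the endpoint walks away, and the latency on the 5440 step (90075 ms) shows how long ISE waited for the next EAP response. The following Python is an added example, not from the thread or from Cisco, that parses ISE live-log step lines in that "code text latency" shape and reports which stage the session was abandoned at; the sample log lines are constructed, and only the step codes quoted in the thread are taken from it (the others are assumed ISE step codes used for illustration).

```python
import re

# Constructed sample ISE live-log step lines, in the "<code> <text> <latency ms>" shape
# shown in the thread. 12802, 12816, 12509, 12505, 11006 and 5440 are quoted from the
# thread; 12805, 12806, 12807 and 11001 are assumed ISE step codes used for illustration.
ABANDONED_AFTER_HANDSHAKE = """\
12802 Prepared TLS Finished message 0
12816 TLS handshake succeeded 0
12509 EAP-TLS full handshake finished successfully 0
12505 Prepared EAP-Request with another EAP-TLS challenge 0
11006 Returned RADIUS Access-Challenge 0
5440 Endpoint abandoned EAP session and started new 90075
"""
ABANDONED_AFTER_SERVER_HELLO = """\
12805 Extracted TLS ClientHello message 0
12806 Prepared TLS ServerHello message 0
12807 Prepared TLS Certificate message 0
11006 Returned RADIUS Access-Challenge 0
5440 Endpoint abandoned EAP session and started new 30012
"""
SUCCESS = """\
12816 TLS handshake succeeded 0
12509 EAP-TLS full handshake finished successfully 0
11001 Returned RADIUS Access-Accept 0
"""

STEP_RE = re.compile(r"^\s*(\d{4,5})\s+(.*?)\s+(\d+)\s*$")

def parse_steps(log):
    """Return [(code, text, latency_ms)] for every well-formed step line; skip the rest."""
    return [(int(m.group(1)), m.group(2), int(m.group(3)))
            for m in map(STEP_RE.match, log.splitlines()) if m]

def classify_session(steps):
    """Report where in EAP-TLS the endpoint abandoned the session and how long ISE waited.

    after_server_hello: ISE sent ServerHello/certificate, handshake never completed
    after_handshake:    12816 seen, then 5440 (the later ISE 3.3 shape in the thread)
    """
    codes = [c for c, _, _ in steps]
    if 5440 not in codes:
        return {"stage": "completed", "wait_ms": 0}
    wait = next(lat for c, _, lat in steps if c == 5440)   # ms ISE waited for the client
    if 12816 in codes:
        stage = "after_handshake"
    elif any("ServerHello" in text for _, text, _ in steps):
        stage = "after_server_hello"
    else:
        stage = "before_server_hello"
    return {"stage": stage, "wait_ms": wait}
```

Run `classify_session(parse_steps(log))` over each failing session exported from Live Logs; a population stuck at `after_server_hello` points at endpoint trust of the ISE EAP certificate, while `after_handshake` with a long wait is the pattern the 3.3 post above describes.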