Some Laptop Failure connect ISE 3.2 using EAP-TLS

User32234 · ‎02-02-2024

Hi,

I have migration from Cisco ISE 2.3 to ISE 3.2

We create a new VM to deploy ISE 3.2, and manually config the ISE 3.2 same with ISE 2.3.

After test, some laptop are success to authentication, but some laptop is failure to.

The error message is "5440 Endpoint abandoned EAP Session and started new"

When the endpoint try to connect ISE 2.3, there is no problem with that.

We already check the windows version, network driver is same.

Any bugs or different service so we facing this issue?

Aref Alsouqi · ‎02-02-2024

I think that error code is more related to the endpoints rather than ISE. Is there any major difference between the endpoints that can and can't connect? also, the ones that can connect, can they connect all the time?

User32234 · ‎02-02-2024

Thanks for your reply @Aref Alsouqi

Q : Is there any major difference between the endpoints that can and can't connect?

A : that no difference. The endpoints use windows 10 version 22H2

Q : the ones that can connect, can they connect all the time?

A : ya, they can connect all the time

For the endpoints can't connect, I try to pointing to ISE 2.3 (existing) as radius server and it connected.

Aref Alsouqi · ‎02-02-2024

Could you please share a whole failure log as a screenshot for review?

User32234 · ‎02-02-2024

Hi @Aref Alsouqi ,

I have attached the error live logs, and take PCAP.
Here for failed authentication.

Here for success authentication.

Arne Bier · ‎02-04-2024

In the failed case, the process breaks down after the server hello. That seems to indicate that the supplicant doesn't like the ISE EAP certificate. It feels very much like there is a certificate issue on those laptops - their CA cert chain might not be 100% correct to trust the new ISE.

Aref Alsouqi · ‎02-02-2024

Thanks for that. It does seem to go in a loop with the RADIUS requests and responses. Could you please try this with one of those laptops that can't connect:

1) Disable WiFi NIC

2) Remove the endpoint MAC address from the WLC in the client page

3) Remove the endpoint MAC address from ISE

4) Re-enable the WiFi NIC

If you have same issue with wired, please do same as above obv with the exception for step 2.

thomas · ‎02-08-2024

This is a certificate or timer problem on your endpoints. They do not like the new ISE certificate or they did not receive a response fast enough from your new ISE server, timed out, and started a new session. Probably a certificate issue. This is never a driver issue - it is a Windows endpoint supplicant configuration issue.

MHM Cisco World · ‎02-09-2024

it can that the Laptop timeout is shorter than new ISE response (for delay in response you need to check resource of VM for ISE)
so in laptop if you use win go to advanced secuirty and adjust the timeout of hold and auth to more slightly longer
do this in one laptop if it OK then apply to all other non-work laptop
MHM

hslai · ‎02-12-2024

@User32234 Take a look at CSCwb77915 Toggle to enable/disable RSA PSS cipher based on policy under Allowed Protocols

If your ISE is 3.2 Patch 1 or later, the new option is part of CLI command "application configure ise" and select the option Enable/Disable/Current_status of RSA_PSS signature for EAP-TLS