Beginner

Some Win 10 clients get "12935 Supplicant stopped responding to ISE during EAP-TLS certificate exchange" errors

Hello,

I'm working with our networking team to get 802.1x EAP-TLS authentication working. It has been successful so far with many of the machines that we've been testing. However, I received a message stating that one of the networking laptops was trying to authenticate and in Cisco's ISE logs it was showing this error: "12935 Supplicant stopped responding to ISE during EAP-TLS certificate exchange".

I've checked all the 802.1x settings, and I have also deleted the computer certificate, and let our Group Policy autoenroll the computer with another certificate to see if that was the issue. I'm still getting the same error on this specific Windows 10 machine, and I'm not sure what else would be different compared to the other clients. When we enroll the entire company into 802.1x, I'd like to say that everything will just work, but I would most likely be wrong.

Is there any further troubleshooting I can do, or things I can check? I noticed my laptop is on Windows 10 1909, but the Windows 10 that was failing was on Windows 10 1807. The version shouldn't matter, but right now I'm not quite sure what I can do with this machine.

1 ACCEPTED SOLUTION

Cisco Employee

Re: Some Win 10 clients get "12935 Supplicant stopped responding to ISE during EAP-TLS certificate exchange" errors

In addition to the suggestions provided by @Damien Miller, I have also seen some client software (like an old Citrix VPN client) use a packet driver that intercepted the EAPOL frame from the switch and did not pass it to the supplicant.

If you have Win10 PCs that do work, in addition to checking driver versions, you should check for any difference in the installed applications, patches, etc. compared to the non-working PC.

Typically, these issues require taking packet captures on the switch, client PC, and potentially ISE to compare what's happening with the EAP and RADIUS handshakes. You might need to engage TAC to assist in troubleshooting at that level.

 

Cheers,

Greg


3 REPLIES
VIP Advocate

Re: Some Win 10 clients get "12935 Supplicant stopped responding to ISE during EAP-TLS certificate exchange" errors

Versions are very important, whether it is the version of Windows, or the version of the drivers on the NIC. Versions don't just get released for new features, but to fix bugs. Are you hitting a bug here? Impossible to say right now.

It's a long list; here are some of the most common issues.
Are you using the same certificate for EAP on all your ISE nodes? Are they CA signed certs for EAP? Does the client machine having the issue have the trust chain installed in their certificate store? Does ISE have the trust chain installed for the client's enrolled certs? Does the supplicant configuration have any differences? On the supplicant configuration, are there any server names specified to trust?
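
The client-side comparison suggested in the replies (driver versions, installed applications and patches, the certificate trust chain) can be scripted so that a working and a failing Windows 10 PC are compared line by line. The following is an added example, not code from any poster or from Cisco; the output file name and the `-CompareWith` parameter are assumptions. It also lists the components bound to each network adapter, which is where a third-party packet driver of the kind mentioned in the accepted solution would show up.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the working
# PC, then on the failing PC with -CompareWith pointing at the working PC's file.
param(
    [string]$OutFile = ".\dot1x-inventory-$env:COMPUTERNAME.txt",  # assumed file name
    [string]$CompareWith                                            # inventory from a working PC
)

function Get-Dot1xInventory {
    $lines = @()
    $os = Get-CimInstance Win32_OperatingSystem
    $lines += "os|$($os.Caption)|$($os.Version)"
    # NIC driver versions
    $lines += Get-NetAdapter -Physical |
        ForEach-Object { "nic|$($_.InterfaceDescription)|$($_.DriverVersion)" }
    # Components bound to the adapters: third-party packet/filter drivers appear here
    $lines += Get-NetAdapterBinding | Where-Object Enabled |
        ForEach-Object { "binding|$($_.ComponentID)|$($_.DisplayName)" }
    # Installed patches and applications
    $lines += Get-HotFix | ForEach-Object { "hotfix|$($_.HotFixID)" }
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $lines += Get-ItemProperty $keys -ErrorAction SilentlyContinue | Where-Object DisplayName |
        ForEach-Object { "app|$($_.DisplayName)|$($_.DisplayVersion)" }
    # Wired AutoConfig (dot3svc) and WLAN AutoConfig (WlanSvc) host the native supplicant
    $lines += Get-Service dot3svc, WlanSvc -ErrorAction SilentlyContinue |
        ForEach-Object { "service|$($_.Name)|$($_.Status)" }
    # Machine certificates usable for EAP-TLS (Client Authentication EKU) and whether
    # their chain builds against the local stores; revocation is not checked here
    $clientAuth = '1.3.6.1.5.5.7.3.2'
    $lines += Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $clientAuth } |
        ForEach-Object {
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = 'NoCheck'
            $ok = $chain.Build($_)
            $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
            "cert|issuer=$($_.Issuer)|expired=$($_.NotAfter -lt (Get-Date))|chainOk=$ok|$status"
        }
    $lines | Where-Object { $_ } | Sort-Object -Unique
}

$inventory = Get-Dot1xInventory
$inventory | Set-Content -Path $OutFile
if ($CompareWith) {
    # '<=' exists only on the working PC, '=>' only on this PC
    Compare-Object (Get-Content $CompareWith) $inventory |
        Sort-Object InputObject | Format-Table SideIndicator, InputObject -AutoSize
}
```

A missing `cert|` line or `chainOk=False` on the failing PC points at the certificate and trust-chain questions; an extra `binding|` or `app|` line points at software sitting between the NIC and the supplicant.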

Beginner

Re: Some Win 10 clients get "12935 Supplicant stopped responding to ISE during EAP-TLS certificate exchange" errors

Thank you, Greg! I did not see your response until today; however, this is very helpful to know. Very much appreciated!