01-10-2023 01:23 AM
Hello!
I am seeing an error for users when they sometimes cannot connect to Wi-Fi:
Supplicant stopped responding to ISE during PEAP tunnel establishment (step latency=120000 ms Step latency=120000 ms)
Open secure connection with TLS peer
Supplicant stopped responding to ISE
We are using Unifi U6-Pro. I can see that it's not one specific AP that is doing this. A user can connect via the same AP sometimes, and then I can see that they are getting the stopped responding error.
When the user connects fine, it's the PEAP (EAP-MSCHAPv2) authentication protocol.
Any suggestions on how to fix this "Supplicant stopped responding to ISE during PEAP tunnel establishment (step latency=120000 ms Step latency=120000 ms)" issue?
Thanks.
01-10-2023 01:41 AM
- Here is some general info (and/or guidance) that could be looked into:
Check that the client device's clock is set correctly. If the clock is set too far in the future or the past, it can cause issues with certificate-based authentication methods like PEAP.
Verify that the client device has the correct certificate installed. PEAP uses a server certificate to authenticate the network to the client, and a client certificate to authenticate the client to the network. Make sure that the client has the correct certificate installed and that it is trusted by the device.
Ensure that the client device is using the correct username and password. If the client is not able to authenticate, it will stop responding to ISE during PEAP tunnel establishment.
Check the ISE configuration to verify that PEAP is enabled and configured correctly. Also check the EAP settings on the device and make sure that the proper EAP type is selected.
Check the network connectivity. Verify that the client device is able to reach the ISE server and that there are no network issues that are preventing the client from establishing a PEAP tunnel.
Check the ISE and client logs for any additional information. These logs may provide more information about why the supplicant is not responding during PEAP tunnel establishment.
M.
01-10-2023 02:21 AM
Thanks for your answer. I am commenting my answer below the questions.
Check that the client device's clock is set correctly. If the clock is set too far in the future or the past, it can cause issues with certificate-based authentication methods like PEAP.
Verify that the client device has the correct certificate installed. PEAP uses a server certificate to authenticate the network to the client, and a client certificate to authenticate the client to the network. Make sure that the client has the correct certificate installed and that it is trusted by the device. (The client can connect to Cisco ISE, so that means the certificates are working fine. This happens sometimes and not all the time, which means the certificate is not the issue.)
Ensure that the client device is using the correct username and password. If the client is not able to authenticate, it will stop responding to ISE during PEAP tunnel establishment. (The user is logged in with his AD username/password so this means that the username/password is correct)
Check the ISE configuration to verify that PEAP is enabled and configured correctly. Also check the EAP settings on the device and make sure that the proper EAP type is selected. (PEAP works fine from the ISE side because all other users can connect. I can double check on the device, but as I mentioned this happened to the users a few times and not all the time, and we push the settings via the GPO.)
Check the network connectivity. Verify that the client device is able to reach the ISE server and that there are no network issues that are preventing the client from establishing a PEAP tunnel. (From the connectivity side there is no firewall in between and the user can connect fine sometimes. Not sure why the delay happens when the user cannot connect; as you can see, the log says that the client didn't respond, so it looks like the client response doesn't reach the ISE. Maybe the Wi-Fi AP is also creating some issue.)
Check the ISE and client logs for any additional information. These logs may provide more information about why the supplicant is not responding during PEAP tunnel establishment. (I have gone through the Live Logs and I mentioned the last 3 lines that are shown in the logs. Are there any more logs somewhere on ISE that I can check?)
01-10-2023 09:58 PM
Hi @Capricorn
After sending out an Access Challenge for the session, ISE will wait for an Access Request; this time is known as EAP SESSION TIME. The default is 120 sec and it is non-configurable. (You probably have a 11006 Returned RADIUS Access-Challenge.)
Double check if the Authenticator & Supplicant receive this RADIUS Access-Challenge from ISE.
Hope this helps !!!
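Added example, not part of any post in this thread: one way to carry out the check suggested in the reply above is to take the RADIUS packets from a capture on the ISE side and flag every Access-Challenge that got no Access-Request from the same client within the 120-second window, grouped by AP. The record layout, MAC addresses and AP names are constructed for illustration.

```python
from collections import Counter

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_CHALLENGE = 1, 2, 11  # RADIUS codes, RFC 2865
EAP_SESSION_TIMEOUT = 120.0  # seconds; matches "step latency=120000 ms" in the error

# Constructed sample records: (seconds, RADIUS code, Calling-Station-Id, NAS-Identifier)
SAMPLE = [
    (0.00, 1, "AA-BB-CC-00-00-01", "ap-floor1"),
    (0.02, 11, "AA-BB-CC-00-00-01", "ap-floor1"),
    (0.05, 1, "AA-BB-CC-00-00-01", "ap-floor1"),
    (0.07, 2, "AA-BB-CC-00-00-01", "ap-floor1"),
    (10.00, 1, "AA-BB-CC-00-00-02", "ap-floor2"),
    (10.02, 11, "AA-BB-CC-00-00-02", "ap-floor2"),   # never answered
    (140.00, 1, "AA-BB-CC-00-00-02", "ap-floor2"),   # client retries after the timeout
    (140.02, 11, "AA-BB-CC-00-00-02", "ap-floor2"),
    (140.05, 1, "AA-BB-CC-00-00-02", "ap-floor2"),
    (140.07, 2, "AA-BB-CC-00-00-02", "ap-floor2"),
    (200.00, 1, "AA-BB-CC-00-00-03", "ap-floor1"),
    (200.02, 11, "AA-BB-CC-00-00-03", "ap-floor1"),  # never answered
    (390.00, 1, "AA-BB-CC-00-00-04", "ap-floor2"),
    (390.02, 11, "AA-BB-CC-00-00-04", "ap-floor2"),  # still inside the window at capture end
]

def find_stalled(packets, capture_end, timeout=EAP_SESSION_TIMEOUT):
    """Return (mac, nas, challenge_time) for challenges unanswered within `timeout`."""
    pending = {}  # client MAC -> (time the challenge was sent, NAS it went through)
    stalled = []
    for ts, code, mac, nas in sorted(packets):
        if code == ACCESS_CHALLENGE:
            pending[mac] = (ts, nas)
        elif code == ACCESS_REQUEST and mac in pending:
            sent, sent_nas = pending.pop(mac)
            if ts - sent >= timeout:  # the reply came too late: a new attempt
                stalled.append((mac, sent_nas, sent))
    for mac, (sent, nas) in pending.items():
        if capture_end - sent >= timeout:  # no reply at all before the capture ended
            stalled.append((mac, nas, sent))
    return sorted(stalled, key=lambda s: s[2])

def stalled_by_nas(stalled):
    """Count stalled challenges per AP to see whether one AP stands out."""
    return dict(Counter(nas for _, nas, _ in stalled))

if __name__ == "__main__":
    hits = find_stalled(SAMPLE, capture_end=400.0)
    for mac, nas, sent in hits:
        print(f"{mac} via {nas}: challenge at t={sent}s unanswered for 120 s")
    print(stalled_by_nas(hits))
```

Running the same correlation on a capture taken at the AP uplink shows whether the challenge left ISE but the reply never came back from the AP side.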
04-22-2024 07:44 AM
I have this problem right now. Some endpoints are connected, while some cannot connect, so I am wondering why. What can I do to fix this?