
What RFC is ISE / IOS-XE 17 using for EAP Re-authentication Protocol?

LuensmannIT
Level 1

Good day everyone,

We are currently having a problem with Polycom Studio TC8 devices, which do not re-authenticate after the re-authentication timer has expired and therefore lose the connection to the network. We are using PEAP with these devices.

A case at HP has shown that the EAP re-authentication protocol RFC 6630 is currently not supported on these devices.

I'm wondering whether we even use the methods and extensions described in RFC 6630.

I would have assumed that RFC 6696 or the older RFC 5296 would be used for this.

Can someone tell me which standard is used?

We use switches with IOS-XE version 17.09.03 and the ISE in version 3.1.0.518

1 Accepted Solution


See https://cs.co/ise-compatibility for your release then look under the section Supported Protocol Standards, RFCs, and IETF Drafts. None of the RFCs you mentioned are there but that should not be necessary for basic re-authentication using RFC2865 Session-Timeout and Termination-Action
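To check this in a capture, the following added example (not part of the thread and not Cisco's code) parses a RADIUS Access-Accept and reports what the Session-Timeout and Termination-Action attributes ask the switch to do. The function names and the sample packet are constructed for illustration, and the interpretation of Termination-Action = RADIUS-Request as "re-authenticate" follows the 802.1X usage in RFC 3580, which the thread does not cite.

```python
import struct

ACCESS_ACCEPT = 2        # RFC 2865 packet code
SESSION_TIMEOUT = 27     # RFC 2865 attribute, 32-bit seconds
TERMINATION_ACTION = 29  # RFC 2865 attribute: 0 = Default, 1 = RADIUS-Request

def parse_radius(packet: bytes):
    """Return (code, {attr_type: [raw values]}) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad Length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return code, attrs

def _u32(attrs, a_type):
    vals = attrs.get(a_type)
    if not vals or len(vals[0]) != 4:
        return None
    return struct.unpack("!I", vals[0])[0]

def reauth_policy(packet: bytes):
    """Classify what the server asked the switch to do when the timer expires."""
    code, attrs = parse_radius(packet)
    if code != ACCESS_ACCEPT:
        return ("not-accept", None)
    timeout = _u32(attrs, SESSION_TIMEOUT)
    if timeout is None:
        return ("no-timer", None)
    # RFC 3580 reading for 802.1X: RADIUS-Request means re-authenticate,
    # anything else means the session ends when the timer runs out.
    if _u32(attrs, TERMINATION_ACTION) == 1:
        return ("reauthenticate", timeout)
    return ("terminate", timeout)

def build_packet(code, attrs):
    """Constructed test packet: zeroed authenticator, identifier 1."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

SAMPLE = build_packet(ACCESS_ACCEPT, [(SESSION_TIMEOUT, struct.pack("!I", 3600)),
                                      (TERMINATION_ACTION, struct.pack("!I", 1))])
print(reauth_policy(SAMPLE))
```

A result of `("terminate", ...)` for the affected endpoints would mean the session is being ended rather than re-authenticated when the timer expires.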


4 Replies

Arne Bier
VIP

I would have to study those RFCs in detail - but never had to in the past, just to make re-authentication work. I have not seen in the ISE docs which RFCs are used in this case.

In my experience, if you disable all the enhancements (Fast Reconnect) then a re-auth means that the device has to go through the same procedure it goes through when you first connect it to the network. Have you tried disabling the ISE EAP enhancements? Have you captured a Wireshark trace to see what happens when the session times out? Does the NAD send an EAPOL frame to the device, and does the device respond? Wired or wireless? If wired, you can capture the frames directly on the switch.

LuensmannIT
Level 1

Hi Arne,

So far we haven't really been involved in the troubleshooting process because the specialist department (video conferencing systems) has assumed, and continues to assume, that the problem is not to be found on the network side.
These systems can be operated in two different modes: classic method and native MS Teams integration. As long as the systems were operated using the classic method, there were probably never any problems with reauthentication - at least we were not approached about a problem. Only after changing the mode to native MS Teams integration do problems occasionally occur. However, since problems with reauthentication only occur occasionally and not always, and it always works with the classic method, I assume that this system is capable of reauthentication and the RFC used by the system is also the RFC that we use with ISE.

I therefore assume that this is just a stalling tactic from HP as they cannot solve the problem directly.

I have opened a TAC case for this and am waiting for the answer regarding the RFC used.

My colleague is in the process of analyzing the data capture, but this may take some time.

Awesome @thomas !
Thank you so much for this link - bookmarked!