cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

7135
Views
1
Helpful
7
Replies
Highlighted
Beginner

Windows 7 machine fails to complete EAP-TLS authentication with ISE

Hi All

We're having a bit of a problem with machine authentication to ISE 2.2

The initial RADIUS request and challenge is done without problem where the server hello has been completed but for some reason the client certificate exchange does not seem to be taking place.

This is the trace captured from the windows machine.

[3456] 09-27 12:04:25:094: EapTlsInitialize2

[3456] 09-27 12:04:25:094: EAP-TLS using All-purpose cert

[3456] 09-27 12:04:25:094:  Self Signed Certificates will not be selected.

[3456] 09-27 12:04:25:094: EAP-TLS will accept the  All-purpose cert

[3456] 09-27 12:04:25:094: EapTlsInitialize2: PEAP using All-purpose cert

[3456] 09-27 12:04:25:094: PEAP will accept the  All-purpose cert

[3456] 09-27 12:04:25:094: Createing connection properties for type: 13 ...

[3456] 09-27 12:04:25:094: CopyXmlDoc returned: 0x0

[3456] 09-27 12:04:25:125: Could not select node for eaptlsconnectionpropertiesv1:SmartCard[1]

[3456] 09-27 12:04:25:125: Enable Prompt for Server Validation

[3456] 09-27 12:04:25:125: There is no attribute with this name so returning default value as TRUE with an error code 1

[3456] 09-27 12:04:25:125: Either TLS or PeapExtension tags are present.

[3456] 09-27 12:04:25:125: Successfully generated blob for Connection Properties in EAPTLS(13)

[3456] 09-27 12:04:25:125: EapTls[Un]Initialize2

[3456] 09-27 12:04:25:125: ClearCachedCredList.

[8076] 09-27 12:08:11:599: EapTlsInitialize2

[8076] 09-27 12:08:11:599: EAP-TLS using All-purpose cert

[8076] 09-27 12:08:11:599:  Self Signed Certificates will not be selected.

[8076] 09-27 12:08:11:599: EAP-TLS will accept the  All-purpose cert

[8076] 09-27 12:08:11:599: EapTlsInitialize2: PEAP using All-purpose cert

[8076] 09-27 12:08:11:599: PEAP will accept the  All-purpose cert

[8076] 09-27 12:08:11:599: Createing connection properties for type: 13 ...

[8076] 09-27 12:08:11:599: CopyXmlDoc returned: 0x0

[8076] 09-27 12:08:11:646: Could not select node for eaptlsconnectionpropertiesv1:SmartCard[1]

[8076] 09-27 12:08:11:646: Enable Prompt for Server Validation

[8076] 09-27 12:08:11:646: There is no attribute with this name so returning default value as TRUE with an error code 1

[8076] 09-27 12:08:11:646: Either TLS or PeapExtension tags are present.

[8076] 09-27 12:08:11:646: Successfully generated blob for Connection Properties in EAPTLS(13)

[8076] 09-27 12:08:11:646: EapTls[Un]Initialize2

[8076] 09-27 12:08:11:646: ClearCachedCredList.

[6188] 09-27 12:09:30:053: EapTlsInitialize2

[6188] 09-27 12:09:30:053: EAP-TLS using All-purpose cert

[6188] 09-27 12:09:30:053:  Self Signed Certificates will not be selected.

[6188] 09-27 12:09:30:053: EAP-TLS will accept the  All-purpose cert

[6188] 09-27 12:09:30:053: EapTlsInitialize2: PEAP using All-purpose cert

[6188] 09-27 12:09:30:053: PEAP will accept the  All-purpose cert

[6188] 09-27 12:09:30:053: Createing connection properties for type: 13 ...

[6188] 09-27 12:09:30:053: CopyXmlDoc returned: 0x0

[6188] 09-27 12:09:30:084: Could not select node for eaptlsconnectionpropertiesv1:SmartCard[1]

[6188] 09-27 12:09:30:084: Enable Prompt for Server Validation

[6188] 09-27 12:09:30:084: There is no attribute with this name so returning default value as TRUE with an error code 1

[6188] 09-27 12:09:30:084: Either TLS or PeapExtension tags are present.

[6188] 09-27 12:09:30:084: Successfully generated blob for Connection Properties in EAPTLS(13)

[6188] 09-27 12:09:30:084: EapTls[Un]Initialize2

[6188] 09-27 12:09:30:084: ClearCachedCredList.

[2664] 09-27 12:11:44:380: EapTlsInitialize2

[2664] 09-27 12:11:44:380: EAP-TLS using All-purpose cert

[2664] 09-27 12:11:44:380:  Self Signed Certificates will not be selected.

[2664] 09-27 12:11:44:380: EAP-TLS will accept the  All-purpose cert

[2664] 09-27 12:11:44:380: EapTlsInitialize2: PEAP using All-purpose cert

[2664] 09-27 12:11:44:380: PEAP will accept the  All-purpose cert

[2664] 09-27 12:11:44:380: Createing connection properties for type: 13 ...

[2664] 09-27 12:11:44:381: CopyXmlDoc returned: 0x0

[2664] 09-27 12:11:44:400: Could not select node for eaptlsconnectionpropertiesv1:SmartCard[1]

[2664] 09-27 12:11:44:400: Enable Prompt for Server Validation

[2664] 09-27 12:11:44:400: There is no attribute with this name so returning default value as TRUE with an error code 1

[2664] 09-27 12:11:44:400: Either TLS or PeapExtension tags are present.

[2664] 09-27 12:11:44:400: Successfully generated blob for Connection Properties in EAPTLS(13)

[2664] 09-27 12:11:44:400: EapTls[Un]Initialize2

[2664] 09-27 12:11:44:400: ClearCachedCredList.

Any advice on why the client machine is not sending it's certificate to the ISE PSN?

Thanks for the help.

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Cisco Employee

EAP-TLS is particularly sensitive to fragmentation. If you haven't already, you might want to verify there are no MTU mismatches between the switch and ISE.

I worked with a customer that had jumbo frames enabled on their access switches (for no apparent reason) and insisted that there were no MTU mismatches between the switches and ISE.

As soon as I configured the access switch to use system mtu 1500, EAP-TLS worked perfectly.

View solution in original post

7 REPLIES 7
Highlighted
Cisco Employee

svchost_RASTLS.LOG seems to have more entries, like this:

...

[3700] 09-27 12:04:25:704: Server name: psn1p

[3700] 09-27 12:04:25:704: Server name specified:

[3700] 09-27 12:04:25:704: Server name validation is disabled

[3700] 09-27 12:04:25:704: CreateMPPEKeyAttributes

[3700] 09-27 12:04:25:704: State change to RecdFinished

[3700] 09-27 12:04:25:704: BuildPacket

[3700] 09-27 12:04:25:704: << Sending Response (Code: 2) packet: Id: 124, Length: 6, Type: 13, TLS blob length: 0. Flags:

[3700] 09-27 12:04:25:751:

[3700] 09-27 12:04:25:751: EapTlsMakeMessage(host/testmachine)

[3700] 09-27 12:04:25:751: >> Received Success (Code: 3) packet: Id: 124, Length: 4, Type: 0, TLS blob length: 0. Flags:

[3700] 09-27 12:04:25:751: EapTlsCMakeMessage, state(4) flags (0x3408)

[3700] 09-27 12:04:25:751: Negotiation result according to peer: success

[3700] 09-27 12:04:25:751: Negotiation successful

[3700] 09-27 12:04:25:751: EapTlsEnd

[3700] 09-27 12:04:25:751: EapTlsEnd(host/testmachine)

...

What are you seeing at ISE PSN side?

Anything special about this EAP-TLS? If smart-card, then you might want to ensure it working with non-smart-card, etc.

Highlighted

Hi hslai

This is what we see on ISE.

Capture1.PNG

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Radius.User-Name
15048 Queried PIP - Network Access.Device IP Address
15048 Queried PIP - DEVICE.Stage
15048 Queried PIP - Normalised Radius.RadiusFlowType
15004 Matched rule - 8021X
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12502 Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12808 Prepared TLS ServerKeyExchange message
12809 Prepared TLS CertificateRequest message
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
12935 Supplicant stopped responding to ISE during EAP-TLS certificate exchange (  Step latency=120001 ms)
5411 Supplicant stopped responding to ISE

Thanks again for your assistance.

Highlighted

If not already done, I suggest to engage Cisco TAC.

The ISE steps basically said it sent out some challenges and did not received either enough challenge responses or what it expected in the response. The next steps would be

(1) to take a wire capture between ISE and the endpoint of the exchange and

(2) to enable DEBUG on AAA runtime, to check the ISE debug logs and those on the endpoint, and compare the timings, and

(3) to provide your ISE system certificate(s) and key-and-cert pair of a similar endpoint EAP-TLS certificate to try a recreate in another lab setup

Below shows a sample of successful EAP-TLS auth:

Steps

  11001 Received RADIUS Access-Request

  11017 RADIUS created a new session

  15049 Evaluating Policy Group

  15008 Evaluating Service Selection Policy

  11507 Extracted EAP-Response/Identity

  12500 Prepared EAP-Request proposing EAP-TLS with challenge

  12625 Valid EAP-Key-Name attribute received

  11006 Returned RADIUS Access-Challenge

  11001 Received RADIUS Access-Request

  11018 RADIUS is re-using an existing session

  12502 Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated

  12800 Extracted first TLS record; TLS handshake started

  12805 Extracted TLS ClientHello message

  12806 Prepared TLS ServerHello message

  12807 Prepared TLS Certificate message

  12808 Prepared TLS ServerKeyExchange message

  12809 Prepared TLS CertificateRequest message

  12505 Prepared EAP-Request with another EAP-TLS challenge

  11006 Returned RADIUS Access-Challenge

  11001 Received RADIUS Access-Request

  11018 RADIUS is re-using an existing session

  12504 Extracted EAP-Response containing EAP-TLS challenge-response

  12505 Prepared EAP-Request with another EAP-TLS challenge

  11006 Returned RADIUS Access-Challenge

  11001 Received RADIUS Access-Request

  11018 RADIUS is re-using an existing session

  12504 Extracted EAP-Response containing EAP-TLS challenge-response

  12505 Prepared EAP-Request with another EAP-TLS challenge

  11006 Returned RADIUS Access-Challenge

  11001 Received RADIUS Access-Request

  11018 RADIUS is re-using an existing session

  12504 Extracted EAP-Response containing EAP-TLS challenge-response

  12811 Extracted TLS Certificate message containing client certificate

  12812 Extracted TLS ClientKeyExchange message

  12813 Extracted TLS CertificateVerify message

  12804 Extracted TLS Finished message

  12801 Prepared TLS ChangeCipherSpec message

  12802 Prepared TLS Finished message

  12816 TLS handshake succeeded

  12509 EAP-TLS full handshake finished successfully

  12505 Prepared EAP-Request with another EAP-TLS challenge

  11006 Returned RADIUS Access-Challenge

  11001 Received RADIUS Access-Request

  11018 RADIUS is re-using an existing session

  12504 Extracted EAP-Response containing EAP-TLS challenge-response

  61025 Open secure connection with TLS peer

  15041 Evaluating Identity Policy

  22072 Selected identity source sequence - All_User_ID_Stores

  22070 Identity name is taken from certificate attribute

  22037 Authentication Passed

  12506 EAP-TLS authentication succeeded

  24423 ISE has not been able to confirm previous successful machine authentication

  15036 Evaluating Authorization Policy

  11055 User name change detected for the session. Attributes for the session will be removed from the cache

  15048 Queried PIP - Radius.NAS-Port-Type

  15048 Queried PIP - EndPoints.LogicalProfile

  15048 Queried PIP - Network Access.AuthenticationStatus

  15016 Selected Authorization Profile - PermitAccess

  22081 Max sessions policy passed

  22080 New accounting session created in Session cache

  11503 Prepared EAP-Success

  11002 Returned RADIUS Access-Accept

Highlighted
Cisco Employee

EAP-TLS is particularly sensitive to fragmentation. If you haven't already, you might want to verify there are no MTU mismatches between the switch and ISE.

I worked with a customer that had jumbo frames enabled on their access switches (for no apparent reason) and insisted that there were no MTU mismatches between the switches and ISE.

As soon as I configured the access switch to use system mtu 1500, EAP-TLS worked perfectly.

View solution in original post

Highlighted

Hi Mr Gibbs,

I am so pleased that I found your post, as I was starting to pull the last remaining strains of hair from my head.

In our situation we have an ASR sitting between the ISE/Prime and WLC's and one interface had an MTU size of 1500 and the other interface had it set to 9000. Resetting it to 1500 resolved my EAP-TLS authentication.

In addition it also fixed up the WLC sync problem that I was having on the Prime Infrastructure. I logged a TAC case last year but couldn't get to the bottom of it - so it's a two for one win today

 

Many thanks for your post - brilliant

 

Cheers,

John

Highlighted

Hi Greg

I am having the similar Issue. I verified MTU size which is set to 1500 on the access switch where my local Aruba controller is connected. However, I just noticed that my ISE TACACS is broken for that access switch. Do you think that would cause the Issue ?

The issue is when users are connecting to my SSID they are not able to connect and ISE is giving the following error message. 

 

Event 5411 Supplicant stopped responding to ISE

Failure Reason 12942 Supplicant stopped responding to ISE during conducting inner EAP-TLS method. 

I see the username on the ISE is shows up with "host" infront of the machine name. for instance Username  host/FREXXXL4234.my example.com

 

Highlighted
Cisco Employee

Greg has a very good point. Additionally, I would also suggest to check the certificates. Below are two MS articles on that topic: