09-10-2021 07:24 AM - edited 09-10-2021 07:43 AM
I'm working on deploying a wired SDA solution that requires 802.1X authentication. I have successfully tested it on the POC environment (1 Fusion Router, 1 x Border, 1 x Edge).
I'm now deploying stacks of 9300 switches on production (2 x Fusion, 2 x Border, multiple Edges) with a "similar" switch config to the POC devices, only to find out that the desktop and laptop endpoints are failing to authenticate. I'm using certificate authentication with EAP-TLS. I don't suspect any certificate or supplicant misconfiguration, as the endpoints are working fine on the POC.
MTU settings are the same across both POC and PROD.
What is it that I'm missing on the switch config that could explain such behavior?
Any help will be much appreciated.
Please find below the log from ISE.
Not sure how to verify some of the options proposed in the Resolution box.
| Field | Value |
| --- | --- |
| Event | 5411 Supplicant stopped responding to ISE |
| Failure Reason | 12935 Supplicant stopped responding to ISE during EAP-TLS certificate exchange |
| Resolution | Verify that supplicant is configured properly to conduct a full EAP conversation with ISE. Verify that NAS is configured properly to transfer EAP messages to/from supplicant. Verify that supplicant or NAS does not have a short timeout for EAP conversation. Check the network that connects the Network Access Server to ISE. Verify that ISE local server certificate is trusted on supplicant. Verify that supplicant has a properly configured user/machine certificate. |
| Root cause | Supplicant stopped responding to ISE during EAP-TLS certificate exchange |
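As an added example (not part of the thread or of any Cisco tool), the script below applies the same triage reasoning used in this thread to a constructed ISE-style live-log export: it groups the 5411/5440 stall events by NAD and authentication method, and flags endpoints whose EAP-TLS succeeds on one switch but stalls on another, which points at the NAD rather than at the certificate or supplicant. Column names and all sample values are assumptions.

```python
# Added triage helper; not from the thread. Groups ISE failure events by NAD and
# authentication method to separate NAD-side problems from supplicant-side ones.
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample export in the style of an ISE RADIUS live-log CSV; the column
# names and values are made up for illustration. 5200 stands for a passed authentication;
# 5411 and 5440 are the event codes quoted in the thread.
SAMPLE_LOG = """\
nad,endpoint,auth_method,event
poc-edge-1,laptop-01,EAP-TLS,5200
poc-edge-1,desktop-02,EAP-TLS,5200
poc-edge-1,phone-01,MAB,5200
prod-edge-1,laptop-01,EAP-TLS,5411
prod-edge-1,desktop-02,EAP-TLS,5440
prod-edge-1,phone-01,MAB,5200
prod-edge-2,laptop-03,EAP-TLS,5411
prod-edge-2,phone-02,MAB,5200
"""

# Event codes whose text in the thread indicates the EAP conversation was cut short.
EAP_STALL_CODES = {"5411", "5440"}

def parse(csv_text):
    return list(csv.DictReader(StringIO(csv_text)))

def nad_verdicts(rows):
    """Per NAD: 'ok', 'eap-tls-stalls-on-this-nad' (every EAP-TLS attempt stalled while
    other methods such as MAB passed, as in the thread), or 'mixed'."""
    verdicts = {}
    for nad in sorted({r["nad"] for r in rows}):
        tls = [r for r in rows if r["nad"] == nad and r["auth_method"] == "EAP-TLS"]
        other = [r for r in rows if r["nad"] == nad and r["auth_method"] != "EAP-TLS"]
        tls_stalled = [r for r in tls if r["event"] in EAP_STALL_CODES]
        other_stalled = [r for r in other if r["event"] in EAP_STALL_CODES]
        if not tls_stalled and not other_stalled:
            verdicts[nad] = "ok"
        elif tls and len(tls_stalled) == len(tls) and not other_stalled:
            verdicts[nad] = "eap-tls-stalls-on-this-nad"
        else:
            verdicts[nad] = "mixed"
    return verdicts

def endpoints_ok_elsewhere(rows):
    """Endpoints whose EAP-TLS stalled on some NADs but passed on another. The same
    certificate working on one switch argues against a supplicant/certificate fault."""
    ok_on, stalled_on = defaultdict(set), defaultdict(set)
    for r in rows:
        if r["auth_method"] != "EAP-TLS":
            continue
        bucket = stalled_on if r["event"] in EAP_STALL_CODES else ok_on
        bucket[r["endpoint"]].add(r["nad"])
    return {ep: sorted(nads) for ep, nads in stalled_on.items() if ok_on.get(ep)}
```

Running it on the constructed export labels the POC edge "ok", both PROD edges "eap-tls-stalls-on-this-nad", and lists laptop-01 and desktop-02 as stalling only on prod-edge-1 while passing on the POC.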
09-10-2021 08:18 AM
I am sure you have confirmed that along the whole path the MTU is set up as per the SD-Access requirement?
What is the version of code on the Cat 9300 POC and Prod?
What kind of certificate is it? Is it locally signed? Is it a wildcard?
09-10-2021 09:33 AM - edited 09-10-2021 09:42 AM
Hi BB
Thanks for the feedback. Yes, the MTU setup is the default as per the SD-Access requirement.
system mtu 9100
interface Loopback0
 description Fabric Node Router ID
 ip address XX.XXX.XXX.XXX 255.255.255.255
 ip router isis
 clns mtu 1400
I'm using the versions below:
POC: Version 17.03.01.0.351
PROD: Version 17.03.03.0.4762
We are using a self-signed certificate (issued by the company).
It's interesting because the phones I have tested work on both PROD and POC; they are not using certificates, though.
However, the desktops and laptops only authenticate on the POC.
Some logs are displaying the below:
| Field | Value |
| --- | --- |
| Event | 5440 Endpoint abandoned EAP session and started new |
| Failure Reason | 5440 Endpoint abandoned EAP session and started new |
| Resolution | Verify known NAD or supplicant issues and published bugs. Verify NAD and supplicant configuration. |
| Root cause | Endpoint started new authentication while previous is still in progress. Most probable that supplicant on that endpoint stopped conducting the previous authentication and started the new one. Closing the previous authentication. |
Looking forward to hearing from you.
Thanks
09-10-2021 10:11 AM
If you have a spare switch for testing, load IOS XE Version 17.03.01.0.351, install it in production and test it.
Looks to me like a bug, but I'm not sure until we do this test. 17.3.4 is the suggested code, I guess.
09-13-2021 02:54 AM
Good Morning BB,
I will explore that option. May I point out that the production switch is a stack (3 switches), as opposed to the POC, which is standalone.
Thanks
09-13-2021 06:33 AM
Hi BB,
I did try what you suggested and it worked. So there must be a bug with the version currently installed on the Prod switches.
Thanks for your help.
09-10-2021 08:27 AM
- Check the ISE version and/or correlate with:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr70581
M.
09-10-2021 09:37 AM - edited 09-10-2021 09:43 AM
Hi marce1000
Thanks for the link. Using version 2.7.0.356. Looks like one of the recommended fix releases.
It's interesting because the phones I have tested work on both PROD and POC; they are not using certificates, though.
However, the desktops and laptops only authenticate on the POC.
Some logs for the same device are displaying the below:
| Field | Value |
| --- | --- |
| Event | 5440 Endpoint abandoned EAP session and started new |
| Failure Reason | 5440 Endpoint abandoned EAP session and started new |
| Resolution | Verify known NAD or supplicant issues and published bugs. Verify NAD and supplicant configuration. |
| Root cause | Endpoint started new authentication while previous is still in progress. Most probable that supplicant on that endpoint stopped conducting the previous authentication and started the new one. Closing the previous authentication. |
09-10-2021 11:26 AM
Hello,
Can you post the switch configs?
09-13-2021 06:34 AM
Hi Georg,
It turns out this was a version-related bug.
Thanks for your input.