802.1X failed authentication

HAT
Level 1

I'm working on deploying a wired SDA solution that requires 802.1X authentication. I have successfully tested it on the POC environment (1 x Fusion Router, 1 x Border, 1 x Edge).

I'm now deploying stacks of 9300 switches as production switches (2 x Fusion, 2 x Border, multiple Edges) with a "similar" switch config to the POC devices, only to find out that the desktop and laptop endpoints are failing to authenticate. I'm using certificate authentication with EAP-TLS. I'm not suspecting any certificate or supplicant misconfiguration, as the endpoints are working fine on the POC.

MTU settings are the same across both POC and PROD.

What is it that I'm missing on the switch config that could explain such behavior?

Any help will be much appreciated.

Please find below the log from ISE.

Not sure how to verify some of the options proposed in the Resolution box.


Event: 5411 Supplicant stopped responding to ISE
Failure Reason: 12935 Supplicant stopped responding to ISE during EAP-TLS certificate exchange
Resolution: Verify that supplicant is configured properly to conduct a full EAP conversation with ISE. Verify that NAS is configured properly to transfer EAP messages to/from supplicant. Verify that supplicant or NAS does not have a short timeout for EAP conversation. Check the network that connects the Network Access Server to ISE. Verify that ISE local server certificate is trusted on supplicant. Verify that supplicant has a properly configured user/machine certificate.
Root cause: Supplicant stopped responding to ISE during EAP-TLS certificate exchange
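Added illustration (not part of the original post, and not Cisco code): a small Python model of the EAP-TLS fragment exchange (RFC 5216 framing) that the 5411 event refers to. The certificate-chain bytes are constructed filler and the NAD is modelled as a plain relay that may lose one fragment; it shows why the certificate exchange is the step where a NAD that fails to pass every EAP fragment leaves the supplicant waiting until ISE logs "stopped responding".

```python
import struct

EAP_REQUEST = 1
EAP_TYPE_TLS = 13                       # RFC 5216 EAP-TLS method type
FLAG_L, FLAG_M = 0x80, 0x40             # L = TLS length included, M = more fragments follow

# Constructed stand-in for a server certificate chain (3 KB of filler, not a real chain).
CHAIN = bytes(range(256)) * 12

def fragment_tls(tls_record, max_eap_len, start_id=1):
    """Authenticator side: split one TLS record into EAP-TLS Request fragments of at most max_eap_len bytes."""
    frags, offset, ident = [], 0, start_id
    while offset < len(tls_record):
        first = offset == 0
        room = max_eap_len - 6 - (4 if first else 0)   # EAP hdr(4) + type + flags, plus TLS length on the first
        chunk = tls_record[offset:offset + room]
        offset += len(chunk)
        flags = (FLAG_L if first else 0) | (FLAG_M if offset < len(tls_record) else 0)
        body = bytes([EAP_TYPE_TLS, flags]) + (struct.pack("!I", len(tls_record)) if first else b"") + chunk
        frags.append(struct.pack("!BBH", EAP_REQUEST, ident, 4 + len(body)) + body)
        ident = (ident + 1) & 0xFF
    return frags

def relay_through_nad(frags, drop_index=None):
    """Model the NAD relaying EAP between ISE and the supplicant; drop_index simulates one lost fragment."""
    return [f for i, f in enumerate(frags) if i != drop_index]

def reassemble(frags):
    """Supplicant side. Returns the TLS record, or None when the exchange stalls (a fragment missing,
    or M still set on the last packet seen), the situation ISE later reports as event 5411."""
    buf, expected, last_id = b"", None, None
    for pkt in frags:
        code, ident, length = struct.unpack("!BBH", pkt[:4])
        if code != EAP_REQUEST or length != len(pkt) or pkt[4] != EAP_TYPE_TLS:
            return None
        if last_id is not None and ident != ((last_id + 1) & 0xFF):
            return None                     # identifier gap: a fragment never reached us
        last_id = ident
        flags, data = pkt[5], pkt[6:]
        if flags & FLAG_L:
            expected, data = struct.unpack("!I", data[:4])[0], data[4:]
        buf += data
        if not flags & FLAG_M:
            return buf if len(buf) == expected else None
    return None                             # ran out of packets while M was still set: supplicant keeps waiting
```

With a 1000-byte EAP limit the 3 KB chain needs four round trips, so every one of them is a chance for a misbehaving NAD (or a short EAP timeout) to stall the conversation.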

balaji.bandi
Hall of Fame

I am sure you clarified that on the path all the MTU is set up as per the SD-Access requirement?

What is the version of code on the Cat 9300 PoC and Prod?

What kind of certificate is this? Is it locally signed? Is it a wildcard?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi BB

 

Thanks for the feedback. Yes, the MTU setup is the default as per the SD-Access requirement.

 

system mtu 9100

interface Loopback0
 description Fabric Node Router ID
 ip address XX.XXX.XXX.XXX 255.255.255.255
 ip router isis
 clns mtu 1400

 

I'm using the below versions:

 

POC: Version 17.03.01.0.351

PROD: Version 17.03.03.0.4762

 

We are using a self-signed certificate (issued by the company).

 

It's interesting because the phones I have tested work on both PROD and POC; they are not using certificates though.

However, the desktops and laptops only authenticate on the POC.

 

Some logs are displaying the below:

Event: 5440 Endpoint abandoned EAP session and started new
Failure Reason: 5440 Endpoint abandoned EAP session and started new
Resolution: Verify known NAD or supplicant issues and published bugs. Verify NAD and supplicant configuration.
Root cause: Endpoint started new authentication while previous is still in progress. Most probable that supplicant on that endpoint stopped conducting the previous authentication and started the new one. Closing the previous authentication.

 

Looking forward to hearing from you.

 

Thanks 

If you have a spare switch for testing, load IOS XE Version 17.03.01.0.351, install it in production and test it.

Looks to me like a bug, not sure until we do this test. 17.3.4 is the suggested code, I guess.

BB


Good Morning BB,

I will explore that option. Can I clarify that the production switch is a stack (3 switches), as opposed to the POC, which is standalone.

 

Thanks 

 

Hi BB,

 

I did try what you suggested and it worked. So there must be a bug with the version currently installed on the Prod switches.

 

Thanks for your help.

marce1000
VIP

 

- Check the ISE version and/or correlate with:

  https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr70581

M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Hi marce1000

 

Thanks for the link. Using version 2.7.0.356. Looks like one of the recommended fix releases.

 

It's interesting because the phones I have tested work on both PROD and POC; they are not using certificates though.

However, the desktops and laptops only authenticate on the POC.

 

Some logs for the same device are displaying the below:

 

Event: 5440 Endpoint abandoned EAP session and started new
Failure Reason: 5440 Endpoint abandoned EAP session and started new
Resolution: Verify known NAD or supplicant issues and published bugs. Verify NAD and supplicant configuration.
Root cause: Endpoint started new authentication while previous is still in progress. Most probable that supplicant on that endpoint stopped conducting the previous authentication and started the new one. Closing the previous authentication.

Hello,

 

Can you post the switch configs?

Hi Georg,

 

It turns out this was a version-related bug.

 

Thanks for your input.
