Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
383
Views
0
Helpful
1
Replies

EAP-TLS issue in external branches

ened09
Level 1
Level 1

‎12-12-2019 05:12 AM - edited ‎07-05-2021 11:25 AM

Hello guys,
I have some problems with the eap-tls authentication on external locations.
I hope you have a little tip for me.

The Authentication process starts without problems and than the communication between the supplicant and Authentication Server stops. The Authentication Server (ISE 2.3) logged the Event "5440 Endpoint abandoned EAP session and started new".

When i start the debug on the WLC (Wism2), i see the starting conversation and than the communication stops. After a few
seconds i see the new eapol start frame from the supplicant and the authentication process starts again.
That explains the event on the ISE.
When i capture the Authentication process on the supplicant, i see the beginning process and it stops after the client have send the first frame of the client certificate. It seems that this frame never reach the WLC.
Than i started the debug on the AP(AIR-CAP2702I) with commands like "debug capwap client XXX" or "debug lwapp client XXX". But i didn't see anything of this Authentication Process.
Do anyone have a tip for debugging the Authentication on the AP?
Or maybe someone had a similar situation and can give me some hints?

Thanks In Advance!

Labels:
0 Helpful
1 Reply 1

TsvetanVladimirov81607
Level 1
Level 1

‎12-13-2019 01:37 AM

Hi,

 

Do you have local authentication or central authentication if the AP is Flexconnect?

When using EAP-TLS you need fast link between the supplicant and the ISE. If it is slow, the session might be timing out before the next part of the message starts.

Check this:

- Make sure the end device has the latest wi-fi card drivers.

- Extend the EAP timers on the WLC.

- Do an OTA packet capture to verify if the end user is sending anything at all after the first message.

 

Cheers

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card