Hi Rich

-5520 WLC version 8.10.183.0

- We have a mixed deployment at that particular location (large vehicle manufacturing hall) consisting mostly of 9115, 2700, 9130 and some 2800 APs (all together 190 in that physical location - production hall)

- OS and network drivers are sensitive topic, since the clients are mostly some proprietary manufacturing devices used to flash software to cars. End devices are based on some version of linux and using a linux supplicant software (wpa_supplicant), but since the end devices are not managed by us, it is hard to get any relevant info about drivers or basically anything.

i used the config analyzer couple of times, but nothing significant popped up, but i'll try to run it again and see.

Now i'm trying to run some client debugs on the WLC to see what is happening, cause form ISE's perspective it seems like it sends out the server cert chain in access-request radius messages but the last fragment of the cert is acked by the supplicant (or perhaps authenticator, hard to say without proper debugs) via radius access-challenge after 30sec and most likely it contains the empty TLS. So at least from this perspective it seems like it could be an issue with the supplicant on the client, but i want to see exactly what is happening at the authenticator (WLC) side.

But it is really hard to capture, since these problems are intermittent, and are happening only from time to time.

I was also thinking that this could be a problem of not using 802.11r and  slow roaming (mostly because the one AAA override SSID we're using is being used by many proprietary / and some old / clients that do not support 802.11r, hence we have it disabled).

So when the cars are moving around the facility and they do not finish the EAP-TLS auth in time (cause they're roaming too fast) their supplicant might just gets stuck/confused.

So my other line of thought was to try to create a new 802.11r enabled SSID and test it out on that (but i need to run a wlan profiler to see if those clients even support 802.11r)

> since the end devices are not managed by us, it is hard to get any relevant info about drivers or basically anything

So maybe it would be better to have individual SSIDs with PSK and static VLAN assignment to keep it as simple as possible?

No harm experimenting with features like 11r but that can also cause problems for some clients.

What model of controller and what version of software @omehmetoglu  ?

We are running the 5520 on code 8.10.183.0, we did also trial it on 8.10.190.0 and still the same issue.

We never had this kind of instability when we were on ISE 3.2, we upgraded to 3.3 in July and about 1.5 weeks later we have seen a major increase in EAP-Key exchange timeout issues. We are seeing this across multiple devices, where previously it was working fine. We have had this wireless environment for about 5-6 years now and has been stable.

Well TAC will be reluctant to offer any support if you are not running 8.10.196.0 for a start ...

> we upgraded to 3.3 in July and about 1.5 weeks later we have seen a major increase in EAP-Key exchange timeout issues
Hmmm that doesn't stack up as a simple software issue unless it's a creeping death situation.  If it is caused by ISE and time related you might need to be restarting ISE regularly.  Either way you probably need to work it through with TAC but look for other possible causes that match that time line better.  What else happened at that time - OS updates, certificate update etc?

We are actually upgrading the WLC to 8.10.196.0 tonight, but we have also been on 8.10.190.0 (since March) and have seen the problem on this code as well once we went to ISE 3.3 starting in July. I know for a fact that when we were on code 8.10.190.0 we never had this problem, so I know its not a WLC version issue.

We have not had any other changes other than that of ISE going to version 3.3 and more recently we are now on Patch 4 as we have seen performance issues with ISE since upgrading to 3.2 Patch 6 and have since moved to 3.3 Patch 4 as a bug was identified related to heap dump space issues.

This was only applied 1 weeks ago so we need to see if this has resolved the EAP timeout issues but at this stage we cannot confirm it.

We are at a point that we may even rebuild ISE in AWS back on 3.2 just to test the theory, we have also had an ongoing ticket with Cisco TAC for both items (ISE since March) and (WLC wifi drop outs since July), many TAC resources have investigated to this date and no one can figure it out just yet.