cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2903
Views
10
Helpful
13
Replies

EAP-TLS Authentication failure over WiFi

HAT
Level 1
Level 1

Hi All

I have been trying to deploy a wireless solution but been stuck with appears to be an authentication failure with the Radius Server . The device is an  Intune laptop   attempting to connect  to a Meraki managed SSID  but  every attempt has  been unsuccessful so far   .  I m using Meraki APs connected over a trunk to a Meraki switch that eventually traverses the Wan to the target radius server . All the required routing is in place to ensure the 802.1x messages can reach ISE , can also confirm  the device and CA root  certificates on the test device have been properly configured and that the correct policy is being hit on ISE

EAP-TLS is being used as the  authentication method in this scenario 

Any help will be greatly appreciated 

Please find below the ISE logs for the failed authentication 

 

Steps

 11001Received RADIUS Access-Request
 11017RADIUS created a new session
 11117Generated a new session ID
 15049Evaluating Policy Group
 15008Evaluating Service Selection Policy
 15048Queried PIP - Network Access.UserName
 15048Queried PIP - Radius.Called-Station-ID
 11507Extracted EAP-Response/Identity
 12500Prepared EAP-Request proposing EAP-TLS with challenge
 11006Returned RADIUS Access-Challenge
 11001Received RADIUS Access-Request
 11018RADIUS is re-using an existing session
 12502Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
 12800Extracted first TLS record; TLS handshake started
 12545Client requested EAP-TLS session ticket
 12805Extracted TLS ClientHello message
 12806Prepared TLS ServerHello message
 12807Prepared TLS Certificate message
 12808Prepared TLS ServerKeyExchange message
 12809Prepared TLS CertificateRequest message
 12810Prepared TLS ServerDone message
 12505Prepared EAP-Request with another EAP-TLS challenge
 11006Returned RADIUS Access-Challenge
 11001Received RADIUS Access-Request
 11018RADIUS is re-using an existing session
 12504Extracted EAP-Response containing EAP-TLS challenge-response
 12505Prepared EAP-Request with another EAP-TLS challenge
 11006Returned RADIUS Access-Challenge
 11001Received RADIUS Access-Request (
 

 

 Step latency=2588 ms)
 11018RADIUS is re-using an existing session
 12504Extracted EAP-Response containing EAP-TLS challenge-response
 12505Prepared EAP-Request with another EAP-TLS challenge
 11006Returned RADIUS Access-Challenge
 11001Received RADIUS Access-Request
 11018RADIUS is re-using an existing session
 12504Extracted EAP-Response containing EAP-TLS challenge-response
 12505Prepared EAP-Request with another EAP-TLS challenge
 11006Returned RADIUS Access-Challenge
 11001Received RADIUS Access-Request
 11018RADIUS is re-using an existing session
 12504Extracted EAP-Response containing EAP-TLS challenge-response
 12505Prepared EAP-Request with another EAP-TLS challenge
 11006Returned RADIUS Access-Challenge
 11001Received RADIUS Access-Request
 11018RADIUS is re-using an existing session
 12504Extracted EAP-Response containing EAP-TLS challenge-response
 12505Prepared EAP-Request with another EAP-TLS challenge
 11006Returned RADIUS Access-Challenge
 12935Supplicant stopped responding to ISE during EAP-TLS certificate exchange (
 

 

 Step latency=120000 ms)
 61025Open secure connection with TLS peer
 5411Supplicant stopped responding to ISE
13 Replies 13

marce1000
VIP
VIP

 

           - Check the logs on the radius server for this particular authentication (too).

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Hi .

Thanks for the reply , not sure what you mean , ISE is the radius server and the above is the 802.1x sequence  for the failed authentication . Also attaching additional information .

Thanks in advance 

 

 - Ok  , check these threads for hints : https://community.cisco.com/t5/network-access-control/some-win-10-clients-get-quot-12935-supplicant-stopped-responding/td-p/4031608
   https://community.cisco.com/t5/network-access-control/12935-supplicant-stopped-responding-to-ise-during-eap-tls/td-p/4577834
   https://community.cisco.com/t5/network-access-control/5411-supplicant-stopped-responding-to-ise-quot-use-eap-tls-for/td-p/4084578

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

HAT
Level 1
Level 1

Thanks . I will check the links 

 

Wes Schochet
Level 3
Level 3

My guess is that the client is not trusting the cert from ISE so it stops responding.

Thanks for the feedback , I did  suspect a certificate trust issue but the certificate chain between the client and server appears to be correct since similar devices can connect fine on the same SSID Onprem. 

I m now looking some timeout or MTU  related issues  as traffic traverses the Wan for the client to authenticate on the OnPrem radius server ( ISE)

Any further help will be greatly appreciated 

Hi All . 

I have lowered  the MTU onto the switch the APs are connected to but that hasn't made  a difference .However, I just noticed that   that the APs Radius requests are experiencing some packet drops as they hit our Onprem firewall ( yes there s a firewall indeed ).

Any idea why ? 

The packet capture in attachment has been obtained from the firewall.

2022-12-19 11_25_34-drop (3).pcap.pngThanks in advance for all you input 

 

I have similar issues with EAP-TLS, but its only to our ISE 3.2 PSN's in Azure.  Our issue is a mtu mismatch between our tunnel from our DC to Azure which I think is the issue.  Folks suggested to look at all the mtu configurations on the path and see if you have a mismatch.  Typically some FW's will drop fragmented packets which I think you are seeing.  Also ISE 3.1, you can define the mtu on Gig 0, but before that, look at the mtu configuration on all devices along the path to ISE.

-Scott
*** Please rate helpful posts ***

HAT
Level 1
Level 1

Thanks for the feedback . The devices MTU along the path are configured as follow  

Client MTU : 1500

Meraki Switch ( Remote site ) : 9578

Wan Router MTU ( Remote site) : 1500

Wan Router MTU ( Head Office) : 1500

Firewall ( Head Office ) : 1500 ( this s where we are seeing some packet drops) 

 

 

 

What you have to look at is the overhead that might be added between the Wan and the FW.  If you are seeing the FW dro the packets, its most likely because of fragmentation, so you might have to drop the mtu more that what you have.  I'm no expert in mtu, but since I have similar issues, folks are guiding me to change the mtu or make sure it isn't fragmenting EAP packets.  Have you tried to set the mtu on the client or the Meraki Switch lower than 1500?

-Scott
*** Please rate helpful posts ***

Hi Scott

Thanks for advising , 1500 is the lowest the Meraki switch  can be lowered to . Tried that but no luck . Will test locally so I can determine whether this is Wan related or not .

In my case, any ISE instance that is not going over our tunnel to Azure Virtual Gateway works fine.  for us, it is a possible mtu mismatch.  I think if you have an ISE node locally that doesn't hit your Fw, you will be fine as switches and routers will reassemble the packets.

Search online, "firewall droping eap-tls"

-Scott
*** Please rate helpful posts ***

HAT
Level 1
Level 1

Hi All

Just to let you know  the matter is now solved . Our on Prem Firewall had a Zone protection profile  with a setting instructing  the firewall to drop fragmented traffic .

Once  that setting was updated it worked .

Thanks all for your contributions

Review Cisco Networking for a $25 gift card