Solved: New Wireless location EAP-TLS wireless doesn't work but PEAP does.

joeharb · ‎09-06-2022

We have deployed a new site and are having issues with the EAP-TLS. We use the same profiles for each of our locations and there is no difference between this location and others. PEAP authentications are working without issue but EAP-TLS (profile that works at other locations) ISE shows the Supplicant abandoned the session and started a new one. I have a TAC case started but we have not made any progress. Wired EAP-TLS works as well. The setup and WLAN's are the same across all locations, I have a good capture and a bad capture and it appears the difference is the supplicant never provides the certificate for authentication.

Any suggestions would be appreciated.

See attached screenshots:

Thanks,

Joe

joeharb · ‎10-11-2022

We were able to resolved this issue by enabling tunnel path-mtu-discovery on the GRE tunnel and "enabling" ip unreachables.

Thanks,

Joe

View solution in original post

Haydn Andrews · ‎09-06-2022

Few questions:

Same WLC at each location or new WLC?
PEAP from same SSID is working?
Has a working device from one location been tested at the non working location?
Which supplicant are you using? The OS one, or a 3rd party.

*****Help out other by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***

joeharb · ‎09-06-2022

Yes to all your questions and using native windows 10 supplicant.

Haydn Andrews · ‎09-06-2022

Ensure that the WLAN AutoConfig service is started on the client

*****Help out other by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***

joeharb · ‎09-07-2022

WLAN Autoconfig is set to Automatic and is in a Running state.

ammahend · ‎09-06-2022

Your print shot points to supplicant issue, client cert is sent once the server cert is validated, in failed case it’s not being sent, make sure the CA that signed server cert is in trusted certificate store of client, Try disabling server cert check in supplicant config, Try reprovisioning client with eap-tls again … to start with.

-hope this helps-

joeharb · ‎09-13-2022

Any suggestions, TAC can't figure it out and we are still struggling.

Thanks,

Joe

ammahend · ‎09-13-2022

EAP-TLS is a standard protocol, based on your printshot last I saw was client was not sending certificate, is it still stuck at the same stage or any additional progress is made, if you are stuck at the same stage and all configuration is correctly verified by TAC then upgrade adapter firmware, try anyconnect supplicant, try different wireless adapter...

-hope this helps-

MHM Cisco World · ‎09-13-2022

Client Cert. is not available in Host when connect to WLC/AP

joeharb · ‎09-14-2022

We are still in the same state, same user can plug directly into the switch located at the site and they authenticate successfully. TAC has said it is a fragmentation issue. Would that fragmentation not occur on the LAN side as well?

Thanks,

Joe

MHM Cisco World · ‎09-14-2022

Yes one reason is the fragment of Server Cert., and hence the client can not defragment the Cert.
can you check the MTU between AP and WLC?

Rich R · ‎09-14-2022

Yep that's what I was about to suggest. CAPWAP encapsulation imposes additional limits on the packet size so my bet is also on fragmentation somewhere. There must be something different in your transport between the AP and WLC at this site (what is between them?). Have you configured the recommended TCP MSS adjust value of 1250? For that matter what model of WLC are you using and what version of software?

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

joeharb · ‎09-19-2022

Update:

We have sent a 3802 to the location and EAP-TLS is working as expected. I have sent this information to Cisco but not sure if anyone else has noticed anything similiar.

Thanks,

Joe

Rich R · ‎09-19-2022

> We have sent a 3802 to the location and EAP-TLS is working as expected

Implying that where it's not working is on a different model of AP? So which model does not work? And you're sure the config of both APs is identical? What version of software are you using?

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

joeharb · ‎09-19-2022

The original AP's are 9120's. We are using Tags for the AP's via a Regex Filter, so if the AP name starts with "Alpha" it inherits the same policy. WLC is running 17.06.01. I might have spoke to soon as it appears that when the client needed to reauthenticate (1800 seconds) they are now unable to authenticate again. From ISE I see the authentication coming from the switch not the WLC, which is different than the previous passed authentications. I am not sure I have noticed this in the past.

Please see attached screenshot.

This shows the end user attempting to connect but the failed ones are coming from 10.64.0.2 (switch) and the interface that the AP is connected to gi1/0/14. The ones that show 10.31.6.131 work find and that is the address of the WLC.

Thanks,

Joe