10-28-2022 08:41 AM
I'm not sure when it happened, but my clients cannot connect to the network anymore.
PEAP with username / password works fine, but not EAP-TLS where certificates only are used.
This goes for both wired and wireless clients.
Initially, I thought that this could have something to do with the upgrade from ISE v3.1 to v3.2, but I installed a new v3.1 OVA and restored an older config, and the problem is still there.
The only things the supplicants (Windows 10 computers) have in common are the ISE server and that they are running the latest version of the Windows 10 OS.
I wouldn't put it past Microsoft that they have done something stupid in their latest patches, though.
I've had this problem before, but I fixed it by either adjusting the MTU or replacing the certificate chains on both ISE and the computers.
But not this time, so I'm at a loss.
Anyone else experienced something similar lately?
The error goes like this:
5411 Supplicant stopped responding to ISE
Failure Reason
12935 Supplicant stopped responding to ISE during EAP-TLS certificate exchange
Resolution
Verify that supplicant is configured properly to conduct a full EAP conversation with ISE.
Verify that NAS is configured properly to transfer EAP messages to/from supplicant.
Verify that supplicant or NAS does not have a short timeout for EAP conversation.
Check the network that connects the Network Access Server to ISE.
Verify that ISE local server certificate is trusted on supplicant.
Verify that supplicant has a properly configured user/machine certificate.
Root cause Supplicant stopped responding to ISE during EAP-TLS certificate exchange
The steps go like this:
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11117 Generated a new session ID
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Normalised Radius.RadiusFlowType
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12502 Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
12800 Extracted first TLS record; TLS handshake started
12545 Client requested EAP-TLS session ticket
12542 The EAP-TLS session ticket received from supplicant while the stateless session resume is disabled. Performing full authentication
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12808 Prepared TLS ServerKeyExchange message
12809 Prepared TLS CertificateRequest message
12810 Prepared TLS ServerDone message
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
12935 Supplicant stopped responding to ISE during EAP-TLS certificate exchange ( [step latency=120001 ms] Step latency=120001 ms)
61025 Open secure connection with TLS peer
5411 Supplicant stopped responding to ISE
Thanks.
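As an added triage helper (not from the original post, and not Cisco's code), the script below parses an ISE "Steps" dump like the one above and reports where the EAP-TLS handshake stalled: whether the server sent its certificate and asked for the client's, how many EAP-TLS fragment round trips happened after ServerDone, and the step latency at the timeout. The sample is trimmed from the post's own log; the diagnosis text and the field names are assumptions of this example.

```python
import re

# Constructed sample, trimmed from the ISE "Steps" dump in the post above (codes as shown on the page).
SAMPLE_STEPS = """\
12542 The EAP-TLS session ticket received from supplicant while the stateless session resume is disabled. Performing full authentication
12805 Extracted TLS ClientHello message
12807 Prepared TLS Certificate message
12809 Prepared TLS CertificateRequest message
12810 Prepared TLS ServerDone message
12505 Prepared EAP-Request with another EAP-TLS challenge
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12935 Supplicant stopped responding to ISE during EAP-TLS certificate exchange ( [step latency=120001 ms] Step latency=120001 ms)
5411 Supplicant stopped responding to ISE
"""

STEP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
LATENCY_RE = re.compile(r"step latency=(\d+) ms", re.IGNORECASE)

def parse_steps(text):
    """Turn an ISE 'Steps' dump into a list of (code, message) tuples."""
    return [(int(m.group(1)), m.group(2))
            for m in map(STEP_RE.match, text.splitlines()) if m]

def triage_eap_tls(steps):
    """Report where the EAP-TLS exchange stalled, judged from step codes only."""
    codes = [c for c, _ in steps]
    f = {
        "full_handshake_forced": 12542 in codes,  # session ticket not honoured
        "server_sent_certificate": 12807 in codes,
        "server_requested_client_cert": 12809 in codes,
        "timed_out": 12935 in codes or 5411 in codes,
        "stall_latency_ms": None,
        "rounds_after_server_done": 0,
    }
    if 12810 in codes:  # each 12504 after ServerDone is one EAP-TLS fragment round trip
        f["rounds_after_server_done"] = codes[codes.index(12810) + 1:].count(12504)
    for code, msg in steps:
        m = LATENCY_RE.search(msg) if code == 12935 else None
        if m:
            f["stall_latency_ms"] = int(m.group(1))
    if not f["timed_out"]:
        f["diagnosis"] = "no stall detected"
    elif f["server_requested_client_cert"] and f["rounds_after_server_done"]:
        f["diagnosis"] = "stalled after ServerDone: check EAP fragment/MTU, client cert and CA trust"
    else:
        f["diagnosis"] = "stalled before the certificate exchange"
    return f
```

Paste the full "Steps" list from the ISE Live Log details in place of the sample to triage a real session; the 120001 ms latency on step 12935 is the EAP conversation timeout firing, not a slow client.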
10-28-2022 10:18 AM
Did your certificates expire? On ISE or on the endpoint? What about the CA? Do you have the latest patch of your version of ISE? I've also seen these issues caused by bad RF environments.
10-28-2022 01:15 PM
No expiry. As I mentioned, I replaced all certificates on both client and ISE from the same (Windows) CA.
v3.2 has no patch, but the v3.1 VM runs the latest (patch 4).
10-30-2022 01:34 PM
If you have already checked the MTU (which used to bite us in the past) and you are 100% sure that the client certs are generated by a CA that is installed in the ISE Trusted Certs, then perhaps also check that the certs in the trust store are ticked to perform client auth. Sometimes one can forget to tick that checkbox?
Other things like Session Resume - perhaps disable all those advanced features (Settings > Protocols > EAP-TLS) ?
And under the Allowed Protocols, you could also check if the Stateless Session Resume is enabled, and then toggle that.
If PEAP is working, and if the PEAP supplicants check the server cert (easily done in Windows) then you can rule out the ISE EAP cert as being the culprit. From the logs it looks like the client cert negotiation is not working.
09-09-2024 11:25 PM
I am also facing the same problem. I have disabled "verify the server's identity by validating the certificate", and I don't have a CA-signed certificate on ISE but am using only a self-signed one.
09-10-2024 12:02 AM
Oh, the gift that keeps on giving! Is the client wireless? If so, then it's quite common for EAP communications to break down when clients roam far enough from the last possible AP, so that the supplicant stops sending a reply to ISE. You can try to verify that by checking on the WLC when this happens (which, I know, can be very tricky). But if the last message in the ISE Details Log says that the Supplicant stopped responding to ISE, then that is definitely the case.
Does it happen all the time, or only sometimes? If sometimes, then my roaming theory makes sense.
09-11-2024 11:00 AM
Exactly "Supplicant stopped responding to ISE", the same, but I am also getting error 5411. If any machine doesn't connect, it isn't connecting anymore. It's not happening after roaming, but during the authentication/association process the client keeps jumping from one AP to another, and some roam well and some roam badly (Meraki).
Some machines are working on same network without any problem.
09-11-2024 11:09 AM
Make new post
MHM