We are looking to enable the "Enable EAP-TLS Session Resume" option in System Administration->Configuration->Global Systems->EAP-TLS Settings in our Production environment.
We have made the change in the Test environment. We do see the Passed Authentication log entry for the initial authentication in Monitoring and Reports, but we are not seeing any logs for the quick reauth of the client.
In the documentation it states that the Session Resume option allows for a quick reauth with only an SSL handshake.
Does the Session Resume option log the quick reauth in Monitoring and Reports?
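To make concrete what the documentation means by a reauth that is "only an SSL handshake", here is an added example that is not part of this thread and is not Cisco code: a Go program that stands up a mutual-TLS server and a client on loopback, connects twice with a client-side session cache, and reports what the server observed for each handshake. The names ise-lab.example and supplicant-lab.example, the function RunResumptionDemo and the self-signed certificates are all constructed for the example; TLS 1.2 is pinned because in that version the session ticket is delivered inside the handshake, which keeps the demo deterministic.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// HandshakeResult is what the server side observed for one accepted connection.
type HandshakeResult struct {
	Resumed  bool   // session restored from a ticket instead of negotiated afresh
	ClientCN string // subject CN of the client certificate tied to the session
}

// mustSelfSigned builds a self-signed cert that is its own trust anchor (constructed lab material).
func mustSelfSigned(cn string, usage x509.ExtKeyUsage) (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		ExtKeyUsage:           []x509.ExtKeyUsage{usage},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // DER produced just above, so it parses
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// RunResumptionDemo connects one client twice to a mutual-TLS server and returns what the server saw each time.
func RunResumptionDemo() ([]HandshakeResult, error) {
	serverCert, serverPool := mustSelfSigned("ise-lab.example", x509.ExtKeyUsageServerAuth)
	clientCert, clientPool := mustSelfSigned("supplicant-lab.example", x509.ExtKeyUsageClientAuth)
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the client must prove a certificate, as in EAP-TLS
		ClientCAs:    clientPool,
		MinVersion:   tls.VersionTLS12, MaxVersion: tls.VersionTLS12, // 1.2: ticket issued inside the handshake
	}
	clientCfg := &tls.Config{
		Certificates:       []tls.Certificate{clientCert},
		RootCAs:            serverPool,
		ServerName:         "ise-lab.example",
		ClientSessionCache: tls.NewLRUClientSessionCache(8), // no client cache, no resumption attempt
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	seen := make(chan HandshakeResult, 2)
	go func() { // server side: record what each of the two handshakes looked like
		for i := 0; i < 2; i++ {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			tc := c.(*tls.Conn)
			err = tc.Handshake()
			st := tc.ConnectionState() // read before Close so the record survives
			tc.Close()
			r := HandshakeResult{Resumed: st.DidResume}
			if err == nil && len(st.PeerCertificates) > 0 {
				r.ClientCN = st.PeerCertificates[0].Subject.CommonName
			}
			seen <- r // zero value on a failed handshake; the client reports that error
		}
	}()
	var out []HandshakeResult
	for i := 0; i < 2; i++ {
		conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg) // Dial completes the handshake
		if err != nil {
			return nil, err
		}
		conn.Close()
		out = append(out, <-seen)
	}
	return out, nil
}

func main() { fmt.Println(RunResumptionDemo()) } // first Resumed=false, second Resumed=true
```

On the first connection the server verifies the client certificate and hands out a session ticket; on the second, DidResume is true, no certificate exchange takes place, and the server still reports the same client CN because the identity travels with the ticket. From a monitoring standpoint that flag is the only thing separating the two events, so whether a resumed session shows up as a passed authentication depends on whether the product's logging is driven from it, which is exactly why it is worth checking the report for a resumed-session entry rather than assuming one.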
Verify that the supplicant is configured properly to conduct a full EAP conversation with ACS. Verify that the NAS is configured properly to transfer EAP messages to or from the supplicant. Verify that the supplicant or network access server (NAS) does not have a short timeout for EAP conversations. Check the network that connects the NAS to ACS. If an external ID store is used for the authentication, it may not be responding fast enough for the current timeouts.
Check whether the proper server certificate is installed and configured for EAP by going to the Local Certificates page (Administration > System > Certificates > Local Certificates). Also ensure that the certificate authority that signed this server certificate is correctly installed in the client's supplicant.
Check the previous steps in the log for this EAP-TLS conversation for a message indicating why the handshake failed. Check OpenSSLErrorMessage and OpenSSLErrorStack for more information.
Check the appropriate configuration in Policy > Authentication. This error happens when the identity source is configured for certificate-based authentication and received a password-based authentication request.
Check the appropriate configuration in Policy > Authentication. This error happens when the identity source is configured for password-based authentication and received a certificate-based authentication request.
Check whether the subject is present in any one of the chosen identity stores. Note that some identity stores may have been skipped if they do not support the current authentication protocol.
Make sure the authentication policy points to the correct identity store.
The authorization profile with the ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate authorization policy rule-results.
Check whether the shared secrets on the AAA client and ISE server match. Ensure that the AAA client and the network device have no hardware problems or problems with RADIUS compatibility. Also ensure that the network that connects the device to the ISE has no hardware problems.