We were running Cisco ACS version 4.x half a year ago, but decided to upgrade to Cisco ISE. So we've made a fresh installation with our Cisco partner. At the moment we're live with this equipment, but running into a lot of trouble, as we're receiving a lot of these errors each day. Once the users restart their PCs a few times the problem is solved, but at the moment it's pretty annoying:
No response received during 120 seconds on last EAP message sent to the client
Steps from the detailed view:
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
5411 No response received during 120 seconds on last EAP message sent to the client
Allowed Protocol: EAP-TLS and PEAP
Authentication Protocol : EAP-TLS
Actually I don't know which version we're running. Where can I check the proper release on the web interface?
Switches are 3750x with the following switchport configs (some things have been xxx-ed out), Firmware is Version 12.2(55)SE1:
switchport access vlan xxx
switchport mode access
switchport voice vlan xxx
srr-queue bandwidth share 10 10 60 20
authentication event fail action next-method
authentication event server dead action authorize vlan xxx
The OS Version is Microsoft Windows 7 Professional 32 Bit
EAP method is EAP-TLS normally
The Client Machines have "Validate Server Certificate" enabled
When exactly do you see this message, while booting up or anytime? / Does this message prevent users from authenticating?
- I've just checked today's ISE log for this error. There are about 82 errors on different clients today, which I've called right now and asked if they had any problems with the PC. Most of them had, for example, no network drives or no printers, and about 5 people had no connection until they restarted their machine.
The PCs are connected to a CISCO 7965G telephone, which is also running with certificates.
Verify that supplicant is configured properly to conduct a full EAP conversation with ISE. Verify that NAS is configured properly to transfer EAP messages to or from supplicant. Verify that supplicant or network access server (NAS) does not have a short timeout for EAP conversations. Check the network that connects the NAS to ISE. If the external ID store is used for the authentication, it may not be responding fast enough for current timeouts. For more information you can see the link below.
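Added example, not part of the original thread and not Cisco tooling: a small Python triage of the "Steps" text as pasted above, reporting how far the EAP conversation got before the 5411 timeout and which endpoints stall repeatedly. The function names, the `(endpoint_id, steps_text)` input shape and the endpoint IDs are assumptions made for this example; the step codes and messages are the ones posted in the thread.

```python
import re
from collections import Counter

STEP_RE = re.compile(r"^\s*(\d{4,5})\s+(\S.*?)\s*$")
TIMEOUT = 5411            # No response received ... on last EAP message (from the post)
ACCESS_CHALLENGE = 11006  # Returned RADIUS Access-Challenge (from the post)

def parse_steps(text):
    """Return [(code, message)] for every line that starts with a step code."""
    return [(int(m.group(1)), m.group(2))
            for m in map(STEP_RE.match, text.splitlines()) if m]

def triage(text):
    """Say whether a session hit the 5411 timeout and how far EAP had got."""
    steps = parse_steps(text)
    codes = [code for code, _ in steps]
    if TIMEOUT not in codes:
        return {"stalled": False}
    before = steps[:codes.index(TIMEOUT)]
    last_request = next((msg for _, msg in reversed(before)
                         if "EAP-Request" in msg), None)
    challenges = sum(1 for code, _ in before if code == ACCESS_CHALLENGE)
    return {"stalled": True, "last_eap_request": last_request,
            "challenges_sent": challenges,
            # True: the supplicant never answered the first method proposal
            "silent_after_first_challenge": challenges == 1}

def stalled_per_endpoint(sessions):
    """Count stalled sessions per endpoint from (endpoint_id, steps_text) pairs."""
    return Counter(ep for ep, text in sessions if triage(text)["stalled"])

# Step list as posted in the thread.
POSTED = """11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
5411 No response received during 120 seconds on last EAP message sent to the client"""

# Constructed sample: endpoint IDs are made up; the last session has no timeout line.
SESSIONS = [("00:00:5E:00:53:01", POSTED), ("00:00:5E:00:53:01", POSTED),
            ("00:00:5E:00:53:02", POSTED.rsplit("\n", 1)[0])]

if __name__ == "__main__":
    print(triage(POSTED))
    print(stalled_per_endpoint(SESSIONS))
```

For the posted trace the result shows a single Access-Challenge carrying the EAP-TLS proposal and no reply from the client, which points the checks above at the supplicant and the switch port rather than at ISE policy.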