Introduction
In most cases a simple reboot or reauthentication does the trick, but what if the same problem keeps coming back? Well, there is no single solution that works for every scenario, but there are a few options you can try.
Error Message
Let’s have a look at the actual error message first. Depending on your authentication settings, the message will look similar to one of the following.
EAP-TLS
Event: 5411 Supplicant stopped responding to ISE
Failure Reason: Supplicant stopped responding to ISE after sending it the first EAP-TLS message
EAP-MSCHAPv2
Event: 5411 Supplicant stopped responding to ISE
Failure Reason: Supplicant stopped responding to ISE after sending it the first inner EAP-MSCHAPv2 message
Troubleshooting Options
Reauthenticate Endpoint
As already mentioned, the error can occur on individual endpoints from time to time. The fastest fix is to reauthenticate or restart the endpoint. If the error occurs more often, the following steps are for you.
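To tell a one-off from a recurring case, it helps to count 5411 events per endpoint and note which EAP method the failure reason names. The following script is an added example, not part of the original post or of ISE itself: it runs over constructed syslog-style lines (the line shape and MAC addresses are assumptions; only the event id and failure reason texts come from the messages above) and lists the endpoints that exceed a threshold.

```python
import re
from collections import defaultdict

# Constructed sample lines in a syslog-like shape (NOT real ISE output); only
# the event id, the Calling-Station-ID and the FailureReason text matter here.
SAMPLE_LOG = """\
2024-05-01T08:01:12 ise01 5200 NOTICE Passed-Authentication: Calling-Station-ID=AA-BB-CC-00-00-01
2024-05-01T08:01:40 ise01 5411 NOTICE Failed-Attempt: Calling-Station-ID=00-11-22-33-44-55, FailureReason=Supplicant stopped responding to ISE after sending it the first EAP-TLS message
2024-05-01T08:02:05 ise01 5411 NOTICE Failed-Attempt: Calling-Station-ID=AA-BB-CC-00-00-02, FailureReason=Supplicant stopped responding to ISE after sending it the first inner EAP-MSCHAPv2 message
2024-05-01T08:03:11 ise01 5411 NOTICE Failed-Attempt: Calling-Station-ID=00-11-22-33-44-55, FailureReason=Supplicant stopped responding to ISE after sending it the first EAP-TLS message
2024-05-01T08:05:30 ise01 5411 NOTICE Failed-Attempt: Calling-Station-ID=00-11-22-33-44-55, FailureReason=Supplicant stopped responding to ISE after sending it the first EAP-TLS message
2024-05-01T08:09:02 ise01 5411 NOTICE Failed-Attempt: Calling-Station-ID=00-11-22-33-44-55, FailureReason=Supplicant stopped responding to ISE after sending it the first EAP-TLS message
"""

LINE_RE = re.compile(r"\s(?P<event>\d{4})\s.*Calling-Station-ID=(?P<mac>[0-9A-Fa-f-]{17})")
REASON_RE = re.compile(r"FailureReason=(?P<reason>.*)$")
# Matches "first EAP-TLS message" and "first inner EAP-MSCHAPv2 message".
METHOD_RE = re.compile(r"first (?:inner )?(?P<method>EAP-[A-Za-z0-9]+) message")


def parse_5411(line):
    """Return (mac, eap_method) for a 5411 line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m or m.group("event") != "5411":
        return None
    reason = REASON_RE.search(line)
    method = METHOD_RE.search(reason.group("reason")) if reason else None
    return m.group("mac"), (method.group("method") if method else "unknown")


def summarize_5411(log_text):
    """Count 5411 events per endpoint and record which EAP method(s) failed."""
    summary = defaultdict(lambda: {"count": 0, "methods": set()})
    for line in log_text.splitlines():
        parsed = parse_5411(line)
        if parsed:
            mac, method = parsed
            summary[mac]["count"] += 1
            summary[mac]["methods"].add(method)
    return dict(summary)


def recurring_endpoints(summary, threshold=3):
    """Endpoints hit at least `threshold` times: these deserve the deeper checks
    (allowed protocols, MTU, certificate chain, GPO) rather than a reboot."""
    return sorted(mac for mac, s in summary.items() if s["count"] >= threshold)
```

Feeding real exports into `summarize_5411` only needs the two regexes adjusted to your log format; the per-endpoint threshold logic stays the same.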
Check Allowed Protocols
Some clients may require TLS 1.0 or a similar legacy protocol version, which is not enabled by default. To check these settings navigate to Administration -> System -> Settings -> Security Settings. Enable a legacy version only for the clients that actually need it, since the setting applies to every EAP session the node terminates.
Client Firewall and Antivirus
Your client’s firewall or antivirus could be the problem, especially if you are using authentication timeouts in your ISE policies. For testing purposes you can temporarily disable the firewall or antivirus and check whether the problem persists.
MTU Mismatch
The issue could also be caused by an MTU mismatch between your switch and ISE. EAP-TLS messages carrying certificates are large and get fragmented, so a mismatch can leave the supplicant waiting for a fragment that never arrives. Try setting the MTU to 1500 and check again.
For more information see the following guide provided by Cisco: EAP Fragmentation Implementations and Behavior
Certificate Trust Chain
Make sure to provide the full certificate chain to your clients, including the root CA and any subordinate CAs.
Windows GPO
Your Windows GPO for wireless and wired networks also matters. Open your 802.1X GPO and navigate to Security Settings -> Wired Network (802.3) Policies -> Network Profile -> IEEE 802.1X Settings.
Check the following settings and set them accordingly:
| Setting | Value |
|---|---|
| Maximum Authentication Failures | 5 |
| Maximum EAPOL-Start Messages Sent | 5 |
| Held Period (seconds) | 1 |
| Start Period (seconds) | 5 |
| Authentication Period (seconds) | 30 |
The values are suggestions to start with. They may need to be adjusted to fit your environment.
Conclusion
I hope you found this helpful and were able to fix your problem. For further troubleshooting you can create a port mirror and analyze the network traffic using Wireshark to determine what causes the problem.