
ISE 2.7 dot1x Failure Reason 12308

YanivCohen
Level 1

Hey,

I have a strange problem when implementing dot1x in my lab environment.

My supplicant successfully authenticates against Active Directory, but ISE still considers the authentication a failure because the supplicant sends a Result TLV message.

 

Event: 5400 Authentication failed
Failure Reason: 12308 Client sent Result TLV indicating failure
Resolution: If ISE is configured to request Crypto-Binding TLV, ( i.e. "Require cryptobinding TLV" is checked on the Allowed Protocols screen); and the client is not configured to use Crypto-Binding TLV then the client may react on this situation by sending "Result TLV" indicating failure. There will also be a communication failure if ISE is not configured to send Crypto-Binding TLV and the client is configured to use it. Both ISE and the client must be identically configured regarding using of Crypto-Binding TLV to result in successful communication. If failure still occurs - contact TAC.
Root cause: Internal error, possibly in the supplicant: PEAP v0 authentication failed because client sent Result TLV indicating failure. Client indicates that it does not support Crypto-Binding TLV

 

I tried playing with the allowed protocols in my policy set:

checked and unchecked - Require cryptobinding TLV

but still no change appears.

Here are the steps in the report:

1001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Normalised Radius.RadiusFlowType
15048 Queried PIP - Radius.Service-Type
11507 Extracted EAP-Response/Identity
12300 Prepared EAP-Request proposing PEAP with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12808 Prepared TLS ServerKeyExchange message
12810 Prepared TLS ServerDone message
12811 Extracted TLS Certificate message containing client certificate
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12318 Successfully negotiated PEAP version 0
12812 Extracted TLS ClientKeyExchange message
12813 Extracted TLS CertificateVerify message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12310 PEAP full handshake finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12313 PEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
15041 Evaluating Identity Policy
22072 Selected identity source sequence - AD_Identity_store
15013 Selected Identity Source - AD_INT
24430 Authenticating user against Active Directory - AD_INT
24325 Resolving identity - user10
24313 Search for matching accounts at join point - xxxx-domain
24319 Single matching account found in forest - xxxx-domain
24323 Identity resolution detected single matching account
24343 RPC Logon request succeeded - user10@xxxx-domain
24355 LDAP fetch succeeded - xxxx-domain
24458 Not all Active Directory attributes are retrieved successfully - AD_INT
24100 Some of the expected attributes are not found on the subject record. The default values, if configured, will be used for these attributes - AD_INT
24402 User authentication against Active Directory succeeded - AD_INT
22037 Authentication Passed
11824 EAP-MSCHAP authentication attempt passed
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814 Inner EAP-MSCHAP authentication succeeded
11519 Prepared EAP-Success for inner EAP method
12314 PEAP inner method finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request (Step latency=2086 ms)
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12308 Client sent Result TLV indicating failure
61025 Open secure connection with TLS peer
12307 PEAP authentication failed
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject

Are there any suggestions?

Thanks!
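
A triage helper for the step list above, as an added example that is not part of the original post or of Cisco's tooling: it parses pasted ISE step lines and reports whether the Result TLV failure (12308) arrived after the inner EAP-MSCHAP success (11814), which separates a PEAP settings mismatch from a rejected credential. The step IDs are the ones shown in the report; the phase names and returned labels are assumptions of this example.

```python
import re

# Step IDs are those shown in the report above; the phase names and the
# returned labels are assumptions of this example, not ISE terminology.
PHASE_MARKERS = {
    "12816": "tls_ok",              # TLS handshake succeeded
    "11814": "inner_ok",            # Inner EAP-MSCHAP authentication succeeded
    "12308": "client_result_fail",  # Client sent Result TLV indicating failure
    "11003": "reject",              # Returned RADIUS Access-Reject
}

# Accepts "12308 Client ..." and the fused "12308Client ..." copy-paste form.
STEP_RE = re.compile(r"^\s*(\d{4,5})\s*(\D.*)$")

def parse_steps(text):
    """Return [(step_id, message)] for every line that starts with a step ID."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append((m.group(1), m.group(2).strip()))
    return steps

def classify(steps):
    """Name the phase in which the session failed."""
    seen = [PHASE_MARKERS[sid] for sid, _ in steps if sid in PHASE_MARKERS]
    if "client_result_fail" in seen:
        before = seen[:seen.index("client_result_fail")]
        if "inner_ok" in before:
            # Credentials were accepted; the supplicant refused the final
            # PEAP result exchange, so this is not a bad-password event.
            return "result-tlv-failure-after-valid-credentials"
        return "result-tlv-failure-before-inner-success"
    if "reject" not in seen:
        return "no-failure-seen"
    if "tls_ok" not in seen:
        return "tls-handshake-incomplete"
    if "inner_ok" not in seen:
        return "inner-method-or-identity-failure"
    return "rejected-after-inner-success"

# Excerpt of the report above, kept in its fused form.
SAMPLE = """\
 12816TLS handshake succeeded
 11814Inner EAP-MSCHAP authentication succeeded
 12314PEAP inner method finished successfully
 12308Client sent Result TLV indicating failure
 11003Returned RADIUS Access-Reject
"""

if __name__ == "__main__":
    print(classify(parse_steps(SAMPLE)))
```

Sessions labelled as failing after valid credentials can be kept out of failed-logon counters that feed lockout or brute-force alerting.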

 

Accepted Solution

Manny - Fresh
Level 1

Uncheck this setting in Policy Elements > Results > Authentication > Allowed Protocols

MannyFresh_0-1692047491426.png

 

Hope that helps.


balaji.bandi
Hall of Fame

You need to tell us more about your environment - what is the end device? How is it configured to authenticate?

Post the complete logs from ISE from when the user starts authenticating to the end of the process.

 

 

As per the message, this may be a bug:

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu73387/?rfs=iqvred

 

Also have a look at this thread; it may help to resolve the issue:

https://community.cisco.com/t5/network-access-control/unable-to-use-eap-fast-with-windows10/m-p/3828879

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hey BB, first of all thanks for your response.

The authentication fails in the first place because Windows 10 sends the Result TLV (maybe there is a way to disable it? PS - I didn't find one).

radius log.PNG

dsadsadasdsa.PNG

Capture.PNG

 

The device is a Windows 10 host in an EVE-NG VM.

The ISE sits on the same ESXi where the EVE-NG sits, also as a VM.

I uploaded the Windows host configuration and the topology.

topology.PNG

cisco problem.PNG

cisco problem 01.PNG

cisco problem 02.PNG

All computers are in the domain.

After doing some configuration changes there are still no updates...
