We've got EAP on our ESP8266 design working just fine on our in-house testbeds. However, we've got a potential user having difficulty related to the authentication process. Since we're not on-site, the debugging is proving difficult, and I'm hoping someone has a suggestion. Right now it appears to me that the ESP is not completing the negotiation as expected by the user's Cisco AP, so I'm filing this under bug reports. They say they are using EAP-TLS.
I'm certainly not an EAP expert, but it appears the negotiation failed because the ESP8266 did not suggest the desired EAP method. If that is part of the standard, then I would think this counts as a bug. If not, then what should I suggest to the user? I can gather more information regarding AP models and firmware if Cisco has had some kind of compatibility issues.
Any help is much appreciated!
Thanks!
Authentication Details
Source Timestamp 2018-01-25 10:43:48.973
Received Timestamp 2018-01-25 10:43:48.971
Policy Server sdcise03
Event 5400 Authentication failed
Failure Reason 11510 Supplicant declined EAP method selected by Authentication Policy but did not propose another one; EAP negotiation failed
Resolution Ensure that the supplicant is correctly configured. Verify that supplicant has at least one EAP method cofigured.
Root cause In previous EAP message ISE started an EAP method selected by Authentication Policy. Supplicant declined this EAP method by sending EAP NAK message but did not propose another EAP method that it is ready to conduct. Owing to this, EAP-negotiation failed.
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Radius.Service-Type
15048 Queried PIP - Radius.NAS-Port-Type
15048 Queried PIP - Radius.Called-Station-ID
15004 Matched rule - TWAVE
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11510 Supplicant declined EAP method selected by Authentication Policy but did not propose another one; EAP negotiation failed
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
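To check what the supplicant actually sent, the EAP-Response/Nak can be decoded from a packet capture taken at the AP or the RADIUS server. The following is an added example, not part of the original post and not ESP8266 SDK code: it parses the legacy Nak defined in RFC 3748 section 5.3.1 and reports whether any alternative method was proposed. The function names and sample packets are constructed for illustration.

```python
import struct

EAP_RESPONSE = 2   # EAP Code field, RFC 3748 section 4
EAP_TYPE_NAK = 3   # legacy Nak, RFC 3748 section 5.3.1
METHOD_NAMES = {4: "MD5-Challenge", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}


def nak_proposals(packet: bytes):
    """Return the method types offered in an EAP-Response/Nak.

    None -> the packet is not a legacy Nak
    []   -> Nak with no alternative (the condition the failure reason describes)
    """
    if len(packet) < 4:
        raise ValueError("truncated EAP header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("EAP length field does not match packet")
    if code != EAP_RESPONSE or length < 5 or packet[4] != EAP_TYPE_NAK:
        return None
    # Type-Data is one octet per desired method; 0 means "no alternative".
    return [t for t in packet[5:length] if t != 0]


def describe(packet: bytes) -> str:
    offered = nak_proposals(packet)
    if offered is None:
        return "not a Nak"
    if not offered:
        return "Nak with no alternative method"
    names = [METHOD_NAMES.get(t, f"type {t}") for t in offered]
    return "Nak proposing " + ", ".join(names)


# Constructed sample packets (not taken from the user's network).
SAMPLES = {
    "nak_none": bytes.fromhex("020200060300"),   # Type-Data = 0
    "nak_empty": bytes.fromhex("0202000503"),    # no Type-Data at all
    "nak_peap": bytes.fromhex("020200060319"),   # proposes type 25
    "tls_resp": bytes.fromhex("020200060d00"),   # EAP-TLS response, not a Nak
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(label, "->", describe(pkt))
```

A Nak that lists a method such as PEAP means the supplicant is configured for a different method than the one the policy selects; an empty list means it offered nothing the server could fall back to.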