8/17/2021 Cisco Identity Services Engine
Overview
Event 5400 Authentication failed
Username USERNAME
Endpoint Id 2C:8D:B1:A6:BE:2C
Endpoint Profile
Authentication Policy Default
Authorization Policy Default
Authorization Result
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - DEVICE.Device Type
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12502 Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
12800 Extracted first TLS record; TLS handshake started
12545 Client requested EAP-TLS session ticket
12542 The EAP-TLS session ticket received from supplicant while the stateless session resume is disabled. Performing full authentication
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12809 Prepared TLS CertificateRequest message
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12815 Extracted TLS Alert message
12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate
12507 EAP-TLS authentication failed
61025 Open secure connection with TLS peer
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
https://10.41.2.220/admin/liveAuthenticationDetail.do?ID=1629051130792616&sessionID=ce448d0600000ced611b3fac 1/4
Authentication Details
Source Timestamp 2021-08-17 08:48:45.04
Received Timestamp 2021-08-17 08:48:45.041
Policy Server DXB1VSYISE001
Event 5400 Authentication failed
Failure Reason 12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate
Resolution Check whether the proper server certificate is installed and configured for EAP in the Local Certificates page (Administration > System > Certificates > Local Certificates). Also ensure that the certificate authority that signed this server certificate is correctly installed in client's supplicant. Check the previous steps in the log for this EAP-TLS conversation for a message indicating why the handshake failed. Check the OpenSSLErrorMessage and OpenSSLErrorStack for more information.
Root cause EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate
Username USERNAME
Endpoint Id 2C:8D:B1:A6:BE:2C
Calling Station Id 2C-8D-B1-A6-BE-2C
Audit Session Id ce448d0600000ced611b3fac
Authentication Method dot1x
Authentication Protocol EAP-TLS
Service Type Framed
Network Device aedxb1-mena-mr42-wap302
Device Type All Device Types
Location All Locations
NAS IPv4 Address 10.41.15.55
NAS Port Type Wireless - IEEE 802.11
Response Time 6 milliseconds
Other Attributes
ConfigVersionId 622
Device Port 34248
DestinationPort 1812
RadiusPacketType AccessRequest
Protocol Radius
NAS-Port 1
Framed-MTU 1400
State 37CPMSessionID=ce448d0600000ced611b3fac;40SessionID=DXB1VSYISE001/418425663/208182;
Acct-Session-Id AD24A11798CB47D5
Connect-Info CONNECT 54.00 Mbps, 802.11ac, RSSI: 46, Channel: 60
undefined-186 00:0f:ac:04
undefined-187 00:0f:ac:04
undefined-188 00:0f:ac:01
NetworkDeviceProfileId b0699505-3150-4215-a80e-6753d45bf56c
IsThirdPartyDeviceFlow false
AcsSessionID DXB1VSYISE001/418425663/208182
OpenSSLErrorMessage SSL alert: code=0x230=560 ; source=remote ; type=fatal ; message="unknown CA"
OpenSSLErrorStack 11295:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:s3_pkt.c:1494:SSL alert number 48
CPMSessionID ce448d0600000ced611b3fac
EndPointMACAddress 2C-8D-B1-A6-BE-2C
ISEPolicySetName Default
DTLSSupport Unknown
IPSEC IPSEC#Is IPSEC Device#No
Model Name Unknown
Software Version Unknown
Network Device Profile Cisco
Location Location#All Locations
Device Type Device Type#All Device Types
RADIUS Username USERNAME
NAS-Identifier E0-CB-BC-8D-44-CE:vap0
Device IP Address 10.41.15.55
Called-Station-ID E2-CB-AC-8D-44-CE:IntlSOS-Business-Wi-Fi
CiscoAVPair audit-session-id=ce448d0600000ced611b3fac
Result
RadiusPacketType AccessReject
Session Events
2021-08-17 08:54:01.152 Authentication failed
2021-08-17 08:48:45.041 Authentication failed