Field Notice: FN74084 - Identity Services Engine: ISE Cannot Retrieve Peer Certificates During EAP-TLS Authentication - Software Upgrade Recommended

Available Languages

Updated:December 21, 2023

Document ID:FN74084

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Products Affected

Affected Software Product	Affected Release	Affected Release Number	Comments
Identity Services Engine System Software	3	3.1.0 p7

Defect Information

Defect ID	Headline
CSCwf80292	ISE cannot retrieve a peer certificate during EAP-TLS authentication

Problem Description

Cisco Identity Services Engine (ISE) cannot retrieve peer certificates and will fail Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentications if EAP-TLS Session Resume is enabled.

Background

Cisco ISE Release 3.1 Patch 7 might experience issues with EAP-TLS authentication if the following settings are enabled:

EAP-TLS Session Resume is enabled from Administration > System > Settings > Protocols > EAP-TLS.
Enable Stateless Session Resume is enabled from Policy > Results > Authentication > Allowed Protocols > Allow EAP-TLS.

Problem Symptom

During EAP-TLS authentication, the following error will be displayed in the Detailed Authentication Report, which can be found in Operations > RADIUS Livelogs. To access the report, click on the magnifying glass icon of a failed endpoint.

An error similar to the following example will also be displayed in prrt-server.log:

show logging application prrt-server.log | include "sent no certificate"
EAP-TLS: Unable to retrieve peer certificate from cache,EapTlsProtocol.cpp:1318 Crypto,2023-06-27 21:22:47,773,ERROR,0x7f1854d64700,NIL-CONTEXT,Crypto::Result=39, Crypto.SSLConnection.getPeerCertificate - Peer sent no certificate,SSLConnection.cpp:531

Workaround/Solution

Solution

To address this issue, Cisco recommends upgrading to Cisco ISE Release 3.1 Patch 8 or later.

Workaround

If upgrading the ISE system software is not immediately possible, Cisco recommends performing both of the following configuration changes:

Uncheck EAP-TLS Session Resume from Administration > System > Settings > Protocols > EAP-TLS.
Uncheck Enable Stateless Session Resume from Policy > Results > Authentication > Allowed Protocols > Allow EAP-TLS.

Revision History

Version	Description	Section	Date
1.0	Initial Release	—	2023-DEC-21

For More Information

For further assistance or for more information about this field notice, contact the Cisco Technical Assistance Center (TAC) using one of the following methods:

Receive Email Notification About New Field Notices

To receive email updates about Field Notices (reliability and safety issues), Security Advisories (network security issues), and end-of-life announcements for specific Cisco products, set up a profile in My Notifications

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)

This Document Applies to These Products

Identity Services Engine Software