
OPERATIONAL DEFECT DATABASE
In environments where EAP-MD5 is used for MAB on third-party network access devices, customers may notice a huge number of errors in ISE live logs such as "Packet is already in progress". The situation may become worse with time, and the majority of authentication requests for the endpoints connected to third-party network access devices may start failing. The issue itself is caused by MAB EAP-MD5, but if regular EAP and EAP-MD5 MAB are both done for the same endpoint, both may fail.
ISE 2.2P4 or later (the problem may be seen in earlier releases, but the issue was initially discovered on 2.2P4) providing authentication to third-party network access devices using MAB over EAP-MD5.

Below is the exact flow that causes the problem:

1. RADIUS Access-Request with EAP Identity request is received.
2. ISE sends an Access-Challenge with a proposal of EAP type.
3. One minute later, the switch resends the initial Access-Request but with a different packet ID.
4. This new request makes ISE believe that the session has been abandoned by the endpoint.
5. As expected, ISE creates a new Session ID for the new request, but no Access-Challenge is sent.
6. This new session causes all subsequent attempts to fail. Packets are either dropped by the duplicate manager or because of "Previous session in progress".
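To confirm that a deployment is hitting this flow, the pattern in steps 1 to 3 can be searched for in a RADIUS capture or export. The following Python is an added example, not Cisco or ISE code; the record fields (`ts`, `nad`, `mac`, `code`, `ident`, `eap`) and the sample packets are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Pkt:
    ts: float    # seconds since start of capture
    nad: str     # network access device address
    mac: str     # endpoint MAC (Calling-Station-Id)
    code: str    # RADIUS code name
    ident: int   # RADIUS packet ID
    eap: str     # EAP payload: "identity", "md5-challenge", "md5-response", ""

def find_restarted_exchanges(packets):
    """Return (mac, nad, first_id, new_id, gap_seconds) wherever a NAD sends a
    fresh EAP Identity Access-Request under a new packet ID while the
    Access-Challenge for its earlier request is still unanswered (steps 1-3)."""
    pending, hits = {}, []   # pending: (nad, mac) -> state of the open exchange
    for p in sorted(packets, key=lambda p: p.ts):
        key, prev = (p.nad, p.mac), pending.get((p.nad, p.mac))
        if p.code == "Access-Request" and p.eap == "identity":
            if prev and p.ident == prev["ident"]:
                continue     # same packet ID: ordinary RADIUS retransmission
            if prev and prev["challenged"]:
                hits.append((p.mac, p.nad, prev["ident"], p.ident,
                             round(p.ts - prev["ts"], 3)))
            pending[key] = {"ident": p.ident, "ts": p.ts, "challenged": False}
        elif p.code == "Access-Challenge" and prev and p.ident == prev["ident"]:
            prev["challenged"] = True
        else:
            pending.pop(key, None)   # challenge answered or exchange finished
    return hits

# Constructed sample traffic (not taken from a real deployment).
A, B, C, NAD = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03", "10.0.0.5"
SAMPLE = [
    Pkt(0.00, NAD, A, "Access-Request", 17, "identity"),
    Pkt(0.01, NAD, A, "Access-Challenge", 17, "md5-challenge"),
    Pkt(60.00, NAD, A, "Access-Request", 18, "identity"),      # step 3: new packet ID
    Pkt(1.00, NAD, B, "Access-Request", 40, "identity"),       # healthy exchange
    Pkt(1.01, NAD, B, "Access-Challenge", 40, "md5-challenge"),
    Pkt(1.05, NAD, B, "Access-Request", 41, "md5-response"),
    Pkt(1.06, NAD, B, "Access-Accept", 41, ""),
    Pkt(2.00, NAD, C, "Access-Request", 50, "identity"),
    Pkt(5.00, NAD, C, "Access-Request", 50, "identity"),       # retransmit, same ID
    Pkt(5.01, NAD, C, "Access-Challenge", 50, "md5-challenge"),
    Pkt(5.05, NAD, C, "Access-Request", 51, "md5-response"),
]

if __name__ == "__main__":
    print(find_restarted_exchanges(SAMPLE))
```

Endpoints and NADs that appear in the result are candidates for the PAP-based MAB workaround.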
Move to MAB based on PAP instead of EAP-MD5