
OPERATIONAL DEFECT DATABASE
ISE cannot retrieve the peer certificate during EAP-TLS. The command show logging application prrt-server.log | include "sent no certificate" displays the following:

EAP-TLS: Unable to retrieve peer certificate from cache,EapTlsProtocol.cpp:1318 Crypto,2023-06-27 21:22:47,773,ERROR,0x7f1854d64700,NIL-CONTEXT,Crypto::Result=39, Crypto.SSLConnection.getPeerCertificate - Peer sent no certificate,SSLConnection.cpp:531

Failure reason: 22047 User name attribute is missing in client certificate
This defect affects only EAP-TLS on ISE 3.1 Patch 7, and only when the runtime-aaa component is NOT set to debug.
Disable EAP-TLS session resume under Administration > System > Settings > Protocols > EAP-TLS, and uncheck Enable Stateless Session Resume under Policy > Results > Authentication > Allowed Protocols > Allow EAP-TLS.
You may also see this error when session resumption is not enabled, in which case it is a genuine certificate problem rather than this defect. If session resumption is not enabled and the error still appears, take a packet capture on the ISE side to confirm whether the client certificate is actually being sent to ISE, and troubleshoot from there.
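As an added example (not part of this defect record or of Cisco's tooling), a small Python script that scans prrt-server.log output for the two lines this defect produces and collapses the pair into one failed authentication attempt per thread, which is useful for confirming the error stops after the workaround. The sample log lines are constructed from the excerpt above; the "Eap" category on the cache line and the INFO line are assumptions.

```python
import re
from datetime import datetime

# Constructed sample of prrt-server.log lines (not a real capture). Field layout
# follows the defect excerpt: category, date, millis, level, thread, context,
# message (may itself contain commas), source file:line.
SAMPLE_LOG = """\
Crypto,2023-06-27 21:22:47,773,ERROR,0x7f1854d64700,NIL-CONTEXT,Crypto::Result=39, Crypto.SSLConnection.getPeerCertificate - Peer sent no certificate,SSLConnection.cpp:531
Eap,2023-06-27 21:22:47,774,ERROR,0x7f1854d64700,NIL-CONTEXT,EAP-TLS: Unable to retrieve peer certificate from cache,EapTlsProtocol.cpp:1318
Crypto,2023-06-27 21:22:48,101,INFO,0x7f1854d64700,NIL-CONTEXT,Crypto::Result=0, TLS handshake complete,SSLConnection.cpp:400
Crypto,2023-06-27 21:30:02,012,ERROR,0x7f1854d65800,NIL-CONTEXT,Crypto::Result=39, Crypto.SSLConnection.getPeerCertificate - Peer sent no certificate,SSLConnection.cpp:531
"""

# Greedy "msg" group backtracks to the last comma so commas inside the message survive.
LINE_RE = re.compile(
    r"^(?P<cat>[^,]+),(?P<date>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),(?P<ms>\d{3}),"
    r"(?P<level>[A-Z]+),(?P<thread>0x[0-9a-f]+),(?P<ctx>[^,]+),(?P<msg>.*),(?P<src>[^,]+:\d+)$"
)

# The two messages the defect writes during a failed EAP-TLS exchange.
DEFECT_SIGNATURES = (
    "Peer sent no certificate",
    "Unable to retrieve peer certificate from cache",
)


def parse_line(line):
    """Parse one prrt-server.log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["timestamp"] = datetime.strptime(f"{rec['date']},{rec['ms']}", "%Y-%m-%d %H:%M:%S,%f")
    return rec


def find_defect_events(log_text):
    """Return parsed ERROR records whose message carries one of the defect signatures."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["level"] == "ERROR" and any(s in rec["msg"] for s in DEFECT_SIGNATURES):
            events.append(rec)
    return events


def count_failed_auths(events, window_s=1.0):
    """Collapse signature lines from the same thread within window_s into one attempt."""
    attempts = []
    for e in sorted(events, key=lambda r: r["timestamp"]):
        last = attempts[-1] if attempts else None
        if last and last["thread"] == e["thread"] and \
                (e["timestamp"] - last["timestamp"]).total_seconds() <= window_s:
            continue  # second line of the same failure, not a new attempt
        attempts.append(e)
    return attempts


if __name__ == "__main__":
    for a in count_failed_auths(find_defect_events(SAMPLE_LOG)):
        print(a["timestamp"], a["thread"], a["msg"])
```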