Symptom
ISE cannot retrieve a peer certificate during EAP-TLS.
show logging application prrt-server.log | include "sent no certificate" displays the following:
EAP-TLS: Unable to retrieve peer certificate from cache,EapTlsProtocol.cpp:1318
Crypto,2023-06-27 21:22:47,773,ERROR,0x7f1854d64700,NIL-CONTEXT,Crypto::Result=39, Crypto.SSLConnection.getPeerCertificate - Peer sent no certificate,SSLConnection.cpp:531
Failure reason: 22047 User name attribute is missing in client certificate
Conditions
This defect impacts only EAP-TLS and ISE 3.1 patch 7.
runtime-aaa component is NOT set to debug.
Workaround
Disable EAP-TLS session resume from Administration > System > Settings > Protocols > EAP-TLS.
Uncheck Enable Stateless Session Resume from Policy > Results > Authentication > Allowed Protocols > Allow EAP-TLS.
Further Problem Description
You may also see this error when session resumption is not enabled, if there is a genuine issue. If session resumption is not enabled and you see this error, take a packet capture on the ISE side to confirm whether the certificate is being sent to ISE, and troubleshoot from there.
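The following is an added example, not Cisco code: a small Python triage helper that scans an exported copy of prrt-server.log for the two signatures quoted under Symptom and applies the session-resume decision described above. The function names, the timestamp layout (inferred from the one Crypto line on this page) and every sample line other than the two quoted ones are assumptions.

```python
import re
from collections import Counter

# Signatures copied from the log lines quoted in the Symptom section.
SIG_NO_CERT = "Peer sent no certificate"
SIG_CACHE = "Unable to retrieve peer certificate from cache"
# Timestamp layout assumed from the single Crypto line shown on the page.
TS = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}):\d{2}:\d{2},\d{3}")

def scan(lines):
    """Return (signature hit counts, 'Peer sent no certificate' hits per hour)."""
    hits, per_hour = Counter(), Counter()
    for line in lines:
        if SIG_CACHE in line:
            hits["cache"] += 1
        if SIG_NO_CERT in line:
            hits["no_cert"] += 1
            m = TS.search(line)
            per_hour[m.group(1) if m else "unknown"] += 1
    return hits, per_hour

def triage(hits, session_resume_enabled):
    """Map the scan result to the next step given the session-resume setting."""
    if not hits:
        return "no-match"
    # Resume enabled: compare against the Conditions and apply the Workaround.
    # Resume disabled: treat as a genuine failure and take a packet capture.
    return "check-defect-conditions" if session_resume_enabled else "packet-capture"

# Lines 1-2 are quoted from this page; lines 3-4 are constructed for the example.
SAMPLE = [
    "EAP-TLS: Unable to retrieve peer certificate from cache,EapTlsProtocol.cpp:1318",
    "Crypto,2023-06-27 21:22:47,773,ERROR,0x7f1854d64700,NIL-CONTEXT,Crypto::Result=39,"
    " Crypto.SSLConnection.getPeerCertificate - Peer sent no certificate,SSLConnection.cpp:531",
    "Crypto,2023-06-27 21:40:02,118,ERROR,0x7f1854d64700,NIL-CONTEXT,Crypto::Result=39,"
    " Crypto.SSLConnection.getPeerCertificate - Peer sent no certificate,SSLConnection.cpp:531",
    "constructed unrelated line that matches neither signature",
]

if __name__ == "__main__":
    hits, per_hour = scan(SAMPLE)
    print(dict(hits), dict(per_hour))
    print(triage(hits, session_resume_enabled=True))
```

To use it on real data, pass the lines of an exported prrt-server.log to scan() in place of SAMPLE.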