Symptom
Reauthentication fails with the message:
12539 Failed to decrypt the EAP-TLS session ticket received from supplicant
The failure occurs under specific conditions that depend on certificate attributes, the Master Secret negotiated during the TLS handshake, and certain internal ISE attributes. The root cause is an inconsistency between the encryption and decryption methods in the ISE logic that computes the session ticket issued to clients during stateless session resume.
Conditions
EAP-TLS authentication
Under Allowed Protocols, EAP-TLS settings, the option "Enable Stateless Session Resume" is enabled
Workaround
Disable the "Enable Stateless Session Resume" option
Move to a version where this issue is fixed.
Further Problem Description