Intermittent 802.1x Authentication Issue

ermer — Mon, 11 Mar 2019 07:35:33 GMT

We have been running the below configuration for several years now. More and more when a user logs into a computer, they will be prompted with the Cisco Guest Portal or have no network access. Just logging off and back in again usually resolved the issue but it is frustrating for our users. Originally we had mostly Windows 7 computers and the occurrences were very low. It seems as computers were replaced with Windows Vista, 8.1 and now 10 that it is happening more frequently. 99% of the time when this happens the computer is cold booted from being off overnight and the user tries to log in as soon as the Ctrl-Alt-Del screen appears. We have been instructing users to wait 60 seconds before logging in and this has helped, although not always. It appears that either the 802.1x service has not started on the computer or it is taking too long to respond to ISE and then getting denied.

Is there any timeouts that should be changed either in ISE or on the Windows machine?

ISE 1.4 patch 8 authenticating to 2012R2 AD Domain Controllers

4500 Chassis running IOS cat4500e-universalk9.SPA.03.04.05.SG.151-2.SG5.bin

There are ACL’s on the switch VLAN and ISE pushes down a dACL at login.

Computers are authenticated through ISE via AD and then re-authenticated when the user logs in.

Port Configuration:

authentication control-direction in

authentication event fail action next-method

authentication event server dead action authorize voice

authentication host-mode multi-auth

authentication order mab dot1x

authentication priority dot1x mab

authentication port-control auto

authentication timer reauthenticate server

authentication violation restrict

mab

snmp trap mac-notification change added

snmp trap mac-notification change removed

dot1x pae authenticator

dot1x timeout tx-period 10

storm-control broadcast level 0.50

spanning-tree portfast

spanning-tree bpduguard enable

Windows GPO enabled for “Always wait for the network at computer startup and logon”

802.1X profile on Windows computer:

Block period: 1 minute

Computer Authentication: User re-authentication

EAPOL Start Message: Transmit per IEEE 802.1X

Maximum Authentication Failures: 100

Maximum EAPOL-Start Messages Sent: 3

Held Period: 20 seconds

Start Period: 5 seconds

Authentication Period: 30 seconds

Single Sign On type: PreLogon

Maximum acceptable delay for network connectivity: 20 seconds

Try to change the config on

agrissimanis — Mon, 03 Apr 2017 14:11:15 GMT

Try to change the config on few ports to

authentication order dot1x mab

dot1x timeout tx-period 5

and see if the problem still occurs frequently

I found this to be working well in our environment, but each case is different of course

Also, I have the dot1x block period set to 0 in Windows network profile

topic Try to change the config on in Network Access Control

Intermittent 802.1x Authentication Issue

Try to change the config on