topic Hi Jack, in Network Access Control

Dot1.x error 5434

jack samuel — Mon, 11 Mar 2019 06:51:35 GMT

Dears,

attached is the error for dot1x.

I have configured dot1x and it is working fine with dell laptop as I tried with 2 or 3 users,, but it doesn't work with hp pc as it gives me the attached error.

when I left the office I have Google out and found the link https://supportforums.cisco.com/discussion/12451301/cisco-ise-changing-domain-user-doesnt-trigger-automatic-reauthentication ; now I want to know is it Suppress Anomalous Clients option is enabled by default ??? by unchecking that will the dot1x will work.

thanks

Hi Jack,

Pradeep S.R. — Mon, 13 Jun 2016 13:51:40 GMT

Hi Jack,

Please let me know which version of ISE you are using and do u created the ISE Authz policies based on device profile or only 802.1x attribute?

1. by looking at the screenshot I can see device is getting profiled as cisco device ?

2. u need to compare the policy for working device and non- working HP PC- as in screenshot shows device sending the authentication- MAB(Mac address bypass) method.

3. yes - by default radius suppress setting is enabled in ISE- you can verify in settings->protocol->Radius protocols-settings -it only applies to devices if Reject Request After Detection is enabled and policy will be in effect till the request rejection interval time specified-

share the details- will suggest the fix.

Cheers,

Pradeep

*** Rate if it helps

Dear Pradeepa,

jack samuel — Mon, 13 Jun 2016 14:11:42 GMT

Dear Pradeepa,

I have configured MAB for HP printers which are detected by ISE as HP device so I gave them full permit now when I started to move the users HP PC's they are also seen as a HP device and they are also falling in MAB so to avoid such situation I disabled the Printer MAB policy for time being and try to restart the HP PC then as per the screenshot nothing was seen in the authorization logs as per the attached this is becz of they have already been suppressed. please correct me,

how I can avoid HP pc to fall as HP device rather then they are capable of Dot1x.

thanks

Hi jack,

Pradeep S.R. — Mon, 13 Jun 2016 14:51:11 GMT

Hi jack,

To get the profiling accuracy - we should enable( DNS,DHCP,SNMP, SNMPTRAP, RADIUS) -profiler option in profiler configuration.-

there are 4 options to achieve this.

1. check logs and see on which parameter device is getting profiled as HP device? (like radius,dns or dhcp).

2. u have to tweak the profiling policy for the HP -device and other workstation devices - please refer the Cisco profiling accuracy -http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-30-ISE_Profiling_Design_Guide.pdf

3. still profiling accuracy fails - create customised profiling policy for HP-workstation

4. create autz policy based on 802.1x attribute and with the domain group-(users AD group) without any device profile.to overcome profiling issue,.

Cheers,

Pradeep

*** Rate if it helps

Dear Pradeepa,

jack samuel — Mon, 13 Jun 2016 16:32:27 GMT

Dear Pradeepa,

I have done the below still it falls as a HP device, In authorization rule I have a condition as domain computer and domain user but still

4. create autz policy based on 802.1x attribute and with the domain group-(users AD group) without any device profile.to overcome profiling issue,.

thanks

Hi Jack,

Pradeep S.R. — Mon, 13 Jun 2016 16:50:27 GMT

Hi Jack,

I meant to say if none of the 3 options work then only we should go with authz policy without any profiling attribute in that- it means policy should not depend on any profiling parameter

Dears,

jack samuel — Fri, 17 Jun 2016 08:10:02 GMT

Dears,

you can verify in settings->protocol->Radius protocols-settings -it only applies to devices if Reject Request After Detection is enabled and policy will be in effect till the request rejection interval time specified-

I have disabled the above policy, still some of the PC are failing by error

5434	Endpoint conducted several failed authentications of the same scenario

I can see a mac address of the machine in the radius live logs instead of their hostname for example host/HR-PC1 as an identity and it gives me the below error.

5434 endpoint conducted several failed authentications of the same scenario.

15039 rejected per authorization profile

Some of the PC were working fine with dot1x but suddenly they started with this issue.

thanks

Thanks

Hi Jack,

Pradeep S.R. — Fri, 17 Jun 2016 09:20:20 GMT

Hi Jack,

system is hitting the deny policy as there is no 802.1x request from the PC and there is MAB authz allowed for that devices- that is reason you are getting that error,

Do you configured MAB(Mac address bypass) authz policy for the windows devices? if yes please verify the policy.

Problem looks like with PC just verify the wiredautoconfig service is running in PC? there are no certificate related errors?

as you said some of the PC's are working then it clearly indicate problem with system not ISE,

Ref Link:

https://supportforums.cisco.com/blog/12256681/getting-past-intermittentunexplained-8021x-problems-windows-7

Microsoft

https://support.microsoft.com/en-us/kb/2736878

Cheers,

Pradeep

Dear

jack samuel — Fri, 17 Jun 2016 10:29:55 GMT

Dear

thanks for the reply, I appreciate,

Do you configured MAB(Mac address bypass) authz policy for the windows devices? if yes please verify the policy

yes I have configured mab for hp printers and not for HP pc's becz they are dot1x capable, my MAB policy was on top and dot1x was below that so all Hp pc were hitting MAB then I twick the MAB policy below dot1x and all PC started hitting dot1x policy, when I start to move the pc switch port configuration in dot1x they were successfully authenticating, for pc A I configured the switch port in dot1 and it authenticate successfully , the next day when I came the same pc gave me an error

5434 endpoint conducted several failed authentications of the same scenario.

15039 rejected per authorization profile

why that so it is happening , before migrating the switch configuration I want to confirm the error is related to PC or misconfiguration on ISE

Problem looks like with PC just verify the wiredautoconfig service is running in PC? there are no certificate related errors?

yes it is running and the PC NIC configuration are as the below link. please confirm that I am on the correct path.

https://supportforums.cisco.com/discussion/12451301/cisco-ise-changing-domain-user-doesnt-trigger-automatic-reauthentication

thanks

Hi Jack,

Pradeep S.R. — Fri, 17 Jun 2016 10:37:53 GMT

Hi Jack,

yes it is running and the PC NIC configuration are as the below link. please confirm that I am on the correct path.

Yes you are on right path.

Cheers,

Pradeep

Dear Pradeepa,

jack samuel — Fri, 17 Jun 2016 10:57:54 GMT

Dear Pradeepa,

To get the profiling accuracy - we should enable( DNS,DHCP,SNMP, SNMPTRAP, RADIUS) -profiler option in profiler configuration.-

I have enabled all the probes but enabling probe will not make things for me there must be some extra configuration has to be done, if you can brief me how I can segregate HP printers and HP PC that are profiled as a HP-Device

there are 4 options to achieve this.

1. check logs and see on which parameter device is getting profiled as HP device? (like radius,dns or dhcp).

I have to see this in the endpoint ??

can you brief on my issue I will read it but for time being what can be done.

3. still profiling accuracy fails - create customized profiling policy for HP-workstation

how I am following by the below link in which the device which is not profiled can be statically group to a new group.

https://www.youtube.com/watch?v=11464Fjm2tA

thanks

Hi Jack,

Pradeep S.R. — Fri, 17 Jun 2016 11:18:07 GMT

Hi Jack,

q 1? Yes you have to check endpoint details from Administration->Identity Management->Identities->Endpoints (screenshot attached)

q 2? if you go the profiling architecture and CF (Certainty Factor) value - section guide it helps to u.

Q 3? yes it helps- you can statically map failing device to particular group -it is feasible solution small scale deployment and for large scale dynamic profiling is better option.

Dear Pradeepa,

jack samuel — Fri, 17 Jun 2016 12:03:05 GMT

Dear Pradeepa,

I want to keep MAB policy on top and dot1x policy below in authorization policy,

If suppose HP Printers which are profiled as a HP -Device in ISE , can I statically map these device to a particular static group instead of automatic mapping to HP-Device

thanks

Hi Marc,

Pradeep S.R. — Tue, 21 Jun 2016 09:33:51 GMT

Hi Jack,

I want to keep MAB policy on top and dot1x policy below in authorization policy,- Yes

If suppose HP Printers which are profiled as a HP -Device in ISE , can I statically map these device to a particular static group instead of automatic mapping to HP-Device- Yes you can do that.

Cheers,

Pradeep