https://community.cisco.com/t5/network-access-control/cisco-ise-works-and-sometimes-doesn-t/m-p/3872242#M472309 <P>I recommend you work in&nbsp; Limited Access Mode ( authentication open ) on your switch ports ,with a pre-defined ACL so that you dont impact your users.</P> <P>You can then start looking at your logs and get a better understanding of why dot1x is failing without impacting anyone, as well as understand your policy structure.</P> <P>&nbsp;</P> Thu, 13 Jun 2019 07:36:32 GMT ldanny 2019-06-13T07:36:32Z https://community.cisco.com/t5/network-access-control/cisco-ise-works-and-sometimes-doesn-t/m-p/3872091#M472307 <P>I'm not sure how to describe this issue.&nbsp; Or what to even look for to resolve it.&nbsp; But here goes nothing:<BR /><BR />My company has recently deployed ISE to a facility for Identity management.&nbsp; After several months we ran into a host and myriad of problems which, thankfully, were resolved in one form or another.&nbsp; Recently we've had users report network related issues as ISE issues.&nbsp; 9 times out of 10, they're false alarms or red-herrings.&nbsp; A user mistyped there password, or an update was rolled out that knocked them offline, stuff like this.</P><P>&nbsp;</P><P>However for the 1 out of 10... I can't explain.</P><P>&nbsp;</P><P>A bit of background - We deployed ISE in an Apple majority environment.&nbsp; With only a handful of users on Windows.&nbsp; So features like EAP-Chaining are a no-go (Apple doesn't natively support it, and we haven't tested a 'supposedly' updated Cisco Anyconnect version that fixes this).&nbsp; Again this is all fine, we've been working around certain limitations.</P><P>&nbsp;</P><P>From the user's perspective, they've logged into there machine without issues.&nbsp; But now the internet isn't working, and they have a Guest portal asking them to register with the network.&nbsp; And ISE is none-the-wiser that they're a corporate user.&nbsp; A simple reboot corrects the problem.&nbsp; But it's still an issue I'm trying to solve and prevent.</P><P>&nbsp;</P><P>Any help is appreciated.</P> Thu, 13 Jun 2019 01:01:56 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-works-and-sometimes-doesn-t/m-p/3872091#M472307 TitanAE 2019-06-13T01:01:56Z https://community.cisco.com/t5/network-access-control/cisco-ise-works-and-sometimes-doesn-t/m-p/3872130#M472308 Sounds like dot1x is failing on the laptops and it’s falling back to MAB and redirect to guest portal<BR /><BR />Please open a tac case to look at switch ise and even desktop logs<BR /> Thu, 13 Jun 2019 03:02:06 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-works-and-sometimes-doesn-t/m-p/3872130#M472308 Jason Kunst 2019-06-13T03:02:06Z https://community.cisco.com/t5/network-access-control/cisco-ise-works-and-sometimes-doesn-t/m-p/3872242#M472309 <P>I recommend you work in&nbsp; Limited Access Mode ( authentication open ) on your switch ports ,with a pre-defined ACL so that you dont impact your users.</P> <P>You can then start looking at your logs and get a better understanding of why dot1x is failing without impacting anyone, as well as understand your policy structure.</P> <P>&nbsp;</P> Thu, 13 Jun 2019 07:36:32 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-works-and-sometimes-doesn-t/m-p/3872242#M472309 ldanny 2019-06-13T07:36:32Z