https://community.cisco.com/t5/network-access-control/dot1x-authentication-problem/m-p/3822943#M474608 <P>When you look at the switch side do you see the session go into an authenticated state?&nbsp; There could be attributes that you are passing back from ISE that cause the session to go Unauth so it never truly completes even though ISE authenticated it.&nbsp; If you see everything look good on the switch side watch the detailed "show auth session" or "show access-session" output for that port.&nbsp; You will probably see Dot1x rerunning constantly.&nbsp; If the switch is satisfied with the authentication the only way it would rerun Dot1x is if it received a EAPol start message from the client.</P> Wed, 20 Mar 2019 13:57:40 GMT paul 2019-03-20T13:57:40Z https://community.cisco.com/t5/network-access-control/dot1x-authentication-problem/m-p/3822863#M474605 <P>Running a C4506-E 15.2(2)E8</P> <P>&nbsp;</P> <P>Machines are authenticating through ISE. Within 30 seconds one will fail to authenticate (After it has already passed authentication)..It seems like a round robin of machines that are failing to authenticate after they already authenticate. This process continues forever. Its like ISE is only accepting so many Mac addresses from this switch to authenticate at once, and every time that limit is reached one is forced to fail authentication to make room for another machine. Im not too sure where to start as far as troubleshooting this issue. Any advice would help.</P> Wed, 20 Mar 2019 12:33:35 GMT https://community.cisco.com/t5/network-access-control/dot1x-authentication-problem/m-p/3822863#M474605 fredrick.pettiford 2019-03-20T12:33:35Z https://community.cisco.com/t5/network-access-control/dot1x-authentication-problem/m-p/3822892#M474606 <P>the first place to look is in ISE under LiveLogs (or in Reports) to see why ISE had to fail the authentication.&nbsp; Sometimes the reason that ISE gives is not the real reason/cause, but it's a starting point.</P> <P>&nbsp;</P> <P>What version of ISE?</P> <P>What type of PAN/PSN? SNS-34 or SNS-35 etc.</P> <P>How many endpoints do you see in the dashboard?</P> <P>I doubt this makes any difference, but is the CPU trending high?</P> Wed, 20 Mar 2019 13:08:10 GMT https://community.cisco.com/t5/network-access-control/dot1x-authentication-problem/m-p/3822892#M474606 Arne Bier 2019-03-20T13:08:10Z https://community.cisco.com/t5/network-access-control/dot1x-authentication-problem/m-p/3822938#M474607 Thanks for the reply,<BR /><BR />Total endpoints = 92335<BR />Active endpoints = 22148<BR /><BR />ISE Version = 2.1.0.474 <BR />PID= SNS-3495-K9<BR />Installed Patched 1.2.3.5.7.8<BR /><BR />CPU is not trending high. Steady around 10%<BR /><BR /><BR />Also when checking the live logs i see the machine authenticating..but it shows it authenticating 1033 times.<BR />Like i mentioned about the devices just keep re-authenticating.<BR /> Wed, 20 Mar 2019 13:52:43 GMT https://community.cisco.com/t5/network-access-control/dot1x-authentication-problem/m-p/3822938#M474607 fredrick.pettiford 2019-03-20T13:52:43Z https://community.cisco.com/t5/network-access-control/dot1x-authentication-problem/m-p/3822943#M474608 <P>When you look at the switch side do you see the session go into an authenticated state?&nbsp; There could be attributes that you are passing back from ISE that cause the session to go Unauth so it never truly completes even though ISE authenticated it.&nbsp; If you see everything look good on the switch side watch the detailed "show auth session" or "show access-session" output for that port.&nbsp; You will probably see Dot1x rerunning constantly.&nbsp; If the switch is satisfied with the authentication the only way it would rerun Dot1x is if it received a EAPol start message from the client.</P> Wed, 20 Mar 2019 13:57:40 GMT https://community.cisco.com/t5/network-access-control/dot1x-authentication-problem/m-p/3822943#M474608 paul 2019-03-20T13:57:40Z