topic ISE High Repeat Counts in Network Access Control

ISE High Repeat Counts

graeme.walker — Sat, 09 Mar 2019 03:14:04 GMT

Hi,

I've noticed a quirky issue within our ISE console and the repeat counter.

Our system has been running fine with just the odd issue we can easily resolve (mainly phones being unable to drop the session behind then from laptops).

However, we noticed that if a building connectivity is dropped back to the core network switch, all devices that are use a MAB rule to authenticate (phones and printers) from that switch stack experience high repeat counts for a day or two, which then drops down to "normal". Laptops and PCs which are using a certificate to authenticate are fine.

Does anyone know why this could happen? To me, it appears as though the switch is queing up authentication requests and the ISE console is just taking time to "catch up" with this.

Switch IOS version: 15.2(2)E7

ISE Version: 2.4.0.357

Installed Patches: 2

I can provide some more information if needed to help identify the issue.

Cheers,

Graeme

Re: ISE High Repeat Counts

Mike.Cifelli — Mon, 25 Feb 2019 13:26:41 GMT

The repeat counter will increment when there are authentication requests that have been repeated with no change in 24 hours. Do you have a re-authentication timer configured in your authz profiles OR manually deployed on your switchports? If you do, this may be the reason as to why you are seeing the repeat counter increment.

HTH!

Re: ISE High Repeat Counts

graeme.walker — Tue, 26 Feb 2019 10:24:25 GMT

Thanks Mike,

From what I can see it is configured on each individual port:

Current configuration : 814 bytes
!
interface GigabitEthernet3/0/48
description Standard User/Voice Port
switchport mode access
switchport voice vlan 10
authentication control-direction in
authentication event fail action next-method
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout quiet-period 1800
dot1x timeout tx-period 5
dot1x max-req 1
dot1x max-reauth-req 1
spanning-tree portfast
end

The issue I am having is when a switch stack has a loss of connectifity back to the ISE server (which is rare but has happened after some fiber repatching), that stack seems to run slow and devices have continuous repeat attempts just from devices connected to that stack hitting MAB rules. The stacks in other buildings are fine.

I have reset the repeat counter and will monitor this - I've also asked for the stack in question to be reloaded but that is like asking for blood...

Cheers,

Graeme