topic Re: ISE Deployment Issues in Network Access Control

ISE Deployment Issues

NETAD — Fri, 16 Nov 2018 17:22:54 GMT

Hello, I'm working on an ISE deployment and I have couple of issues that I'm encountering. Maybe someone have see similar issues before.

1-All of a sudden certain windows machines stop doing dot1x and revert to MAB until a GPO update is forced, or sometimes removing dot1x from the port and putting it back.

2-Remote desktop only work with machine authorization after the user logs in. I've seen that the only way to get user authorization after the remoting in is by using the anyconnect NAM module. Is that accurate or is there a way to get this working right.

3-ISE is profiling the cisco 3800 APs as Cisco Access Points only and not a specific model. Is that ok?

We're on ISE 2.2 patch 4 with all win10 pcs.

Thanks

Re: ISE Deployment Issues

paul — Fri, 16 Nov 2018 17:44:04 GMT

For #1 it sounds like there is an issue with your GPO setup. You shouldn't see devices revert back to MAB (unless they are in hibernation or rebooting).

For #3 that is normal because the CDP attributes are wrong in the Cisco profile for the 2802i APs. Look at the CDP attributes retrieved for the AP and compare them to the Cisco profile. You will see the error. You can modify then Cisco profiles if you want to. In most cases, you don't really care about the specific model of AP outside of asset tracking.

Re: ISE Deployment Issues

Jason Kunst — Fri, 16 Nov 2018 18:47:41 GMT

To help us all out in the future please don't post a list of questions that are unrelated to each other. This doesn't help those answering or in the future it won't help those researching same issues. Its best to search for each issue then post appropriate subject and message when you don't find what you need. A couple of these already have answers as well in the community. Google search works well first and then if you don't find something then search the community directly.

if you have follow up questions it would be nice to split those into a new thread to keep clean and on-point.

@paul did a great job summarizing some of these and i am going to add onto that

1-All of a sudden certain windows machines stop doing dot1x and revert to MAB until a GPO update is forced, or sometimes removing dot1x from the port and putting it back.

PAUL > For #1 it sounds like there is an issue with your GPO setup. You shouldn't see devices revert back to MAB (unless they are in hibernation or rebooting).

JAK > correct NAM is a stable way to do this. This is not an ISE question but an anyconnect question or general windows

https://community.cisco.com/t5/vpn-and-anyconnect/remote-desktop-to-dot1x-authenticated-machine-throws-internal/td-p/3471895

https://community.cisco.com/t5/policy-and-access/dot1x-and-remote-desktop-connections/td-p/403708

3-ISE is profiling the cisco 3800 APs as Cisco Access Points only and not a specific model. Is that ok?

PAUL > For #3 that is normal because the CDP attributes are wrong in the Cisco profile for the 2802i APs. Look at the CDP attributes retrieved for the AP and compare them to the Cisco profile. You will see the error. You can modify then Cisco profiles if you want to. In most cases, you don't really care about the specific model of AP outside of asset tracking.

Re: ISE Deployment Issues

NETAD — Fri, 16 Nov 2018 19:44:26 GMT

Thanks guys, I will double check the GPO setup and update the thread.