https://community.cisco.com/t5/network-access-control/quot-no-sessions-match-supplied-criteria-quot-on-a-dot1x-enabled/m-p/3497893#M539149 <HTML><HEAD></HEAD><BODY><P>I suggest downgrading the IOS on the switch. Current recommended version for Cat 4500 Sup8 is 3.6.3 per <A href="http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/compatibility/ise_sdt.html" title="http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/compatibility/ise_sdt.html">Cisco Identity Services Engine Network Component Compatibility, Release 2.0 - Cisco</A> </P></BODY></HTML> Wed, 20 Apr 2016 04:32:19 GMT howon 2016-04-20T04:32:19Z https://community.cisco.com/t5/network-access-control/quot-no-sessions-match-supplied-criteria-quot-on-a-dot1x-enabled/m-p/3497892#M539147 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>We are seeing some strange <SPAN data-dobid="hdw">behaviour on Catalyst 4K SUP 8 running 03.06.04.E <BR /></SPAN></P><P>1. One configuring the below interface commands the machine is denied access as "no sessions match supplied criteria" message is displayed by issuing "show authentication session interface gi4/15 de" command.</P><P>2. The ISE logs show that the machine is trying to authenticate via MAB.</P><P></P><P>By removing dot1x configuration everything is working.</P><P></P><P><SPAN style="font-family: calibri,verdana,arial,sans-serif;">interface GigabitEthernet4/15</SPAN></P><P><SPAN style="font-family: calibri,verdana,arial,sans-serif;"> switchport access vlan 912</SPAN></P><P><SPAN style="font-family: calibri,verdana,arial,sans-serif;"> switchport mode access</SPAN></P><P><SPAN style="font-family: calibri,verdana,arial,sans-serif;"> switchport voice vlan 942</SPAN></P><P><SPAN style="font-family: calibri,verdana,arial,sans-serif;"> ip access-group Dot1x_Preauth_Restricted_IN in</SPAN></P><P><SPAN style="font-family: calibri,verdana,arial,sans-serif;"> logging event link-status</SPAN></P><P><SPAN style="font-family: calibri,verdana,arial,sans-serif;"> authentication event fail action next-method</SPAN></P><P><SPAN style="font-family: calibri,verdana,arial,sans-serif;"> authentication host-mode multi-auth</SPAN></P><P><SPAN style="font-family: calibri,verdana,arial,sans-serif;"> authentication open</SPAN></P><P><SPAN style="font-family: calibri,verdana,arial,sans-serif;"> authentication order dot1x mab</SPAN></P><P><SPAN style="font-family: calibri,verdana,arial,sans-serif;"> authentication priority dot1x mab</SPAN></P><P><SPAN style="font-family: calibri,verdana,arial,sans-serif;"> authentication port-control auto</SPAN></P><P><SPAN style="font-family: calibri,verdana,arial,sans-serif;"> authentication violation replace</SPAN></P><P><SPAN style="font-family: calibri,verdana,arial,sans-serif;"> mab</SPAN></P><P><SPAN style="font-family: calibri,verdana,arial,sans-serif;"> no snmp trap link-status</SPAN></P><P><SPAN style="font-family: calibri,verdana,arial,sans-serif;"> dot1x pae authenticator</SPAN></P><P><SPAN style="font-family: calibri,verdana,arial,sans-serif;"> dot1x timeout tx-period 10</SPAN></P><P><SPAN style="font-family: calibri,verdana,arial,sans-serif;"> dot1x max-reauth-req 1</SPAN></P><P><SPAN style="font-family: calibri,verdana,arial,sans-serif;"> storm-control broadcast include multicast</SPAN></P><P><SPAN style="font-family: calibri,verdana,arial,sans-serif;"> storm-control broadcast level 0.10</SPAN></P><P><SPAN style="font-family: calibri,verdana,arial,sans-serif;"> spanning-tree portfast</SPAN></P><P><SPAN style="font-family: calibri,verdana,arial,sans-serif;"> spanning-tree bpduguard enable</SPAN></P><P><SPAN style="font-family: calibri,verdana,arial,sans-serif;">end</SPAN></P><P></P><P></P><P>The endpoint is correctly configured with dot1x. After stopping wired autoconfig&nbsp; "no sessions match supplied criteria" is displayed again even though we should be expecting MAB.</P><P></P><P>It seems to be an issue with a particular machine as other machines are able to authenticate from the same port.</P><P>However shouldn't the switch still be able authenticate the machine via MAB if for some reason the supplicant is corrupted ?</P><P></P><P>Please let me know if anyone has encountered the same issue.</P><P></P><P></P><P></P><P></P><P>Thanks,</P><P>Utkarsh</P></BODY></HTML> Mon, 18 Apr 2016 12:54:37 GMT https://community.cisco.com/t5/network-access-control/quot-no-sessions-match-supplied-criteria-quot-on-a-dot1x-enabled/m-p/3497892#M539147 umahar 2016-04-18T12:54:37Z https://community.cisco.com/t5/network-access-control/quot-no-sessions-match-supplied-criteria-quot-on-a-dot1x-enabled/m-p/3497893#M539149 <HTML><HEAD></HEAD><BODY><P>I suggest downgrading the IOS on the switch. Current recommended version for Cat 4500 Sup8 is 3.6.3 per <A href="http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/compatibility/ise_sdt.html" title="http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/compatibility/ise_sdt.html">Cisco Identity Services Engine Network Component Compatibility, Release 2.0 - Cisco</A> </P></BODY></HTML> Wed, 20 Apr 2016 04:32:19 GMT https://community.cisco.com/t5/network-access-control/quot-no-sessions-match-supplied-criteria-quot-on-a-dot1x-enabled/m-p/3497893#M539149 howon 2016-04-20T04:32:19Z https://community.cisco.com/t5/network-access-control/quot-no-sessions-match-supplied-criteria-quot-on-a-dot1x-enabled/m-p/3497894#M539151 <HTML><HEAD></HEAD><BODY><P>The issue was solved by Windows team by applying Windows patches. </P></BODY></HTML> Thu, 12 May 2016 06:31:00 GMT https://community.cisco.com/t5/network-access-control/quot-no-sessions-match-supplied-criteria-quot-on-a-dot1x-enabled/m-p/3497894#M539151 umahar 2016-05-12T06:31:00Z https://community.cisco.com/t5/network-access-control/quot-no-sessions-match-supplied-criteria-quot-on-a-dot1x-enabled/m-p/3497895#M539152 <HTML><HEAD></HEAD><BODY><P>Which windows OS was this? I might be having the same problem with windows 10 on Wired Dot1x</P></BODY></HTML> Wed, 30 May 2018 16:45:17 GMT https://community.cisco.com/t5/network-access-control/quot-no-sessions-match-supplied-criteria-quot-on-a-dot1x-enabled/m-p/3497895#M539152 kngitonga 2018-05-30T16:45:17Z