topic Re: ISE 802.1x and Windows Logoff in Network Access Control

ISE 802.1x and Windows Logoff

danielnunes — Mon, 11 Mar 2019 03:28:22 GMT

Hi Guys,

i have a ISE works fine using 802.1x but we have a strange behavior when the client just logoff the windows machine, after the client login again, the machine does not authenticate and stuck as a message " not possible to authenticate". Then I need to take off the cable machine and put again, after this everything works fine.

This happens just using logoff windows.

could someone help me about it?

thanks a lot

ISE 802.1x and Windows Logoff

Richard Atkin — Tue, 28 May 2013 20:26:51 GMT

Need more detail.. What Config have you got on the switchport and what authentication Config have you got on the Client?

Re: ISE 802.1x and Windows Logoff

danielnunes — Tue, 28 May 2013 20:36:06 GMT

Hi Rik,

I am using this configuration.

interface GigabitEthernet3/33

switchport access vlan 22

switchport mode access

switchport voice vlan 23

ip access-group ACL-DEFAULT in

logging event link-status

authentication event fail action next-method

authentication host-mode multi-domain

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

authentication violation restrict

mab

snmp trap mac-notification change added

snmp trap mac-notification change removed

dot1x pae authenticator

dot1x timeout tx-period 10

qos trust device cisco-phone

spanning-tree portfast

spanning-tree bpduguard enable

service-policy input AutoQos-4.0-Cisco-Phone-Input-Policy

service-policy output AutoQos-4.0-Output-Policy

the client are using the NAC Agent the way to perform a posture.

If i take off the cable and put again, everything works fine, but if the client try to logoff and after a time login again, the NIC Card can not be authenticated.

thanks a lot

ISE 802.1x and Windows Logoff

Jatin Katyal — Tue, 28 May 2013 21:22:30 GMT

so its MDA that means a PC is connected behind the phone. If I'm not wrong the CDP Enhancement for Second Port Disconnect working fine when we plug/unplug the cable but when a user logoff it doesn't (only if we are using cisco phones). In order to clear the sessions switch need to detect link state for devices connected behind IP phones.

Are we using 802.1x or MAB on the windows PC's?

Can we also look at the debugs when clients are unable to authenticate.

show authentication session interface

debug dot1x all

Jatin Katyal
- Do rate helpful posts -

ISE 802.1x and Windows Logoff

Richard Atkin — Tue, 28 May 2013 21:27:32 GMT

And have you got Machine Authentication enabled on the Clients?

Hi Jatin,I was looking for

fernandossilva — Mon, 05 Jun 2017 15:24:38 GMT

Hi Jatin,

I was looking for some information on the forum and am having exactly the problem that you put in your post, users have the PC is connected behind the ip phone. Some users lose authentication, and only come back when plug/unplug the cable.

How you managed to solve this problem.

Thank you.

Fernando Silva

Re: ISE 802.1x and Windows Logoff

mikisa.timothy2 — Wed, 15 Jul 2020 06:03:17 GMT

Hello,

Has anyone got a solution to this problem,

Its affecting almost all of my clients' regardless of whatever ise version i'm using

Re: ISE 802.1x and Windows Logoff

Colby LeMaire — Wed, 15 Jul 2020 13:54:10 GMT

On Windows, when a user is logged in, the computer is in the "user state" and sends user credentials. When a user logs off, the computer switches to "machine state" and sends machine credentials. If your supplicant is configured to do machine OR user authentication, then make sure the machine is passing authentication and getting enough access to reach AD domain controllers. When you are having this issue, do a "show authentication sessions interface X details". See what it shows there. If it shows Authorized, then make sure that the ACL applied (if any) is allowing connection to domain controllers.

Re: ISE 802.1x and Windows Logoff

mikisa.timothy2 — Thu, 16 Jul 2020 05:12:16 GMT

Hello,

No ACL is applied, and the supplicant is using 802.1x user authentication only.

this problem happens only when the user logoff and then back in, when they login the network adapter card shows authentication failure and the show authentication command on the switch also gives a result of authentication failed.

until you unplug the computer cable and plug it again.

This happens regardless of the switch model, supplicant windows version and ise version.

Please advise.

Re: ISE 802.1x and Windows Logoff

Colby LeMaire — Thu, 16 Jul 2020 14:29:11 GMT

Since you are configured to do user authentication only, the computer cannot authenticate to the switch once the user logs out. Change your supplicant to do machine or user and in your policies, just allow basic access for Domain Computer. That allows the computer to authenticate when the user is not logged in and can get GPO's and do user authentication if cached credentials aren't being used.

You can also SPAN the switchport and grab a capture of what is happening in that scenario. Sounds like you can recreate it very easily.

Re: ISE 802.1x and Windows Logoff

mikisa.timothy2 — Thu, 16 Jul 2020 16:46:30 GMT

This is very helpful and it makes alot of sense let me do that thanks.