topic Re: Network adapter shows as, Unauthenticated in Network Access Control

Network adapter shows as, Unauthenticated

dgaikwad — Mon, 13 Jul 2020 05:22:37 GMT

Hi Experts,

Setup
ISE 2.6 (standalone)
Switch 2960 running IOS 15.2(2)E7

Use cases is of dot1x and posture, all the client have AnyConnect installed.

The issue that we are seeing is as follows, when for the first time of the day when a client boots up, the dot1x authentication does not happen. And the network card shows as unauthenticated and endpoint use MAB instead.
To make this work, we have to manually disable and enable the network card. and then it works with dot1x and posture happens and then as per the compliance policy is assigned the right VLAN.
Once the adapter has been disabled and enabled, then for the entire day no matter how many times the machine connects or disconnects, issue is not seen and not replicated.

The desktop is running Windows 10 with the latest updates
The network adapter drivers have also been updated to the latest

Not sure what could be missing from the configuration, any pointers?
Or are there any specific timers that are needed to be enabled on switch configuration?

Re: Network adapter shows as, Unauthenticated

Arne Bier — Fri, 17 Jul 2020 23:21:47 GMT

Can you share the relevant parts of the IOS (interface) config?

And also show us how the Windows supplicant is configured?

Re: Network adapter shows as, Unauthenticated

zunaid.cse — Sun, 19 Jul 2020 16:46:28 GMT

Can you share your switch radius configuration!

Please check below command you applied in Global config mode in switch or not?

dot1x system-auth-control

radius-server vsa send accounting
radius-server vsa send authentication

Thanks,
Muhammad Zunaid Bhuiyan

Or you can directly contact with me. I will try to troubleshoot your issue remotely.

Mobile+Whatsapp+Viber+IMO: +8801962400050

Email: zunaid.cse@gmail.com

Skype: mzunaidbhuiyan

Re: Network adapter shows as, Unauthenticated

dgaikwad — Thu, 23 Jul 2020 09:31:24 GMT

This is the configuration that I have on the switch:

aaa new-model
!
!
aaa group server radius ISE
server name DC-ISE-01
!
aaa authentication login ISE-TACACS group tacacs+ local
aaa authentication dot1x default group radius
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 ISE-TACACS group tacacs+ local
aaa authorization commands 15 ISE-TACACS group tacacs+ local
aaa authorization network default group radius
aaa accounting update newinfo periodic 2880
aaa accounting dot1x default start-stop group radius
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
!
!
!
!
aaa server radius dynamic-author
client <ISE Server> server-key 7 03270A180500701E1D5D4C
!
aaa session-id common
!
no ip domain-lookup
ip domain-name prasac.com.kh
ip device tracking probe auto-source
ip device tracking probe delay 10
!
interface GigabitEthernet1/0/1
switchport access vlan 115
switchport mode access
switchport voice vlan 125
authentication event server dead action reinitialize vlan 115
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
mab
dot1x pae authenticator
spanning-tree portfast edge
!
ip http server
ip http authentication local
ip http secure-server
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
ip tacacs source-interface Vlan105
!
ip access-list extended simple
deny udp any any eq domain
deny udp any eq bootps any eq bootpc
deny udp any eq bootpc any eq bootps
deny ip any host <ISE Server>
permit tcp any any eq www
permit tcp any any eq 443
!
radius server ISE
address ipv4 <ISE Server> auth-port 1812 acct-port 1813
key 7 072C705F4D06485744465E
!
dot1x system-auth-control

radius-server vsa send accounting
radius-server vsa send authentication

Network card config attached

Re: Network adapter shows as, Unauthenticated

dgaikwad — Thu, 23 Jul 2020 09:33:28 GMT

Yes, those commands are already applied on the switch, its that if you disable and enable the network adapter, then the dot1x works.
But, when the next day same PC starts up, it will again be needed to disable and enable the network card to have the dot1x working.

Re: Network adapter shows as, Unauthenticated

Arne Bier — Fri, 24 Jul 2020 00:50:18 GMT

Thanks for the comprehensive Windows supplicant screenshots. You are doing EAP-TLS User Authentication. It means that when the PC boots up and gets to the Windows Login screen, there will be no 802.1X sent to the switch. This explains the MAB. If the MAB causes an access-reject from ISE, then the switchport won't be in a good state and the PC might not have an IP address. Once the user logs into Windows, the supplicant will kick in - but by this time it's too late because the Cisco switch already has a session - and there was no Layer1 link down/up to cause the switch to restart the NAC. So, your solution to bounce the port is just that - Link Down/Up to cause the NAC process on the switch port. And then hey ....! User auth from Windows kicks in and the EAP-TLS does its job.

If your machines are domain joined, then change your supplicant to use Machine Authentication. This will ensure that the PC gets the NAC out of the way while PC is booting up.

There is another mode called User/Machine auth - this does both. But it means that you will get a NAC event during boot up to auth the machine, and then a NAC event when the user logs on. If you don't need to NAC every time the user logs on, the just do machine auth.

I will caution though ... what happens if the laptop goes to sleep after you've logged in and working for a while? Then come back from sleep and log into windows ... network will not work. Because the login event didn't trigger NAC event.

This is one reason to do both user/machine auth together, as long as you have a machine cert (always the case for domain joined machines) as well as user certs (pushed by Group Policy).

There are further complications if the user switches between wired and wireless, and mixes EAP methods (like EAP-TLS for machine auth and EAP-PEAP for user auth) - in those cases you will need Cisco AnyConnect client software.

OR ... the future ... ISE2.7 and Windows 10 (May 2020 release) using TEAP. The solution to all of the above.