topic Re: PC user cannot get response from ISE in Network Access Control

PC user cannot get response from ISE

eigrpy — Sat, 20 Feb 2021 21:00:41 GMT

Hello, The below is configuration on switch3560 and its port for 802.1x. The PC adapter is configured with authentication and enable IEEE 802.1x, but when the PC plugged into the switch port, the PC cannot get any response to promote to enter any credential . Anyone can give some suggestion? Thank you

aaa group server radius Name-dot1x_auth
server 10.0.10.21 auth-port 1645 acct-port 1646
!
aaa authentication dot1x default group Name-dot1x_auth
aaa authorization network default group Name-dot1x_auth
aaa accounting update newinfo
aaa accounting dot1x default start-stop group Name-dot1x_auth
!
!
aaa server radius dynamic-author
client 10.0.10.21 server-key Cisco123
!
aaa session-id common
system mtu routing 1500
mab request format attribute 32 vlan access-vlan
!

interface FastEthernet0/3
switchport access vlan 10
switchport mode access
authentication event fail action next-method
authentication event server dead action authorize vlan 10
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 3

radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf
radius-server dead-criteria tries 2
radius-server host 10.0.10.21 auth-port 1645 acct-port 1646
radius-server key Cisco123
radius-server vsa send accounting
radius-server vsa send authentication

Re: PC user cannot get response from ISE

balaji.bandi — Sat, 20 Feb 2021 21:00:46 GMT

the config is missed here - Look at ISE LiveLogs what you see there ? on the switch, is the Port come up ?

Re: PC user cannot get response from ISE

eigrpy — Sat, 20 Feb 2021 21:15:29 GMT

Thank you for your reply. no logs message over there.

Going to Operations----> Radius or Tacacs -----> Live Logs or Live Sessions

Is this a good way to check?

Re: PC user cannot get response from ISE

balaji.bandi — Sat, 20 Feb 2021 21:33:21 GMT

ISE side that is the place to look -

check the config :

auth-port 1812 acct-port 1813

http://www.network-node.com/blog/2015/12/30/switch-configuration-for-dot1x

Re: PC user cannot get response from ISE

Rob Ingram — Sat, 20 Feb 2021 22:25:05 GMT

@eigrpy

Is it just one user on this switch or all users?

Is the switch defined as a NAD in ISE? and with the correct shared secret? This might explain why you see nothing in the logs.

When you say the computer isn't prompting for credentials, what is your supplicant configuration? (provide screenshots). Normally if the computer was joined to AD, you'd pass through the user/computer credentials so you'd never be prompted.

You can use tcpdump on ISE to determine whether the switch is even attempting to communicate with ISE.

HTH

Re: PC user cannot get response from ISE

MHM Cisco World — Sat, 20 Feb 2021 22:59:16 GMT

switchport access vlan 10

switchport mode access

authentication event fail action next-method<-NO NEED

authentication event server dead action authorize vlan 10

authentication event server dead action authorize voice

authentication event server alive action reinitialize

authentication host-mode multi-domain

authentication order mab dot1x<- NO NEED

authentication priority dot1x<-NO NEED

authentication port-control auto

authentication periodic

authentication timer reauthenticate server

authentication violation restrict

mab

dot1x pae authenticator

dot1x timeout tx-period 3
switch port voice vlan <-need this

this misconfig
there are two different method
1-mab which is make SW fallback to mac when there is no EAPoL
2-mab 802.1x order when there you want to next method when first method failed.

Re: PC user cannot get response from ISE

eigrpy — Sat, 20 Feb 2021 23:37:35 GMT

@Rob Ingram

Is it just one user on this switch or all users?

----- there is only one users on the switch(lab)

Is the switch defined as a NAD in ISE? and with the correct shared secret? This might explain why you see nothing in the logs

----- the switch is defined as NAD in the ISE

tcpdump on ISE

----- Did not find the switch ip address in this tcpdump file, and the PC have not joined the domain yet

When you say the computer isn't prompting for credentials, what is your supplicant configuration?

----- Please see the below:

Re: PC user cannot get response from ISE

Damien Miller — Sat, 20 Feb 2021 23:42:28 GMT

Have you considered doing a pcap on the port and validating you are seeing EAPOL messages?

Re: PC user cannot get response from ISE

MHM Cisco World — Sun, 21 Feb 2021 00:14:38 GMT

Do you make change as i suggest above

show auth session interface

share the output to see what we get

Re: PC user cannot get response from ISE

eigrpy — Sun, 21 Feb 2021 01:18:43 GMT

Switch#sh authentication sessions interface fastEthernet 0/5
No Auth Manager contexts currently exist
Switch#
Switch#sh authentication sessions interface fastEthernet 0/3
No Auth Manager contexts currently exist
Switch#
Switch#sh authentication sessions interface fastEthernet 0/2
No Auth Manager contexts currently exist

------------------

interface FastEthernet0/2
switchport access vlan 10
!
interface FastEthernet0/3
switchport access vlan 10
switchport mode access
authentication event fail action next-method
authentication event server dead action authorize vlan 10
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 3

Re: PC user cannot get response from ISE

MHM Cisco World — Sun, 21 Feb 2021 03:45:58 GMT

dot1x system-auth-control <- this need
aaa new model <- this need