topic Re: dot1x taking 30 seconds to machine or user authenticate in Network Access Control

dot1x taking 30 seconds to machine or user authenticate

laurathaqi — Thu, 14 Oct 2021 07:22:17 GMT

Dear community,

I applied dot1x in a supplicant, authenticating via Cisco ISE. Authentication is successful, but whenever I restart the machine, the first authentication takes exactly 30 seconds to finish.

The Show authentication session int f0/1 shows dot1x success, authentication via PEAP. Meaning that its not failing to MAB, thus that timeout delay is out of play.

Configuration applied in the switch are:

switchport access vlan 1
switchport mode access
authentication event fail action next-method
authentication event server dead action authorize vlan 30
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable

Rule on ISE checks for the "is user is part of Domain Users or Domain Computers", then authenticate and allow access. Meanwhile the Supplicant is configured to authenticate via dot1x "User or Machine Authenticate".

Can someone please orient me towards what kind of delay this might be!? Its a usual behaviors, in meaning that it happens after each restart on my ports.

Any suggestion would be highly appreciated.

Looking forward to hearing from you!

Best regards,

Laura

Re: dot1x taking 30 seconds to machine or user authenticate

Rob Ingram — Thu, 14 Oct 2021 10:13:08 GMT

Hi @laurathaqi

Run a capture on ISE, filter on the NAD ip address the host is connected to and run the test again, that may provide some clue as to whether the client or ISE is slow to respond. Check the ISE live logs and look for the latency for communication to the AD DCs.

Is it just the one computer or NAD that is experiencing this issue?

Re: dot1x taking 30 seconds to machine or user authenticate

laurathaqi — Thu, 14 Oct 2021 12:21:37 GMT

Hi @Rob Ingram

It is happening in all of the computers were I am activating dot1x PEAP at. Without dot1x configuration, it used to work all fine.

The ISE Live Logs Error Messages are usually lack in explanations as all I get is, NAD or Supplicant may not be configured correctly. However, that's quite a wide scope to look at, specially as I doublechecked the configuration ten times now, and its all based on the Administration GUIDE of Cisco ISE.

With further troubleshooting I got another error on the way with information in the Event Logs of Microsoft, in the User Machine when trying to authenticate as following: A fatal error occurred while creating a TLS Client Credentials. The internal Error State is 10013.

I read that this is an issue when the server and the supplicant can not agree in a communication protocol to communicate with.

After a while now, I am getting the error of: "Windows can’t verify the certificate of the ise1.domainexample.com".

Based on google, this message solution is either of the following three: Windows Update bug(build1803 to 1809), ISE Certificate missing or in the Host's NIC to disable the option to "Verify the server's identity by validating the certificate.

1. Windows 10 is on the OS Build 19043.1237

2. ISE Certificates were generated and signed from the Root CA, and the Root CA is distributed via GPO to Domain Users.

3. Disabling "Verify the server's identity by validating the certificate" does not seem to be best solution as the certificate its generated and Signed by the Root and it should be working properly.

I am assuming that the logging delay issue has to do with the ones noted in this post. However, I am about to connect with the cliet in the upcoming hours and further troubleshoot.

Do you have any idea or suggestion on how to further attack this problem?

Note: Will run a capture, and update you after some hours from now.

Thank you,

Laura

Re: dot1x taking 30 seconds to machine or user authenticate

Rob Ingram — Thu, 14 Oct 2021 12:56:17 GMT

@laurathaqi

Is the ISE EAP certificate issued by the same CA as the computers?

If you take a packet capture on the computer that would provide some useful information.

If you enable radius and aaa debugs on the switch when the computer/user logs in that would provide a clue.