topic Re: 802.1x authentication with Cisco ISE/Windows 11 in Network Access Control

802.1x authentication with Cisco ISE/Windows 11

network_geek1979 — Mon, 28 Nov 2022 09:08:02 GMT

Team, we see issues with 802.1x authentication after Windows 11 upgrades.

Few complaints coming in are when the machine is idle for some time the 802.1x authentication breaks and the end users computer goes in the default Internet only access VLAN. This typically happens for end users who are using docking stations.

Unless the end user does not unplug/plug the cable the 802.1x authentication does not succeed.

We are not using any posture assessments, we have only the 802.1x authentications.

I know that Windows 11 and 802.1x authentication have been a challenge but specifically any suggestion? Anyone has come across these issues?

Regards!!

Re: 802.1x authentication with Cisco ISE/Windows 11

Marvin Rhoads — Mon, 28 Nov 2022 13:25:13 GMT

Are you using EAP-MSCHAPv2? There is a known issue whereby Windows 11 update 22H2 credential Guard feature disables the MSCHAPv2 protocol since it is considered insecure. You can re-enable it via registry key (most commonly set via GPO).

The long term recommendation is to move to a secure inner method like EAP-TLS but that requires a PKI to issue certificates and takes a bit of planning and deployment testing.

Re: 802.1x authentication with Cisco ISE/Windows 11

network_geek1979 — Mon, 28 Nov 2022 13:54:47 GMT

Hi Marvin,
At our end we using EAP-TLS. Again, we see these issues after Windows 11 only.

Thanks!

Re: 802.1x authentication with Cisco ISE/Windows 11

Marvin Rhoads — Mon, 28 Nov 2022 14:13:45 GMT

That's a new one by me then. It does sound like something changed in the supplicant behaviour though.

What does the RADIUS live log indicate is happening?

Re: 802.1x authentication with Cisco ISE/Windows 11

Greg Gibbs — Mon, 28 Nov 2022 21:53:31 GMT

This sounds like another case of FlexAuth (order mab dot1x, priority dot1x mab) with legacy IBNS configuration on the switch. See this whitepaper for the expected behaviour and workaround using the 'terminate-action-modifier=1' Cisco AV pair (in the footer on page 3).
Flexible Authentication Order, Priority, and Failed Authentication

This doc also shows an example of how to use this option:
Top Ten mis-configured Cisco IOS Switch settings for ISE integration

Re: 802.1x authentication with Cisco ISE/Windows 11

network_geek1979 — Mon, 05 Dec 2022 13:19:10 GMT

The Radius live logs show that user sessions is toggling between Production VLAN and Guest VLAN.
We are not sure why this is going on.

Re: 802.1x authentication with Cisco ISE/Windows 11

network_geek1979 — Mon, 05 Dec 2022 13:20:34 GMT

In our case we do the dot1x first, and then mab.

This is for both, order and priority.

Re: 802.1x authentication with Cisco ISE/Windows 11

hslai — Thu, 08 Dec 2022 00:03:16 GMT

@network_geek1979 If you still have some Windows 10 clients with similar docking stations and working fine, then Windows 11 is more likely the source of this networking problem. The following two articles might interest you, in case you have not read them yet:

I have only tested a couple of Windows 11 VM with manual configured wired .1X and found it prompted for more user interactions for domain login.

Re: 802.1x authentication with Cisco ISE/Windows 11

NETSEC11 — Wed, 30 Oct 2024 13:23:25 GMT

@network_geek1979 , Did you manage to fix this issue? I am having exactly the same problem. Authentication is working but Authorization policy is hitting default which puts the user to Quarantine. It only happens after upgrading to windows 11 and also using a docking station. Would like to know which solution fixed your issue?