topic Re: Issues with Device Authentication on ISE: Intermittent Disconnecti in Network Access Control

Issues with Device Authentication on ISE: Intermittent Disconnections

t-musin — Thu, 30 Jan 2025 04:10:02 GMT

We are experiencing unstable connectivity between endpoint devices and Cisco ISE. Random disconnections occur at unpredictable times, and standard troubleshooting methods (shut/no shut, removing port-security) do not resolve the issue. The only temporary solution is to remove the ISE configuration from the port, after which connectivity is restored. Additionally, authentication failures are observed, where devices (PCs or phones) fail to authenticate depending on the configured mode (multi-auth or multi-domain). Help me understand the problem

Re: Issues with Device Authentication on ISE: Intermittent Disconnecti

ahollifield — Thu, 30 Jan 2025 11:58:31 GMT

Is there a network problem? Is the AAA server alive from the NAD prospective? What is the NAD? Wired or wireless?

https://community.cisco.com/t5/security-documents/how-to-ask-the-community-for-help/ta-p/3704356

Re: Issues with Device Authentication on ISE: Intermittent Disconnecti

t-musin — Thu, 30 Jan 2025 12:15:06 GMT

No network problems,

If I understand the meaning of the word NAD correctly, we are using Cat9300 for user connection

Communication with the radius server is available. The problem is solved by removing the ISE configuration from the port

Re: Issues with Device Authentication on ISE: Intermittent Disconnecti

Dustin Anderson — Thu, 30 Jan 2025 14:55:37 GMT

By your logs, port security is shutting the ports down. Not sure why as you have max3 and it only has 2 stored. On the other hand with 802.1x and MAB you probably don't need port security as it would be a nightmare to manage if PCs move around.

Now, there are many ways to do it, but this is what we do.

1, Set an ACL on the port that grants minimal access needed to authenticate. Block everything else.

2, If ISE authenticates, send down a dACL that will replace the restrictive one for more access.

Another note since you are doing MAB, on 3850 and 9300 if you reverse the commands it will do MAB and 802.1x at the same time instead of waiting for the 802.1x timer to run out before doing MAB.

authentication order mab dot1x
authentication priority dot1x mab

Nov  6 15:59:36: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/18, changed state to up
Nov  6 16:00:15: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (0025.8416.ee01) with reason (No Response from Client) on Interface Gi1/0/18 AuditSessionID 000000000001721B01218909
Nov  6 16:01:58: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/18, putting Gi1/0/18 in err-disable state
Nov  6 16:01:58: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet1/0/18, new MAC address (80e8.2c27.63cb) is seen.AuditSessionID  lwiwiHH^D(^K<[S
Nov  6 16:01:58: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (80e8.2c27.63cb) with reason (No Response from Client) on Interface Gi1/0/18 AuditSessionID 000000000001721C01231D59
Nov  6 16:01:59: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/18, changed state to down

Re: Issues with Device Authentication on ISE: Intermittent Disconnecti

MHM Cisco World — Thu, 30 Jan 2025 14:58:34 GMT

Remove port secuirty

Then share

Show authentication session interface x/x detail

MHM

Re: Issues with Device Authentication on ISE: Intermittent Disconnecti

thomas — Fri, 31 Jan 2025 00:19:30 GMT

802.1X and Port Security are incompatible and fight for control of the port. Remove Port Security.