topic Re: 802.1X EAP-TLS in Network Security

802.1X EAP-TLS

AbelBurgos5029 — Wed, 16 Dec 2020 19:52:29 GMT

Hello everyone,

I am currently in the process of rolling out Dot1x in a small classified network. The network has the following:

(12) Windows 10 Machines using native supplicant software

(1) Cisco C9300 acting as the authenticator

(1) Cisco ISE acting as the authentication Server using AD for credentials

I configured certificate auto-enrollment for machines and users in the AD and it is working fine; all machines as well as users are able to get their certificate to authenticate with EAP-TLS. Everything was working fine until I had to switch around 3 machines to different switchports. Out of the 3 machines that I switched around only 1 can still authenticate. The others two no longer can.

I am thinking this might have something to do with the mac address-table, DHCP or something like that. Anyone have had this issue before? Any help will be appreciated!

Thanks

Abel

Re: 802.1X EAP-TLS

balaji.bandi — Wed, 16 Dec 2020 22:50:23 GMT

what you see logs on the switch and ISE.

Re: 802.1X EAP-TLS

AbelBurgos5029 — Thu, 17 Dec 2020 13:33:42 GMT

I will take a look at the ISE and Switch logs tomorrow and post it here. Currently stucked home with the Snow Storm (NY).

Re: 802.1X EAP-TLS

AbelBurgos5029 — Mon, 21 Dec 2020 19:50:49 GMT

Hello,

I reviewed the ISE logs and the workstation is being rejected with the reason that "the workstation abandoned the EAP session and started a new one." Any idea on why does this happen?

Thanks

Re: 802.1X EAP-TLS

Marvin Rhoads — Tue, 22 Dec 2020 03:45:33 GMT

That issue is most often due to supplicant configuration issues. It can be difficult to troubleshot due to there being so many potential variables on endpoint configurations. I'd start with verifying the various settings under the supplicant configuration (security tab of the network adapter properties). You didn't mention how you pushed out the configurations - was it via GPO or manually set them?

Re: 802.1X EAP-TLS

AbelBurgos5029 — Wed, 23 Dec 2020 16:08:32 GMT

Marvin,

The supplicant configurations are pushed via GPO. So the workstation having the issues has the same configuration as the rest of the machines.

Re: 802.1X EAP-TLS

Marvin Rhoads — Wed, 23 Dec 2020 17:09:49 GMT

GPO should standardize the supplicant config.

Is it a wired or wireless adapter? I have seen driver issues with wireless sometimes cause this. Less often is that the case with wired.

Re: 802.1X EAP-TLS

fasease22680 — Tue, 02 Mar 2021 21:34:44 GMT

Unity Connection has a "Route from subsequent routing rule" choice that can be used for this sort of "snow day" function (i.E. Everybody calling in hears a message after which the decisionlink that is routed to where it'd have long past commonly after that.