DOT1X Authentication Problem

Running a C4506-E 15.2(2)E8

 

Machines are authenticating through ISE. Within 30 seconds one will fail to authenticate (after it has already passed authentication). It seems like a round robin of machines that are failing to authenticate after they have already authenticated. This process continues forever. It's like ISE is only accepting so many MAC addresses from this switch to authenticate at once, and every time that limit is reached one is forced to fail authentication to make room for another machine. I'm not too sure where to start as far as troubleshooting this issue. Any advice would help.


Arne Bier
VIP

The first place to look is in ISE under LiveLogs (or in Reports) to see why ISE had to fail the authentication. Sometimes the reason that ISE gives is not the real reason/cause, but it's a starting point.

 

What version of ISE?

What type of PAN/PSN? SNS-34 or SNS-35 etc.

How many endpoints do you see in the dashboard?

I doubt this makes any difference, but is the CPU trending high?

Thanks for the reply,

Total endpoints = 92335
Active endpoints = 22148

ISE Version = 2.1.0.474
PID= SNS-3495-K9
Installed Patched 1.2.3.5.7.8

CPU is not trending high. Steady around 10%


Also, when checking the live logs I see the machine authenticating, but it shows it authenticating 1033 times.
Like I mentioned, the devices just keep re-authenticating.

When you look at the switch side, do you see the session go into an authenticated state? There could be attributes that you are passing back from ISE that cause the session to go Unauth, so it never truly completes even though ISE authenticated it. If you see everything look good on the switch side, watch the detailed "show auth session" or "show access-session" output for that port. You will probably see Dot1x rerunning constantly. If the switch is satisfied with the authentication, the only way it would rerun Dot1x is if it received an EAPoL start message from the client.
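One way to confirm the re-authentication loop described in this thread from exported authentication records, as an added example that is not part of the original posts or any Cisco tooling. The CSV column layout, the sample rows and the thresholds are assumptions made for illustration, not an actual ISE export format.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample records. The columns are an assumed layout for this
# example; adapt the field names to whatever your report export contains.
SAMPLE_CSV = """timestamp,mac,nas_port,status
2024-01-01 10:00:00,AA:BB:CC:00:00:01,Gi2/1,PASS
2024-01-01 10:00:30,aabb.cc00.0001,Gi2/1,PASS
2024-01-01 10:01:00,AA-BB-CC-00-00-01,Gi2/1,FAIL
2024-01-01 10:01:30,AA:BB:CC:00:00:01,Gi2/1,PASS
2024-01-01 10:02:00,AA:BB:CC:00:00:01,Gi2/1,PASS
2024-01-01 10:00:00,AA:BB:CC:00:00:02,Gi2/2,PASS
2024-01-01 11:00:00,AA:BB:CC:00:00:02,Gi2/2,PASS
2024-01-01 12:00:00,AA:BB:CC:00:00:02,Gi2/2,PASS
2024-01-01 13:00:00,AA:BB:CC:00:00:02,Gi2/2,PASS
2024-01-01 10:00:05,AA:BB:CC:00:00:03,Gi2/3,PASS
"""


def normalize_mac(mac):
    """Reduce colon, dash and dotted MAC notations to 12 lowercase hex digits."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


def find_reauth_loops(csv_text, min_events=4, max_median_gap=60):
    """Flag (mac, port) pairs that authenticate repeatedly at short intervals.

    Returns {(mac, port): (event_count, median_gap_seconds, fail_count)}.
    A normal periodic reauthentication timer shows a long, steady gap; a
    loop shows many events seconds apart, mostly passes with a few failures.
    """
    events = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        key = (normalize_mac(row["mac"]), row["nas_port"])
        events[key].append((ts, row["status"].upper()))

    flagged = {}
    for key, evs in events.items():
        evs.sort()
        if len(evs) < min_events:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
        gap = median(gaps)
        if gap <= max_median_gap:
            fails = sum(1 for _, status in evs if status != "PASS")
            flagged[key] = (len(evs), gap, fails)
    return flagged
```

Ports that show up here are the ones to watch on the switch with the session commands mentioned above.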
