cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

710
Views
0
Helpful
9
Replies
Highlighted

ISE matching MAB Policy instead of Dot1x

Hello, everyone. We have recently started deploying port based authentication system and facing some problems. We use 4 ISE nodes 2 for mng (Active&Standby) and 2 as PSN. We have created wired mab (For Cameras, Printers and IpPhones) and dot1x policies. All computers have been forced by GPO for getting certificate and Anyconnect xml File. The problem is while implementing PCs one by one we face some interesting problems. The main problem is that some PCs authenticate using dot1x while others match with mab policy and fail. I am posting the switch configuration hope anyone will help.

 

Thanks in advance.

 

Everyone's tags (5)
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: ISE matching MAB Policy instead of Dot1x

From what i can see, Switch is sending out EAPOL packets but the client is not responding. If you re doing EAP-TLS, make sure the client has a user/machine certificate. Check if 802.1x is enabled on the adapter. Regardless, the bottom line is that the client is not responding to EAPOL packets. Suggest you to have a look at https://community.cisco.com/t5/security-blogs/getting-past-intermittent-unexplained-802-1x-problems-on-windows/ba-p/3104109 and see if any of them help.

View solution in original post

9 REPLIES 9
Cisco Employee

Re: ISE matching MAB Policy instead of Dot1x

Here are some guides for configuration of wired


https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

If some PCs work and some don’t likely problem with the pcs. Make sure the are patched

For troubleshooting assistance please work through tac
Contributor

Re: ISE matching MAB Policy instead of Dot1x

I am ,agree with @Jason Kunst  are you sure that PC authenticate with MAB are with updated GPO . In my deployment i have same ,but this is not problem of ISE ,when the PC try DOT1X and it fail it start MAB this is normal because it not match all criteria by dot1x. Some of my Domain PC was not with updated GPO and always fail after gpupdate /force  and restart the machine all is ok. And 1 more thing when a windows machine go to sleep or hibernate always make MAB this is the thing what i see in my deployment ,and as i told above this is not problem of ISE it is the problem of endpoints .

Re: ISE matching MAB Policy instead of Dot1x

Moreover, sometimes PCs can authenticate because I see in the live logs that they send their mac-address as identity instead of Domain Computer name. Can it be also related to GPO or PC?

Contributor

Re: ISE matching MAB Policy instead of Dot1x

IT can be 2 things: 1 Not updated group policy 2 Not started WLAN AUTOCONFIG SERVICE or WIRED AUTOCONFIG service

But all of these are configurable by GPO by your Domain admin. And as i wrote before all Windows sleep machines will be authenticated by MAB .In my deployment we set machines not going to sleep or hibernate .

 

Re: ISE matching MAB Policy instead of Dot1x

No, in my case it is not because of sleep. all PCs are open. I have checked all GPOs 1 was for Anyconnect mobile client, another for Anyconnect configuration xml and last one for certificate. All are okay and same among all computers. However some computers cannot authenticate using dot1x and trying mab and fail. I am posting debug output.

Contributor

Re: ISE matching MAB Policy instead of Dot1x

Hi what kind of switch is that this debug is a little strange for me its not like a cisco switch

Cisco Employee

Re: ISE matching MAB Policy instead of Dot1x

From what i can see, Switch is sending out EAPOL packets but the client is not responding. If you re doing EAP-TLS, make sure the client has a user/machine certificate. Check if 802.1x is enabled on the adapter. Regardless, the bottom line is that the client is not responding to EAPOL packets. Suggest you to have a look at https://community.cisco.com/t5/security-blogs/getting-past-intermittent-unexplained-802-1x-problems-on-windows/ba-p/3104109 and see if any of them help.

View solution in original post

Re: ISE matching MAB Policy instead of Dot1x

Thank you for your response. I will check the solutions provided. One more problem i face is a bit different. I check computer and see that certificates and Anyconnect configuration xml files are installed by GPO. However some PCs cannot authenticate and ISE gives this log:

 

12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain

 

What can be cause of this error?

Cisco Employee

Re: ISE matching MAB Policy instead of Dot1x

The anyconnect issue is separate please open another thread and also work through TAC for support troubleshooting issues if urgent