Hello, everyone. We have recently started deploying a port-based authentication system and are facing some problems. We use 4 ISE nodes: 2 for management (Active & Standby) and 2 as PSNs. We have created wired MAB (for cameras, printers and IP phones) and dot1x policies. All computers have been forced by GPO to get a certificate and the AnyConnect XML file. The problem is that while implementing PCs one by one we face some interesting problems. The main problem is that some PCs authenticate using dot1x while others match the MAB policy and fail. I am posting the switch configuration; I hope someone can help.
Thanks in advance.
I agree with @Jason Kunst. Are you sure that the PCs authenticating with MAB have the updated GPO? In my deployment I have the same, but this is not a problem of ISE: when the PC tries dot1x and it fails, it starts MAB. This is normal, because it does not match all the criteria for dot1x. Some of my domain PCs did not have the updated GPO and always failed; after gpupdate /force and a restart of the machine all is OK. And one more thing: when a Windows machine goes to sleep or hibernates it always does MAB. This is what I see in my deployment, and as I said above this is not a problem of ISE, it is a problem of the endpoints.
Moreover, sometimes PCs can authenticate because I see in the live logs that they send their MAC address as identity instead of the domain computer name. Can it also be related to GPO or the PC?
It can be 2 things: 1. Group policy not updated; 2. The WLAN AutoConfig service or Wired AutoConfig service not started.
But all of these are configurable by GPO by your domain admin. And as I wrote before, all sleeping Windows machines will be authenticated by MAB. In my deployment we set machines not to go to sleep or hibernate.
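The two endpoint-side causes named above (stale Group Policy, supplicant service not running) can be checked directly on a PC that keeps landing on MAB, together with the machine certificate the supplicant needs for EAP-TLS. The following PowerShell is an added example by the editor, not code from the thread; it assumes the native supplicant service name dot3svc (Wired AutoConfig), an AnyConnect Network Access Manager service named nam (assumed), and Group Policy operational log event IDs 1500/1502 for a successful computer-policy refresh (assumed).

```powershell
# Added example, not from the thread. Run elevated on a PC that is hitting MAB.
# It reports the conditions under which a Windows endpoint never answers the
# switch's EAP-Request/Identity, so the port times out dot1x and falls back to MAB.

$findings = New-Object System.Collections.Generic.List[string]

# 1. A wired supplicant must be running. Native: Wired AutoConfig (dot3svc).
#    AnyConnect NAM: service name 'nam' (assumed; confirm with Get-Service on a working PC).
$supplicants = @('dot3svc', 'nam')
$running = foreach ($name in $supplicants) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') { $name }
    elseif ($svc) { $findings.Add("$name is $($svc.Status) (StartType=$($svc.StartType))") }
}
if (-not $running) { $findings.Add('No wired supplicant service is running') }

# 2. When did computer Group Policy last apply successfully?
#    Event 1500 = processed, no changes; 1502 = processed, new settings applied (assumed IDs).
try {
    $gp = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-GroupPolicy/Operational'; Id = 1500, 1502
    } -MaxEvents 1 -ErrorAction Stop
    if ($gp.TimeCreated -lt (Get-Date).AddDays(-1)) {
        $findings.Add("Computer GPO last applied $($gp.TimeCreated); run gpupdate /force and reboot")
    }
} catch {
    $findings.Add('No successful computer Group Policy refresh found in the operational log')
}

# 3. The machine certificate the supplicant will present: private key present, not expired,
#    and Client Authentication EKU (1.3.6.1.5.5.7.3.2) or no EKU extension at all.
$machineCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
    ( -not $_.EnhancedKeyUsageList -or
      $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2' )
}
if (-not $machineCerts) {
    $findings.Add('No valid machine certificate with a private key and Client Authentication EKU in LocalMachine\My')
}

# 4. Is 802.1X actually enabled on the wired profile? (netsh lan needs dot3svc.)
if ($running -contains 'dot3svc') {
    $profiles = netsh lan show profiles 2>&1 | Out-String
    if ($profiles -notmatch '802\.1X\s*:\s*Enabled') {
        $findings.Add('No wired profile has 802.1X enabled (netsh lan show profiles)')
    }
}

if ($findings.Count -eq 0) {
    'Endpoint looks ready for dot1x; check the switch and ISE side next.'
} else {
    $findings | ForEach-Object { "PROBLEM: $_" }
}
```

Any PROBLEM line explains why the switch saw no EAP response: the port's dot1x timer expires and the session falls through to MAB, which then fails because the PC's MAC is not in the MAB endpoint groups. A PC with no findings but still on MAB should be checked from the switch side (show authentication sessions interface ...) and in the ISE live log details instead.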
No, in my case it is not because of sleep. All PCs are on. I have checked all GPOs: one was for the AnyConnect mobile client, another for the AnyConnect configuration XML and the last one for the certificate. All are OK and the same among all computers. However, some computers cannot authenticate using dot1x, try MAB and fail. I am posting the debug output.
Thank you for your response. I will check the solutions provided. One more problem I face is a bit different. I check the computer and see that the certificates and the AnyConnect configuration XML files are installed by GPO. However, some PCs cannot authenticate and ISE gives this log:
12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain
What can be the cause of this error?
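ISE reports 12514 when it cannot chain the client certificate up to a CA it trusts: the issuing (usually intermediate) CA is missing from the PSN's Trusted Certificates store and the client does not send it in its TLS Certificate message, or the PC was enrolled from a different CA than the one imported into ISE. The following PowerShell is an added example by the editor, not code from the thread; it assumes that the machine certificate with a private key in LocalMachine\My is the one the supplicant presents, and the export directory C:\temp\ise-ca is a placeholder.

```powershell
# Added example, not from the thread. Run on a PC that fails with ISE 12514.
# It builds the chain of the machine certificate, prints every issuer ISE must hold
# in Administration > System > Certificates > Trusted Certificates, and exports
# them as DER files that can be uploaded there.

function Get-SupplicantChain {
    param(
        [string]$Thumbprint,                   # optional: a specific cert; default = newest with a private key
        [string]$ExportDir = 'C:\temp\ise-ca'  # placeholder path, assumed
    )
    $candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }
    $cert = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
    if ($Thumbprint) { $cert = $candidates | Where-Object { $_.Thumbprint -eq $Thumbprint } }
    if (-not $cert) { throw 'No machine certificate with a private key in LocalMachine\My' }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # 12514 is about trust, not revocation; skip CRL/OCSP so only chaining is tested here.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $built = $chain.Build($cert)

    "Client cert : $($cert.Subject)  [$($cert.Thumbprint)]"
    "Chain built : $built"
    foreach ($s in $chain.ChainStatus) { "Chain status: $($s.Status) - $($s.StatusInformation.Trim())" }

    New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
    $elements = @($chain.ChainElements)
    # Element 0 is the leaf; every element above it must be trusted by ISE.
    for ($i = 1; $i -lt $elements.Count; $i++) {
        $c = $elements[$i].Certificate
        $role = if ($c.Subject -eq $c.Issuer) { 'root' } else { 'intermediate' }
        # An intermediate that is not in LocalMachine\CA cannot be sent by the supplicant either,
        # so in that case ISE has to hold it in Trusted Certificates itself.
        $inCaStore = [bool](Get-ChildItem Cert:\LocalMachine\CA | Where-Object { $_.Thumbprint -eq $c.Thumbprint })
        $file = Join-Path $ExportDir ("{0}-{1}.cer" -f $role, $c.Thumbprint)
        Export-Certificate -Cert $c -FilePath $file -Type CERT | Out-Null
        "{0,-12} {1}  inLocalMachine\CA={2}  exported={3}" -f $role, $c.Subject, $inCaStore, $file
    }
    if (-not $built -and ($chain.ChainStatus | Where-Object { $_.Status -eq 'PartialChain' })) {
        'PartialChain: an issuer is missing on this PC as well; deploy the intermediate CA certificate by GPO first.'
    }
}

Get-SupplicantChain
```

Compare the exported root and intermediate thumbprints with the Trusted Certificates list on the PSN that logged 12514: each one must be present and enabled for "Trust for client authentication and Syslog". Run the same function on a PC that authenticates successfully; if its chain ends at a different root or intermediate, the failing PCs were enrolled from a CA that ISE has never been told to trust.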