11-12-2018 04:47 AM
Hello, everyone. We have recently started deploying a port-based authentication system and are facing some problems. We use 4 ISE nodes: 2 for management (Active & Standby) and 2 as PSNs. We have created wired MAB (for cameras, printers and IP phones) and dot1x policies. All computers have been forced by GPO to get a certificate and the AnyConnect XML file. The problem is that while implementing PCs one by one we face some interesting problems. The main problem is that some PCs authenticate using dot1x while others match the MAB policy and fail. I am posting the switch configuration; I hope someone can help.
Thanks in advance.
11-12-2018 05:33 AM
11-12-2018 06:35 AM
I agree with @Jason Kunst. Are you sure that the PCs authenticating with MAB have the updated GPO? In my deployment I have the same, but this is not a problem of ISE: when the PC tries dot1x and it fails, it starts MAB. This is normal, because it does not match all the criteria for dot1x. Some of my domain PCs were not with the updated GPO and always failed; after gpupdate /force and a restart of the machine, all was OK. And one more thing: when a Windows machine goes to sleep or hibernates, it always does MAB. This is what I see in my deployment, and as I said above, this is not a problem of ISE, it is a problem of the endpoints.
11-13-2018 02:21 AM
Moreover, sometimes PCs can authenticate because I see in the live logs that they send their MAC address as the identity instead of the domain computer name. Can it also be related to the GPO or the PC?
11-13-2018 04:18 AM
It can be 2 things: 1. Group policy not updated. 2. The WLAN AutoConfig service or the Wired AutoConfig service not started.
But all of these are configurable by GPO by your domain admin. And as I wrote before, all Windows machines that go to sleep will be authenticated by MAB. In my deployment we set the machines not to go to sleep or hibernate.
11-13-2018 05:40 AM
No, in my case it is not because of sleep; all PCs are open. I have checked all the GPOs: one was for the AnyConnect mobile client, another for the AnyConnect configuration XML, and the last one for the certificate. All are okay and the same across all computers. However, some computers cannot authenticate using dot1x; they try MAB and fail. I am posting the debug output.
11-13-2018 05:57 AM
Hi, what kind of switch is that? This debug is a little strange for me; it's not like a Cisco switch.
11-13-2018 06:04 AM
11-13-2018 10:14 PM
Thank you for your response. I will check the solutions provided. One more problem I face is a bit different. I check the computer and see that the certificates and the AnyConnect configuration XML files are installed by GPO. However, some PCs cannot authenticate and ISE gives this log:
12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain
What can be the cause of this error?
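The 12514 message above means ISE could not build a chain from the client's certificate to a CA held in its Trusted Certificates store. As an added example (not part of this thread or any poster's deployment), the following shell script reproduces that check locally with openssl: it mints two throwaway CAs, issues a client certificate from each, and verifies both against a store that contains only the first CA. All CA and host names are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the check behind ISE
# message 12514 with openssl. All names below are constructed placeholders.
set -e
WORK=$(mktemp -d)

# Create a self-signed CA and issue one client certificate from it.
# $1 = working directory, $2 = CA common name, $3 = client common name
make_ca_and_client() {
  dir="$1"; mkdir -p "$dir"
  # Minimal config so the CA gets proper CA extensions on any openssl build.
  printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\n' > "$dir/ca.cnf"
  printf 'basicConstraints=critical,CA:TRUE\n' >> "$dir/ca.cnf"
  printf 'keyUsage=critical,keyCertSign,cRLSign\n' >> "$dir/ca.cnf"
  openssl req -x509 -config "$dir/ca.cnf" -extensions v3_ca -newkey rsa:2048 \
    -nodes -sha256 -days 1 -subj "/CN=$2" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$3" -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -in "$dir/client.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/client.pem" 2>/dev/null
}

# What the EAP-TLS server does: chain the client certificate to a CA it
# trusts. $1 = PEM bundle standing in for the ISE Trusted Certificates store,
# $2 = client certificate. Prints "trusted" or "unknown-ca".
check_client_cert() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo unknown-ca
  fi
}

make_ca_and_client "$WORK/corp"  "Corp-Issuing-CA" "pc01.corp.example"
make_ca_and_client "$WORK/other" "Other-Lab-CA"    "pc02.corp.example"

# Simulated trust store: only the corporate CA was imported into ISE.
cp "$WORK/corp/ca.pem" "$WORK/ise-trusted.pem"

check_client_cert "$WORK/ise-trusted.pem" "$WORK/corp/client.pem"   # trusted
check_client_cert "$WORK/ise-trusted.pem" "$WORK/other/client.pem"  # unknown-ca
```

To test a real endpoint, export its certificate and run check_client_cert against a PEM bundle of the CAs actually imported into ISE; a chain that needs an intermediate CA missing from that bundle fails the same way.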
11-14-2018 05:52 AM