
Slow Login Native supplicant Windows 10 compared to NAM

joeharb
Level 5

We are in the process of deploying dot1x with ISE. We have noticed that there is a drastic difference in the "login" time for a machine that is locked between the native supplicant and NAM. If using the native one it takes over 12 seconds for the desktop to be displayed; with NAM it is almost instant. Debugging the switch shows no dot1x packets for either test, and the port shows authenticated as expected. I have looked at Windows logs and see nothing, and there doesn't appear to be any dot1x traffic or logs on the ISE server.

 

Any suggestions?

 

Joe

6 Replies

Arne Bier
VIP

Wired or wireless supplicant?

 

Are you doing Machine auth, User auth or both?

 

Machine auth (if configured) is used when the machine boots up, as well as when you log out of the current user session. When you log in with a user account credential, then a user supplicant authentication is triggered (if it's configured, of course).

 

Share some screen shots etc.  

We are using both machine and user authentication. Machine Auth works as expected and is almost immediate; I can see the correct authorization profile applied and proper dACL placed on the port. User logs in and I see user authentication take place and the correct profile is applied. If I lock the machine at this time, the access-session on the switch remains authorized and there is no change, but when the user "unlocks" the machine and attempts to get to the desktop is when I am seeing the over 12 sec delay. I don't see any dot1x events during this sequence for either supplicant as there is no change in the authentication session. If I use the NAM module for the same machine/user the "unlock" process is less than 2 seconds.

I can provide screen shots if needed when I get onsite.

Thanks,

Joe

What can I say, go "NAM".

Jokes apart, make sure you select both the option in the native supplicant.

Also turn on debugs for dot1x on the switch and look at the logs on the ISE side to see if it even makes it to the switch.

You can also confirm this by seeing if there are RADIUS logs during those 15 seconds.

Check out Windows logs to see if you can find additional information.

 

-Krishnan

I have enabled dot1x debugging and the port is already authenticated:

 

PadCORP4510#show access-session interface gigabitEthernet 1/43

Interface  MAC Address     Method  Domain  Status  Fg  Session ID
----------------------------------------------------------------------
Gi1/43     503d.e57d.8830  mab     VOICE   Auth        0A0425180000083F234BDC34
Gi1/43     d481.d76b.1635  dot1x   DATA    Auth        0A042518000008A78F9F2EEC

 

Machine is in a locked state and when I put in creds there are no logged messages for either supplicant as the authentication is not changing...I have looked in the Windows Event Logs but haven't found anything of note...is there a specific location or log to inspect?

 

Thanks,

 

Joe

 

Please share your Windows Wired Supplicant screenshots - e.g.

 

[Screenshots: winsup0.png, winsup1.PNG, winsup2.PNG]

[Screenshots: Services.PNG, DOT1x Authentication.PNG, PEAP Properties.PNG, MSCHAP.PNG, Advanced Authentication Settings.PNG]
