cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
 
Register for the monthly ISE Webinars to learn about ISE configuration and deployment.
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

143
Views
0
Helpful
6
Replies
Participant

Slow Login Native supplicant Windows 10 compared to NAM

We are in the process of deploying dot1x with ISE.  We have noticed that there is drastic difference in the "login" time for a machine that is locked between the native supplicant and NAM.  If using the native one it takes over 12 seconds for the desktop to be displayed, the NAM it is almost instant.  Debugging the switch shows no dot1x packets for either test, and the port shows authenticated as expected.  I have looked at windows logs and see nothing and there doesn't appear to be any dot1x traffic or logs on the ISE server.

 

Any suggestions?

 

Joe

6 REPLIES 6
VIP Advocate

Re: Slow Login Native supplicant Windows 10 compared to NAM

Wired or wireless supplicant?

 

Are you doing Machine auth, User auth or both?

 

Machine auth (if configured) is used when machine boots up, as well as when you log out of current user session.  When you log in with a user account credential, then a user supplicant authentication is triggered (if its configured of course).

 

Share some screen shots etc.  

Participant

Re: Slow Login Native supplicant Windows 10 compared to NAM

We are using both machine and user authentication. Machine Auth works as expected and is almost immediate, I can see the correct authorization profile applied and proper dACL placed on the port. User logs in and I see user authentication take place and correct profile is applied. If I lock the machine at this time, the access-session on the switch remains authorized and there is no change, but when the user "unlocks" the machine and attempts to get to the desktop is when I am seeing the over 12 sec delay. I don't see any dot1x events during this sequence for either supplicant as there is no change in the authentication session. If use the NAM module for the same machine/user the "unlock" process is less than 2 seconds.

I can provide screen shots if needed when I get onsite.

Thanks,

Joe
Highlighted
Cisco Employee

Re: Slow Login Native supplicant Windows 10 compared to NAM

What can I say go "NAM".

Jokes apart, make sure you select both the option in the native supplicant.

Also turn on debugs for dot1x on the switch and look at the logs on the ISE side to see if it even makes it to the switch.

You can also confirm this by seeing if there are RADIUS logs during those 15 seconds.

Check out Windows logs to see if you can find additional information.

 

-Krishnan

Participant

Re: Slow Login Native supplicant Windows 10 compared to NAM

I have enabled dot1x debugging and the port is already authenticated:

 

PadCORP4510#show access-session interface gigabitEthernet 1/43

Interface MAC Address Method Domain Status Fg Session ID
----------------------------------------------------------------------
Gi1/43 503d.e57d.8830 mab VOICE Auth 0A0425180000083F234BDC34
Gi1/43 d481.d76b.1635 dot1x DATA Auth 0A042518000008A78F9F2EEC

 

Machine is in a locked state and when I put in creds there are no logged messages for either supplicant as the authentication is not changing...I have looked in the Windows Event Logs but haven't found anything of note...is there a specific location or log to inspect?

 

Thanks,

 

Joe

 

VIP Advocate

Re: Slow Login Native supplicant Windows 10 compared to NAM

Please share your Windows Wired Supplicant screenshots - e.g.

 

winsup0.png

 

winsup1.PNGwinsup2.PNG

Participant

Re: Slow Login Native supplicant Windows 10 compared to NAM

Services.PNGDOT1x Authentication.PNGPEAP Properties.PNGMSCHAP.PNGAdvanced Authentication Settings.PNG