
802.1x authentication with Cisco ISE/Windows 11

Team, we see issues with 802.1x authentication after Windows 11 upgrades.

A few complaints coming in are that when the machine is idle for some time the 802.1x authentication breaks and the end user's computer goes into the default Internet-only access VLAN. This typically happens for end users who are using docking stations.

Unless the end user unplugs/plugs the cable, the 802.1x authentication does not succeed.

We are not using any posture assessments, we have only the 802.1x authentications.

I know that Windows 11 and 802.1x authentication have been a challenge, but is there any specific suggestion? Has anyone come across these issues?

 

Regards!!

N.


7 Replies

Marvin Rhoads
Hall of Fame

Are you using EAP-MSCHAPv2? There is a known issue whereby the Windows 11 22H2 update's Credential Guard feature disables the MSCHAPv2 protocol, since it is considered insecure. You can re-enable it via a registry key (most commonly set via GPO).

The long term recommendation is to move to a secure inner method like EAP-TLS but that requires a PKI to issue certificates and takes a bit of planning and deployment testing.

Hi Marvin,
At our end we are using EAP-TLS. Again, we see these issues after Windows 11 only.

 

Thanks!

That's a new one by me then. It does sound like something changed in the supplicant behaviour though.

What does the RADIUS live log indicate is happening?

The RADIUS live logs show that the user sessions are toggling between the Production VLAN and the Guest VLAN.
We are not sure why this is going on.

Greg Gibbs
Cisco Employee (accepted solution)

This sounds like another case of FlexAuth (order mab dot1x, priority dot1x mab) with legacy IBNS configuration on the switch. See this whitepaper for the expected behaviour and workaround using the 'terminate-action-modifier=1' Cisco AV pair (in the footer on page 3).
Flexible Authentication Order, Priority, and Failed Authentication

This doc also shows an example of how to use this option:
Top Ten mis-configured Cisco IOS Switch settings for ISE integration  

 

In our case we do the dot1x first, and then mab.

This is for both, order and priority.
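The exchange above turns on what the RADIUS live log actually shows per endpoint: whether the Guest/Internet-only authorization is a MAB result that follows a dot1x failure (the FlexAuth/timer behaviour Greg's reply points at) or whether dot1x itself is being authorized into the fallback VLAN (a supplicant, certificate or policy problem). The script below is an added example, not code from the thread or from Cisco; it triages a constructed, simplified CSV export (timestamp, MAC, method, status, authorization profile, reason) rather than ISE's real live-log column layout, and the profile names PROD_ACCESS and INTERNET_ONLY are assumed placeholders. Adapt parse_records() and the two profile sets to your own export before running it on real data.

```python
"""Triage RADIUS live-log style records for endpoints flapping between VLANs.

Added example, not part of the original thread. The CSV format is a
constructed simplification of an ISE live-log export; real exports have
many more columns, so adapt parse_records() to yours.
"""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample data (not a real ISE export). Endpoint ...:01 is a docked
# laptop whose dot1x session drops after idle time; MAB then wins the port and
# lands it in the Internet-only profile. Endpoint ...:02 stays healthy.
SAMPLE_LOG = """\
timestamp,mac,method,status,profile,reason
2023-03-01T08:00:05,aa:bb:cc:dd:ee:01,dot1x,PASSED,PROD_ACCESS,
2023-03-01T08:00:06,aa:bb:cc:dd:ee:02,dot1x,PASSED,PROD_ACCESS,
2023-03-01T09:30:10,aa:bb:cc:dd:ee:01,dot1x,FAILED,,Supplicant stopped responding
2023-03-01T09:30:25,aa:bb:cc:dd:ee:01,mab,PASSED,INTERNET_ONLY,
2023-03-01T10:00:06,aa:bb:cc:dd:ee:02,dot1x,PASSED,PROD_ACCESS,
2023-03-01T11:15:40,aa:bb:cc:dd:ee:01,dot1x,PASSED,PROD_ACCESS,
2023-03-01T13:02:11,aa:bb:cc:dd:ee:01,dot1x,FAILED,,Supplicant stopped responding
2023-03-01T13:02:30,aa:bb:cc:dd:ee:01,mab,PASSED,INTERNET_ONLY,
"""

# Assumed authorization profile names; replace with the ones in your ISE policy.
PROD_PROFILES = {"PROD_ACCESS"}
FALLBACK_PROFILES = {"INTERNET_ONLY"}


def parse_records(text):
    """Parse the CSV text into dicts, with timestamps as datetime, oldest first."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["timestamp"] = datetime.fromisoformat(r["timestamp"])
    rows.sort(key=lambda r: r["timestamp"])
    return rows


def sessions_by_mac(rows):
    """Group records per endpoint MAC, preserving time order."""
    by_mac = defaultdict(list)
    for r in rows:
        by_mac[r["mac"]].append(r)
    return by_mac


def vlan_transitions(entries):
    """List (time, from_profile, to_profile, method) for every authorization change."""
    transitions = []
    last = None
    for e in entries:
        if e["status"] != "PASSED":
            continue
        if last is not None and e["profile"] != last:
            transitions.append((e["timestamp"], last, e["profile"], e["method"]))
        last = e["profile"]
    return transitions


def classify(entries):
    """Explain why an endpoint reaches the fallback profile.

    mab-after-dot1x-failure: every fallback authorization is a MAB pass that
        directly follows a dot1x failure. That is the switch falling back to
        the next method after the supplicant stopped answering, so look at the
        FlexAuth order/priority and timers, not at the EAP-TLS certificate.
    fallback-authorized-directly: dot1x (or MAB without a preceding dot1x
        failure) was authorized into the fallback profile, so the ISE policy
        or the supplicant's identity is what to check.
    stable: the endpoint never left the production profile.
    """
    prev = None
    mab_after_dot1x_failure = 0
    other_fallback = 0
    for e in entries:
        if e["status"] == "PASSED" and e["profile"] in FALLBACK_PROFILES:
            dot1x_just_failed = (prev is not None and prev["method"] == "dot1x"
                                 and prev["status"] == "FAILED")
            if e["method"] == "mab" and dot1x_just_failed:
                mab_after_dot1x_failure += 1
            else:
                other_fallback += 1
        prev = e
    if other_fallback:
        verdict = "fallback-authorized-directly"
    elif mab_after_dot1x_failure:
        verdict = "mab-after-dot1x-failure"
    else:
        verdict = "stable"
    return {"verdict": verdict,
            "mab_after_dot1x_failure": mab_after_dot1x_failure,
            "other_fallback": other_fallback,
            "transitions": vlan_transitions(entries)}


def triage(text):
    """Map each endpoint MAC in the export to its classification."""
    return {mac: classify(entries)
            for mac, entries in sessions_by_mac(parse_records(text)).items()}


if __name__ == "__main__":
    for mac, result in triage(SAMPLE_LOG).items():
        print(mac, result["verdict"], len(result["transitions"]), "VLAN changes")
        for when, old, new, method in result["transitions"]:
            print(f"  {when:%H:%M:%S} {old} -> {new} via {method}")
```

If most docked endpoints come out as mab-after-dot1x-failure, the failure reason on the preceding dot1x record (here a constructed "Supplicant stopped responding") is the thing to chase on the Windows side, and the switch-side termination/reauthentication behaviour in the whitepaper Greg linked is the place to apply the workaround; a fallback-authorized-directly verdict instead points at the ISE authorization policy or the certificate the supplicant presented.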

hslai
Cisco Employee (accepted solution)

@network_geek1979 If you still have some Windows 10 clients with similar docking stations and working fine, then Windows 11 is more likely the source of this networking problem. The following two articles might interest you, in case you have not read them yet:

I have only tested a couple of Windows 11 VMs with manually configured wired .1X and found that it prompted for more user interaction for domain login.
