03-12-2020 12:47 PM
Hello everyone,
I am currently in the process of configuring 802.1x for my classified network. Here is what I am working with:
Windows 10 workstations (supplicants, using the Windows supplicant software)
C3900 switch stack (authenticator)
Cisco ISE (Radius authentication server)
I configured the supplicants, configured the switches with the global aaa commands and the interfaces with dot1x commands, and configured the Radius server in Cisco ISE.
Here is the problem... When I try to authenticate from the workstation, it authenticates my user successfully but the workstation is denied. When I look at the Radius logs in ISE, it tells me that authentication is resulting in a pass for my user credentials, but the workstation is being denied. As a result, I am allowed to log in to the workstation, but no access to the network is granted.
I was hoping someone can point me in the right direction on how to fix this issue. I could provide more details if necessary.
Thanks
03-12-2020 01:28 PM
Would need to see your dot1x configuration that you have on the switch along with the error message you are getting on ISE in the Live Logs.
03-13-2020 05:55 AM
Since it's a classified environment, I can't share the full configurations, but the port I am testing has the following 802.1x configs on it:
#ip access-group PRE-AUTH in - this is an ACL I created to allow access to some things prior to authorization, such as DHCP.
#authentication open
#authentication port-control auto
#dot1x pae authenticator
The ISE server Radius Live Logs are giving me the following error:
"The client stopped responding to EAP session and started a new one"
I tried different options on the client authentication tab, but nothing seems to fix the issue.
The "Automatically use my Windows logon name and password (and domain if any)" checkbox is not selected because it is not allowing me to select it. I assume this is something that needs to be changed in the Group Policy, but have not been able to figure out how to do that.
Hope this helps. Thanks
03-13-2020 10:00 AM
Hi,
1. You need to make sure that the Windows supplicant is properly configured for the EAP(802.1x) method that ISE expects.
2. Make sure "aaa authorization network" is configured if you receive any authorisations from ISE (like ACL or VLAN), if you receive a VLAN make sure the VLAN is created on the switch, if you receive a VLAN name, make sure a VLAN on the switch with the exact same name exists. Use this document as a reference to validate your configuration:
Regards,
Cristian Matei.
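As an added reference example (not the original poster's configuration, and not Cisco's own documentation), here is a minimal IOS 15-style switch configuration that includes the "aaa authorization network" line from point 2 together with the interface commands the poster quoted. The RADIUS server address, shared secret, VLAN name and interface are placeholders; the PRE-AUTH ACL is a constructed one that only permits DHCP, as the poster described.

```cisco
! Added example: placeholder values, adapt to your environment.
aaa new-model
! 802.1X supplicants are authenticated against the RADIUS group
aaa authentication dot1x default group radius
! Without this line, a dACL or VLAN returned by ISE is ignored by the switch
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! ISE Policy Service Node (placeholder address and secret)
radius server ISE-PSN
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key SHARED-SECRET-PLACEHOLDER
!
! Global enable for 802.1X on the switch
dot1x system-auth-control
!
! Constructed pre-authentication ACL: allow DHCP only before authorization
ip access-list extended PRE-AUTH
 permit udp any eq bootpc any eq bootps
 deny ip any any
!
! If ISE returns a VLAN by name, a VLAN with exactly that name must exist here
vlan 100
 name EMPLOYEES
!
interface GigabitEthernet1/0/1
 switchport mode access
 ip access-group PRE-AUTH in
 authentication open
 authentication port-control auto
 dot1x pae authenticator
!
! Verification after the supplicant connects:
!   show authentication sessions interface GigabitEthernet1/0/1 details
!   show vlan brief
```

On older IOS releases the RADIUS server is defined with "radius-server host" instead of the "radius server" block.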
03-13-2020 04:23 AM
As @Marius Gunnerud suggested, we need to see your config with the logs on ISE.
Here is a reference guide if you would like to investigate and read for your interest:
03-13-2020 08:24 AM
03-19-2020 11:54 AM
How are you trying to authenticate the machines (MAC, certificate, etc.)?