09-22-2014 10:36 AM - edited 03-10-2019 10:02 PM
Hi There.
I am experiencing a very strange problem with the built-in 802.1X supplicant on WIN7. I have about 200 computers, and I run 802.1X on all of them.
I use machine certificates and EAP-TLS for 802.1X. The switch is programmed to use 802.1X first and MAB as failover (check the config below).
Random computers fail with 802.1X. The switch cannot start 802.1X with the computer, and the switch tries MAB because 802.1X fails. The computer doesn't match the MAB rule on ISE, because this is not the way it should work. If the same computer tries the next day, it works properly with 802.1X.
I haven't configured the dot1x timeout quiet-period or dot1x timeout tx-period parameters because I do not have experience with these commands.
I noticed that the failing computer is trying to authenticate with the MAC address and not the hostname as intended. I do not know why this is happening for random computers.
I hope someone can help me to solve this problem.
SWITCH1#show authentication sessions interface GigabitEthernet2/0/13
Interface: GigabitEthernet2/0/17
MAC Address: 782b.cba4.f812
IP Address: Unknown
User-Name: 782bcba4f812
Status: Authz Failed
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-host
Oper control dir: in
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A01FA740000022A13425681
Acct Session ID: 0x00000398
Handle: 0x5200031B
Runnable methods list:
Method State
dot1x Failed over
mab Failed over
SWITCH1#
SWITCH1#show run int GigabitEthernet2/0/13
Building configuration...
Current configuration : 729 bytes
!
interface GigabitEthernet2/0/13
description **USERPORT**
switchport access vlan 1732
switchport mode access
ip access-group ACL-DEFAULT-DENY+ALL in
srr-queue bandwidth share 1 11 11 78
srr-queue bandwidth shape 10 0 0 0
queue-set 2
priority-queue out
authentication control-direction in
authentication host-mode multi-host
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
mls qos trust dscp
dot1x pae authenticator
storm-control broadcast level 10.00
storm-control multicast level 10.00
spanning-tree portfast
spanning-tree guard root
service-policy input limit-ef
end
09-23-2014 11:00 PM
I have hit similar issue(s) in my past deployments. Take a look at this link
http://robert.penz.name/555/list-of-ieee-802-1x-hotfixes-for-windows-7/
I would check the affected machine(s) and make sure that they have all of the hot fixes from the link that are related to your issue. I have found that most of the time 976373 fixed the problem.
Hope this helps!
Thank you for rating helpful posts!
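To find which ports show the symptom discussed in this thread, the session output can be scanned for sessions where dot1x failed over and the User-Name is just the MAC address. The Python below is an added example, not part of the thread; the sample text, MAC addresses, host name and function names are constructed for illustration.

```python
import re

# Constructed sample (made-up MACs and host name) in the thread's output format.
SAMPLE = """\
Interface: GigabitEthernet2/0/13
MAC Address: 0011.2233.4455
User-Name: 001122334455
Status: Authz Failed
Runnable methods list:
Method State
dot1x Failed over
mab Failed over
Interface: GigabitEthernet2/0/14
MAC Address: 0011.2233.6677
User-Name: host/pc-0042.example.local
Status: Authz Success
Runnable methods list:
Method State
dot1x Authc Success
mab Not run
"""

def parse_sessions(text):
    """Split the output into one dict per 'Interface:' block."""
    sessions, cur = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Interface:"):
            cur = {"methods": {}}
            sessions.append(cur)
        if cur is None:
            continue
        method = re.match(r"(dot1x|mab)\s+(.+)$", line)
        if method:  # row of the "Method State" table
            cur["methods"][method.group(1)] = method.group(2)
        elif ":" in line:  # "Key: value" field
            key, _, val = line.partition(":")
            cur[key.strip()] = val.strip()
    return sessions

def is_mab_fallback(s):
    """dot1x failed over and the identity presented is just the MAC address."""
    norm = lambda v: re.sub(r"[.:\-]", "", v.lower())
    mac = norm(s.get("MAC Address", ""))
    return bool(mac) and s["methods"].get("dot1x") == "Failed over" \
        and norm(s.get("User-Name", "")) == mac

def affected_ports(text):
    return [(s["Interface"], s["MAC Address"], s.get("Status"))
            for s in parse_sessions(text) if is_mab_fallback(s)]
```

Calling `affected_ports()` on output collected from several ports gives the list of machines to check for the supplicant hot fixes.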