Hello community,

I have a basic and initial network configuration for 802.1X based authentication where an endpoint basically needs to authenticate with the CISCO ISE via Active Directory.

The authenticator switch is a CISCO 3650 and the endpoint is a laptop with OS Windows 10.

The server chain works well, i.e. the CISCO ISE server and Active Directory server are connected and authenticated (the Test User diagnostic tool provided by the ISE GUI is executed with SUCCESS).

The switch and CISCO ISE chain works well, i.e. the switch and the CISCO ISE are connected and the authentication process for a user is correctly executed (from the switch consolle #test aaa group radius test-user ...).

The Windows 10 based endpoint is properly configured according to the CISCO ISE guide as well as the CISCO 3650 switch.

Whenever the endpoint is connected to the switch, it sends a EAPOL Start message but the switch never replies.

Curiously the test started on the switch side (from the switch consolle #dot1x test eapol-capable interface gigabitEthernet 1/0/10) works well showing the endpoint answer.

Some information:

- CISCO switch 3650:

   Cisco IOS Software [Denali], Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.3.7, RELEASE SOFTWARE (fc4)
   cisco WS-C3650-48PD (MIPS) processor (revision S0) with 865683K/6147K bytes of memory.

Attached the switch configuration (without explicit network information).

- CISCO ISE:

   ver: 2.7.0.356

   PID: ISE-VM-K9

   ADE-OS: 3.0.7.057

- Endpoint (laptop):

   OS: Windows 10

   Ethernet: Realtek PCIe GbE Family Controller (10.42.526.2020)

   802.1X Enabled.

The issue seems to be trivial but it's driving me crazy; after reading again and again the CISCO documentation (e.g. ISE Secure Wired Access Prescriptive Deployment Guide), blogs, etc. I have no clues left on how to solve it. 

Thank you in advance.

Kind regards,

Luca.