Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
537
Views
0
Helpful
5
Replies

Authentication issues in ISE 2.0 deployment

kamlenegi
Level 1
Level 1

‎07-08-2016 05:07 AM - edited ‎03-10-2019 11:55 PM

Hello All,

We have deployed ISE 2.0 for wired & wireless users. Now we are increasing users in LAN and facing more problems, can someone help us to fine tune ISE auth parameter. Issues are:

1. Sleep mode domain systems goes in mab authentication and stuck in preauth vlan which should be dot1x. After unplug & plug the lan cable then it works and dot1x success. Everyday users come in the morning and need to unplugged & plugged the lan cable which is not a solution.

2. IP address conflict message seems in may system after authentication success, can we do fine tune ISE for this.

3. Some systems wired auto config goes stop automatically and windows supplicant stop working. 

Please help us to do the best practice configuration.

Thanks

Kamlesh

Labels:
0 Helpful
5 Replies 5

nspasov
Cisco Employee
Cisco Employee

‎07-22-2016 09:26 AM

Hello Kamlesh, my comments below:

1) What type of machines and what type of Operating System are running on them

2) Who is handling the IP address assignment in your network? This sounds like a DHCP configuration issue rather than ISE. 

3) Are you turning the auto config client via GPO? If so, have you confirmed that there aren't conflicting policies that might be causing this? Event viewer should give you more info on why and who turned that service off. 

I hope this helps!

Thank you for rating helpful posts!

0 Helpful

kamlenegi
Level 1
Level 1
In response to nspasov

‎07-24-2016 09:25 AM

Hi Neno,

We are using Windows 7 & 10 machines, maximum are win7. IP address is assigning from Window DHCP server.

How I can check auto config client via GPO?

Thanks

Kamlesh

0 Helpful

jan.nielsen
Level 7
Level 7

‎07-24-2016 03:42 AM

IP address conflict is usually caused by a windows flaw, it can be solved with :

ip device tracking probe delay 10

http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/8021x/116529-problemsolution-product-00.html

0 Helpful

kamlenegi
Level 1
Level 1
In response to jan.nielsen

‎07-24-2016 09:26 AM

Thanks Jan,

Let me configure & observe.

Thanks

Kamlesh

0 Helpful

lajan jaleel
Level 1
Level 1

‎07-25-2016 04:41 AM

Dear kamlesh,

Are you using anyconnect supplicant for authentication or you are using Windows native Authentication for Dot1x.

Also Could you please post the ISE policies for reference.

Thanks & Regards,

LAJAN JALEEL

0 Helpful
Customers Also Viewed These Support Documents