Buy or Renew
Buy or Renew
NOTICE: The community will be in READ-ONLY Sept. 6 – 9 to add Umbrella release notes and announcements. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
456
Views
0
Helpful
5
Replies

Authentication session freeze 802.1x

muhammadtalha
Level 1
Level 1

‎01-28-2024 09:26 PM

Dear All, 

I am facing an issue with my 802.1x wired implementation. The authentication settings on endpoint is computers or users because ise allows domain users and domain computers network access. The issue is that when the user logs out of their pc, after a while when no user is logged in, the pc will not get network access and also in ise I can not see any live session for that pc. When I do show mac address, I can only see the mac address of the IP Phone and not the mac address of the PC, and when I do show authentication session I can see the mac address of the endpoint there but and the status is unauth. 

The switch keeps logging dot1x failed for client with mac address (endpoint mac address), which is weird because I do not see the mac address of the endpoint on the interface and also I do not see any log of the mac address in ise live logs.

To solve this issue, I have to manually clear auth session etc, but I do not understand what exactly is happening here. I read the documentation of 802.1x implementation but did not find anything related.

Labels:
0 Helpful
5 Replies 5

Arne Bier
VIP
VIP

‎01-28-2024 10:20 PM

This might be an issue with session management on the switch - if the MAC address is gone, then it could be that the switch has cleared the session because the PC has not sent an Ethernet frame within the Inactivity-Timer period. 

can you share your switch interface config:

show derived-config interface <interface>
show run | section device-tracking policy

Are you using IBNS 2.0? If so, can you share your policy map? If so, please show us these - and also your Service Template that sets the Inactivity-Timer 

show policy-map type control subscriber <name of policy map>
show run | section service-template IA-TIMER

 

 

0 Helpful

muhammadtalha
Level 1
Level 1
In response to Arne Bier

‎01-28-2024 10:23 PM

Thanks for your response, I am not using device-tracking policy and also I am using IBNS 2.0.

0 Helpful

Arne Bier
VIP
VIP

‎01-28-2024 10:32 PM

Device-Tracking is required for NAC to work as expected. It's not something you want to avoid or not configure correctly.

Have a good look at this Guide from Cisco - it's the best starting point for checking that you have all your ducks in a row.

0 Helpful

muhammadtalha
Level 1
Level 1
In response to Arne Bier

‎01-28-2024 10:43 PM

I tried configuring device tracking on 2960X 15.2(2) E3 but the switch does not support this command. However, when I do IP device tracking interface, I can see the mac address of the IP Phone and vlan of the IP Phone and nothing related to the endpoint vlan or mac address and also the show auth session still has the mac address of the endpoint and is still unauth.

Gi3/0/16 (MAC ADDRESS) N/A UNKNOWN Unauth C0A837170000037F3E7076DD

0 Helpful

Arne Bier
VIP
VIP

‎01-29-2024 01:48 PM

Check this out first.

We're not clairvoyant. Garbage in, garbage out.

0 Helpful
Customers Also Viewed These Support Documents