cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
542
Views
0
Helpful
4
Replies

Automatic client re-authentication

Josh Morris
Level 3
Level 3

Do people generally enable automatic re-authentication? I am having issues with re-authentication overnight when users are not logged in to their machines. They come in the next morning to find their machine authenticated but unauthorized. I am running in closed mode, so they don't get an IP address at that point. Thanks.

4 Replies 4

MMstre
Level 3
Level 3

I have configured re-auth, but my customers have all backed out of it because it is a nuisance... its always funny when someone invests in security and then loosens up because its a nuisance...

Anyhow, are you doing machine and user auth?  or just user?

Are you using the native supplicant or NAM?

When you say they find their machine authenticated, but not authorized, please clarify. Where are they seeing this?  In the monitor logs?  What authZ profile is being applied?

Thanks Michael. I ended up disabling the reauth earlier because the issue was just too random and I didn't have time for a deep dive. 

But I am doing just MAB currently. They were authenticated, but not authorized because the DACL wasn't getting applied because they weren't getting an IP address. Since I'm running in closed mode, they weren't getting an IP address that could be applied to the DACL, so it was a double issue. No IP, no DACL.

Do you have the pre-auth ACL on the switchport? And is it allowing DNS and DHCP? 

DHCP requests are sent prior to ISE coming into play. 

Additionally, the DACL has nothing to do with the IP address of the machine, DACL is strictly between switch and ISE.  However i do see what you're getting at with the DACL not having the IP of the machine.  

If there is no IP, i would start with checking the pre-auth ACL on the switch, and the DACL that is applied to the MAB sessions.

I am running in closed mode, so there is not a pre-auth DACL on the port. I guess I could put one that allowed DHCP, but the main reason I moved to closed mode is because I'm doing a lot of dynamic VLAN assignment, and having DHCP allowed would cause issues with clients who need to have their VLAN changed.