Automatic client re-authentication

Josh Morris
Level 3

Do people generally enable automatic re-authentication? I am having issues with re-authentication overnight when users are not logged in to their machines. They come in the next morning to find their machine authenticated but unauthorized. I am running in closed mode, so they don't get an IP address at that point. Thanks.

4 Replies

MMstre
Level 3

I have configured re-auth, but my customers have all backed out of it because it is a nuisance... it's always funny when someone invests in security and then loosens up because it's a nuisance...

Anyhow, are you doing machine and user auth, or just user?

Are you using the native supplicant or NAM?

When you say they find their machine authenticated, but not authorized, please clarify. Where are they seeing this? In the monitor logs? What authZ profile is being applied?

Thanks, Michael. I ended up disabling the reauth earlier because the issue was just too random and I didn't have time for a deep dive.

But I am doing just MAB currently. They were authenticated, but not authorized because the DACL wasn't getting applied because they weren't getting an IP address. Since I'm running in closed mode, they weren't getting an IP address that could be applied to the DACL, so it was a double issue. No IP, no DACL.

Do you have the pre-auth ACL on the switchport? And is it allowing DNS and DHCP? 

DHCP requests are sent prior to ISE coming into play. 

Additionally, the DACL has nothing to do with the IP address of the machine; the DACL is strictly between the switch and ISE. However, I do see what you're getting at with the DACL not having the IP of the machine.

If there is no IP, I would start with checking the pre-auth ACL on the switch, and the DACL that is applied to the MAB sessions.
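A low-impact mode access port of the kind this reply describes, with a pre-auth ACL that lets DHCP and DNS through before ISE authorizes the session, as an added example that is not part of the thread or of any Cisco documentation. The interface name, VLAN and ACL name are assumed, and the `authentication` command family is the classic IOS syntax (platforms using `access-session` differ).

```cisco
! Assumed example configuration; names and numbers are placeholders.
!
! Device tracking lets the switch learn the host IP so a dACL pushed by ISE
! (written with a source of "any") is rewritten per session with that IP.
ip device tracking
!
! Pre-authentication ACL: only what a host needs to get on the wire before
! ISE has authorized it. Everything else waits for the dACL.
ip access-list extended PRE-AUTH
 remark DHCP client (bootpc) to server (bootps) so the host gets an address
 permit udp any eq bootpc any eq bootps
 remark DNS
 permit udp any any eq domain
 remark everything else is blocked until the session is authorized
 deny ip any any
!
interface GigabitEthernet1/0/10
 description low-impact mode access port (assumed)
 switchport mode access
 switchport access vlan 10
 ! static ACL consulted while the session is unauthorized
 ip access-group PRE-AUTH in
 ! "authentication open" is what makes this low-impact rather than closed
 ! mode; remove it and the port passes only EAPoL until authorization,
 ! so the PRE-AUTH ACL never gets a DHCP packet to permit.
 authentication open
 authentication port-control auto
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab
 ! periodic re-auth with the timer supplied by ISE (Session-Timeout)
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

The trade-off the thread raises still applies: a host that already holds a DHCP lease in the access VLAN does not pick up a VLAN change from ISE until it renews, so dynamic VLAN assignment and open-mode DHCP are an awkward pairing.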

I am running in closed mode, so there is not a pre-auth DACL on the port. I guess I could put one that allowed DHCP, but the main reason I moved to closed mode is because I'm doing a lot of dynamic VLAN assignment, and having DHCP allowed would cause issues with clients who need to have their VLAN changed.