02-15-2018 11:39 AM
Hi,
I just wonder if there is a best practice to suppress rejected users who keep restarting the authentication process.
We haven't changed the default "quiet-period" yet; we are looking to see if there is a better way to do that.
We have seen 2 types of flooding by endpoints:
1) Some devices have 802.1x enabled but fail 802.1x authentication, then keep restarting the dot1x authentication process.
2) Some devices don't have 802.1x authentication enabled and pass MAB, but still keep restarting the authentication.
Thank you.
02-15-2018 12:00 PM
Hi Chao,
Here is the deck that discusses best practices end to end for 802.1x, including flooding, failure suppression, etc.
https://www.slideshare.net/kuches/piw-ise-best-practices-62037002
Thanks
Krishnan
02-16-2018 07:47 AM
Thank you very much.
It seems we have to change every single switch port configuration.
02-16-2018 09:20 AM
You can also review Live session BRKSEC-3699 @ On-Demand Library - Cisco Live Global Events, where I cover this topic in some depth. Be sure to access the Reference version of the presentation.
I cover the topics as to what can be done from endpoint to ISE and parts in between.
1) Some devices have 802.1x enabled but fail 802.1x authentication, then keep restarting the dot1x authentication process.
Craig: In this case, you want suppression and optionally Access-Reject to kick in, since that user will trigger excessive auth volume until they fix their 802.1X config.
2) Some devices don't have 802.1x authentication enabled and pass MAB, but still keep restarting the authentication.
Craig: Devices that do not support 802.1X should not trigger reauth after successful MAB. This sounds like another issue where the client is actually trying 802.1X at machine or user level, or the switch is set to a short session reauth timer.
/Craig
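Added example, not part of the original thread or any poster's code: a small Python triage script that separates the two flooding patterns described above (repeated failed 802.1X versus repeated successful MAB) from authentication records. The record layout, MAC addresses, the 60-second window, the threshold of 5 and the pattern labels are all assumptions for illustration, not ISE or switch output.

```python
from collections import defaultdict

# Constructed sample records (not real ISE or switch output):
# (epoch_seconds, endpoint MAC, method, result)
SAMPLE_EVENTS = [
    (t, "aa:bb:cc:00:00:01", "dot1x", "fail") for t in range(0, 60, 10)
] + [
    (t, "aa:bb:cc:00:00:02", "mab", "pass") for t in range(0, 120, 10)
] + [
    (0, "aa:bb:cc:00:00:03", "mab", "pass"),      # normal: one MAB per hour
    (3600, "aa:bb:cc:00:00:03", "mab", "pass"),
    (5, "aa:bb:cc:00:00:04", "dot1x", "fail"),    # one failure, then success
    (900, "aa:bb:cc:00:00:04", "dot1x", "pass"),
]

def max_in_window(times, window):
    """Largest number of timestamps that fall inside any sliding window."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] >= window:
            start += 1
        best = max(best, end - start + 1)
    return best

def classify_flooders(events, window=60, threshold=5):
    """Map MAC -> flooding pattern for the two cases raised in the thread."""
    by_key = defaultdict(list)
    for ts, mac, method, result in events:
        by_key[(mac, method, result)].append(ts)
    # Hypothetical labels: case 1 is failed dot1x, case 2 is passed MAB.
    patterns = {("dot1x", "fail"): "dot1x_fail_loop",
                ("mab", "pass"): "mab_pass_loop"}
    findings = {}
    for (mac, method, result), times in by_key.items():
        label = patterns.get((method, result))
        if label and max_in_window(times, window) >= threshold:
            findings[mac] = label
    return findings

if __name__ == "__main__":
    for mac, label in sorted(classify_flooders(SAMPLE_EVENTS).items()):
        print(mac, label)
```

Endpoints labelled `dot1x_fail_loop` match case 1, where suppression applies; those labelled `mab_pass_loop` match case 2, where the supplicant settings and the switch reauth timer are the things to check.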