cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8057
Views
4
Helpful
15
Replies

Cisco ISE 2.0 Native Supplicant Certificate Issue

Maxim Bezzubov
Beginner
Beginner

Hi

ISE 2.0. Corp PC joined to the AD, OS Win 8.1. I have created a GPO following this https://technet.microsoft.com/en-us/library/dd759154.aspx

So computer acc have auth, after that - users auth does. It works fine until I enable option: Validate server certificate. We have bought for the EAP a public certicate from  Thawte, Thawte root is distrubluted via GPO - users trusted it.

After Windows OS is booted I have seen this on switch:

sh authentication sessions interface gi1/0/19 details
Interface: GigabitEthernet1/0/19
MAC Address: xxxx
IPv6 Address: Unknown
IPv4 Address: 10.x.x.x
User-Name: host/notebook.domain.local
Status: Unauthorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Restart timeout: 10s (local), Remaining: 9s
Session Uptime: 170s
Common Session ID: 0A6401090000002303AF7A9D
Acct Session ID: 0x0000001F
Handle: 0x3900000F
Current Policy: POLICY_Gi1/0/19

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Method status list:
Method State

dot1x Stopped

So Machine auth is stucked. I noticed that if now I login in Windows and just logout, Machine auth is proceed correctly, so as user then.

I couldn't figured out where is bug or some miscofiguration: Windows, ISE or dot1x on switch.

Switch 2960S, IOS 15.2.2, thw newest, tried another one - no luck. Debug is showed:

%DOT1X-5-FAIL: Authentication failed for client (MAC) on Interface Gi1/0/19 AuditSessionID 0A6401090000001C03831815

%RADIUS-4-RADIUS_DEAD: RADIUS server 10.x,x,x:1812,1813 is not responding.

%RADIUS-4-RADIUS_ALIVE: RADIUS server 10.x,x,x::1812,1813 is being marked alive.

15 Replies 15

Yep. I think in the same way about issue with native suppl. Yes, I've already tried to disable GPO and manully configure test PC - no luck. It just stucking on dot1x auth so as error on switch about unreacheble switch.

Some manuals that I've found in Internnet says that it need to disable cert checks. It weird. Thats may me think that I have no problem with AnyConnect. Unfortunately in our enterprise deployment installing AnyConnect on all user PC is not a option. So I have to use Native Windows Suppl.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: