5521 Views | 5 Helpful | 22 Replies

Cisco ISE 2.4 AnyConnect: all Windows restart authentication failed dot1x

emre (Level 1)

Hello everyone,

I have a problem, guys.

I use one standalone Cisco ISE v2.4 in the building.

500 to 800 users are working.

''Right now the MAB authentication side is actively working.''

AnyConnect is installed on all computers and the config is ready,

and when I activate the ports on the switch, I see that there is authentication on them,

so the system is working.

But

there is no authentication at all when I restart computers:

the system runs before restarting the computers
and does not work after restarting them.

Authentication does not work when I restart computers,

and for non-authenticated users

the AnyConnect software asks for a username and password.

Meanwhile, I installed the patch updates

and made switch firmware updates,

and there are switches of different brands operating:

Juniper, Alcatel, Huawei.

I request your support on this matter, friends.

Thanks,

I'm sending the config information in the attachment:

'''

aaa authentication login default group XX_tacacs local
aaa authentication login console local
aaa authentication login CONSOLE none
aaa authentication dot1x default group radius
aaa authorization config-commands
aaa authorization exec default group XX_tacacs local if-authenticated
aaa authorization exec CONSOLE none
aaa authorization commands 1 default group XX_tacacs local if-authenticated
aaa authorization commands 15 default group XX_tacacs local if-authenticated
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group baro_tacacs
aaa accounting commands 1 default start-stop group XX_tacacs
aaa accounting commands 15 default start-stop group XX_tacacs

'''

port config:

'''

interface GigabitEthernet1/0/3
 switchport mode access
 switchport voice vlan 40
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 power inline port 2x-mode
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 1
 spanning-tree portfast
 spanning-tree bpduguard enable

'''

Accepted Solution

thomas (Cisco Employee)

It's time to call TAC.

In the future, please provide relevant configurations and errors in the beginning of your post to make it faster and easier for people to provide suggestions. See How to Ask The Community for Help.

22 Replies

thomas (Cisco Employee)

NEVER use Port Security with 802.1X.

You must disable Port Security if you want to use 802.1X.

'authentication host-mode multi-domain' will ensure you only have 1 endpoint each on the Voice VLAN and Data VLAN.
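Thomas's point about port-security and host-mode, turned into a quick config audit (an added example, not code from the original post or from Cisco): it parses an IOS running-config like the one posted above, finds ports under 802.1X control, and flags any port-security lines on them next to the host-mode that already bounds the MAC count. The sample config is constructed; GigabitEthernet1/0/4 is a hypothetical port with port-security already removed.

```python
# Constructed sample: the posted access port (Gi1/0/3) plus a hypothetical clean port (Gi1/0/4).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/3
 switchport mode access
 switchport voice vlan 40
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 authentication host-mode multi-domain
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/4
 authentication host-mode multi-auth
 authentication port-control auto
 dot1x pae authenticator
!
"""

# What each IOS host-mode already allows on the port (single-host is the default).
HOST_MODE_LIMITS = {
    "single-host": "one data MAC",
    "multi-domain": "one data MAC plus one voice MAC",
    "multi-auth": "one voice MAC plus several data MACs, each authenticated",
}

def parse_interfaces(config):
    """Split an IOS running-config into {interface_name: [subcommand, ...]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!" or not line:
            current = None  # '!' closes the interface block
        elif current is not None:
            interfaces[current].append(line)
    return interfaces

def audit_dot1x_ports(config):
    """Return {interface: {"host_mode": ..., "issues": [...]}} for every 802.1X-controlled port."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        if "authentication port-control auto" not in cmds:
            continue  # not under 802.1X/MAB control, nothing to check
        host_mode = next((c.split()[-1] for c in cmds
                          if c.startswith("authentication host-mode ")), "single-host")
        issues = [f"remove '{c}': port-security fights 802.1X for the port; host-mode "
                  f"{host_mode} already limits it to {HOST_MODE_LIMITS.get(host_mode, host_mode)}"
                  for c in cmds if c.startswith("switchport port-security")]
        report[name] = {"host_mode": host_mode, "issues": issues}
    return report
```

Run it over `show running-config` output to list every dot1x port that still carries port-security before touching AnyConnect.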


You have to use it for computer and IP phone connections;
my problem has nothing to do with it.
My problem is with the AnyConnect software.
Thanks :)

Cristian Matei (VIP Alumni)

Hi,

As you're running multi-domain mode, do your computers attach to the IP phones, or directly to the switch? Also, you should be removing port-security, as the moment you have authentication configured on the port, port-security is kind of built-in, and based on the host mode, one or multiple MAC addresses are allowed.

What is the OS on your computers, and do you use the native supplicant or the AnyConnect NAM module?

Regards,

Cristian Matei.

Yes, running multi-domain mode.
My phones are already working in this case (my 800 phones work this way).

Win10 and XP.
Yes, I use the AnyConnect NAM module;
AnyConnect is already running.

Friends,
my problem:
when I restart computers,
AnyConnect authentication does not happen.

Thanks :)

thomas (Cisco Employee)

Then what is your AnyConnect configuration?

@thomas wrote:

Then what is your AnyConnect configuration?

Hi Thomas,

I'm sending it in the attachment.

emre (Level 1)

Hello friends,

are there any experienced and knowledgeable friends to help me?
None of you have faced this problem?
Someone must have encountered this problem.

poongarg (Cisco Employee)

Can you check the setting below on NAM under Client Policy, whether Connection Attempt is selected as "After user login"?

Thank you for your answer, buddy.

The settings are this way.

What is it supposed to be??

Can you send me a sample that works smoothly?

Thank you.

There are so many CCIEs here and nobody knows what this problem is.

 

emre (Level 1)

Hello to everyone,
is there anyone knowledgeable to help me with this?

If possible, friends who work in complex structures and build structures!

thomas (Cisco Employee)

Did you disable Port Security on the switchports first then try AnyConnect?

802.1X and Port Security will fight for control of the port.

Hi Thomas,
what does it have to do with Port Security?
The AnyConnect agent does not look at port security.