02-19-2025 01:53 PM
Hello,
We've got our setup with Cisco ISE, some Cisco switches, and EAP-TLS as the authentication method for users & computers, and on the other hand MAB for "dumb" devices. Computers are a mix of 10 & 11. The strange behavior is that sometimes, not so often, users get disconnected from the network. When I check the logs on ISE, I can see they got rejected because they end up matching the MAB policy, with the final result being rejected. At first, users got disconnected from the network more often; we noticed that the timeout action on the switch ports was equal to terminate. We changed this to reauthenticate every 12 hours on the authorization profiles in ISE, and now we've noticed disconnections every three or more days, but again from different users. Does anyone have any idea?
Thanks
02-19-2025 02:29 PM
Do you have user certificates pushed to all machines? Are the devices going into sleep mode where the supplicant is not running? Why not use TEAP? What is the NAD?
https://community.cisco.com/t5/security-documents/how-to-ask-the-community-for-help/ta-p/3704356
02-19-2025 02:38 PM
Hi,
User and machine certificates are correctly deployed, users are working on the computer when this happens, NAD devices are Cisco switch 2960, Cisco 1000.
Thanks
02-19-2025 02:47 PM
Drivers up to date?
02-19-2025 02:53 PM
Yes, drivers are updated, tx-period is on default, and users connect via a Cisco iphone (I've seen the same behaviour with users who connect directly) without any docking stations in between. It's really confusing to me.
Thanks
02-19-2025 03:26 PM
Let me know if you need additional info.
02-21-2025 12:11 AM