Cisco ISE guest portal timeout fine tuning

Hi,

I set up a web auth guest portal that works in MAB, after dot1x auth, in case the attached PC is not in our network.

The problem is that if there are PCs that have 802.1X set in Windows with smart card or other, the portal appears after 5 minutes or, in many cases, it doesn't appear. If 802.1X is not set on the PC, the portal is quick.

What are the best settings to speed up the portal for those PCs?

Thanks for the support

 

2 Replies

Arne Bier
VIP

That depends on how your switch is configured to process DOT1X and MAB. The standard and usual case is to process DOT1X first, and then timeout (if no supplicant response is received) to MAB. With IBNS 2.0 you can even do DOT1X and MAB concurrently - although that has its pros and cons. There is nothing wrong with switching the order around (MAB first, then DOT1X) but that could have issues of its own - usually one or more device types that give you the most grief.

Have a look at your switch config and see what your DOT1X timer values are like - 5 minutes does sound a bit long.

If you have foreign endpoints connected to your network (e.g. from other organizations) then the supplicant should reply, and then ISE should reject them (since these are foreign endpoints). If you fail DOT1X then the PC should revert to sending non-DOT1X packets, and your switch should process that as unknown MAB endpoints, which I guess lands them in the guest portal redirection Authorization Result.

Windows has its own timers that will restart a failed DOT1X process - can't remember - I think it's 10 minutes or 20 minutes - the Wired Auto Service will keep trying to see if it can connect via 802.1X.
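
The switch-side settings the reply above refers to, sketched as an added example that is not part of either poster's configuration: legacy (pre-IBNS 2.0) IOS interface commands, with a constructed interface name and illustrative timer values.

```cisco
! Added example; interface name and timer values are assumptions.
interface GigabitEthernet1/0/10
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 mab
 ! Standard order described in the reply: try DOT1X, then time out to MAB.
 authentication order dot1x mab
 authentication priority dot1x mab
 !
 ! With no supplicant response, the switch waits
 !   tx-period x (max-reauth-req + 1)
 ! before falling through to MAB.
 ! IOS defaults: tx-period 30, max-reauth-req 2  ->  30 x 3 = 90 s
 ! Values below: tx-period 10, max-reauth-req 2  ->  10 x 3 = 30 s
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 !
 ! When a supplicant does answer and ISE rejects it, move to the
 ! next method (MAB) rather than holding and retrying DOT1X.
 authentication event fail action next-method
```

Setting tx-period too low can push slow-starting supplicants into MAB before they have answered, so shorten it in steps and check which method each session ends on.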

Sorry, I cannot get what you are trying to do.

You want both 802.1X and web auth?

MHM