Cisco Community
English
Register
Great changes are coming to Cisco Community in July. LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

882
Views
0
Helpful
5
Replies
Wissam Bteich
Beginner
Beginner
‎11-09-2012 07:15 AM
‎11-09-2012 07:15 AM

Cisco ISE - Reauthentication of client if server becomes alive again

Dears,

I have this case where Cisco ISE server is used to authenticate & authorize clients on the network.

I configured the switch port to authorize the client in case the ISE server is dead (or not reachable).

The thing is that I want to reauthenticate the client once the ISE server becomes alive again but I am not able to.. ("Additional Information is needed to connect to this network" bullet is not appearing and the client PC remains authenticated and assigned to the VLAN.

Below is the switch port configuration:

interface FastEthernet0/5

switchport access vlan 240

switchport mode access

switchport voice vlan 156

authentication event server dead action authorize vlan 240

authentication event server alive action reinitialize

authentication host-mode multi-domain

authentication order dot1x mab

authentication priority mab

authentication port-control auto

mab

dot1x pae authenticator

spanning-tree portfast

Anyone can help?

Regards,

Labels:
2 people had this problem
0 Helpful
5 REPLIES 5
mlovellette
Enthusiast
Enthusiast
‎05-27-2014 10:00 PM
‎05-27-2014 10:00 PM

Did you get a fix for this?  I am running into the same issue running 12.2(55)SE9.

0 Helpful
Saurav Lodh
Rising star
Rising star
‎05-28-2014 02:50 AM
‎05-28-2014 02:50 AM

Refer. the Auth fail config. ,, while Radius is down ,

https://supportforums.cisco.com/discussion/9994111/8021x-critical-authentication-feature-12225see

0 Helpful
mohanak
Cisco Employee
Cisco Employee
‎06-02-2014 04:01 AM
‎06-02-2014 04:01 AM

Please check whether the switch is dropping the connection or the server.

 

Symptoms or Issue

 

802.1X and MAB authentication and authorization are successful, but the switch is dropping active sessions and the epm session summary command does not display any active sessions.

Conditions

 

This applies to user sessions that have logged in successfully and are then being terminated by the switch.

Possible Causes

 

The preauthentication ACL (and the subsequent DACL enforcement from Cisco ISE) on the NAD may not be configured correctly for that session.

 

The preauthentication ACL is configured and the DACL is downloaded from Cisco ISE, but the switch brings the session down.

 

Cisco ISE may be enforcing a preposture VLAN assignment rather than the (correct) postposture VLAN, which can also bring down the session.

Resolution

 

Ensure the Cisco IOS release on the switch is equal to or more recent than Cisco IOS Release 12.2.(53)SE.

 

Check to see whether or not the DACL name in Cisco ISE contains a blank space (possibly around or near a hyphen "-"). There should be no space in the DACL name. Then ensure that the DACL syntax is correct and that it contains no extra spaces.

 

Ensure that the following configuration exists on the switch to interpret the DACL properly (if not enabled, the switch may terminate the session):

  
radius-server attribute 6 on-for-login-auth
  
radius-server attribute 8 include-in-access-req
  
radius-server attribute 25 access-request include
  
radius-server vsa send accounting
  
radius-server vsa send authentication

 

0 Helpful
Stephen McBride
Beginner
Beginner
‎06-02-2014 03:15 PM
‎06-02-2014 03:15 PM

Just noticed your config has "authentication priority mab"

Try "authentication priority dot1x mab"

 

Not 100% but I would suggest this could be your problem

0 Helpful
Venkatesh Attuluri
Cisco Employee
Cisco Employee
‎06-04-2014 10:17 AM
‎06-04-2014 10:17 AM

what is switch model and software version

0 Helpful
Latest Contents
Earn $100! Interview with Cisco on Network Risk, Compliance ...
Created by S Nath on 06-27-2022 01:56 PM
0
0
0
0
Are you responsible for risk management, compliance management and auditing of a network?    If so, we’d like to speak with you to learn your current processes of enforcing compliance and managing risk to help us develop services that will ... view more
Converting Cisco Secure Endpoint Connectors from Audit to Pr...
Created by Sohaib Ahmed on 06-23-2022 05:19 PM
0
0
0
0
Once you've expanded Cisco Secure Endpoint connector deployment to about 50% of your licensed count (check out this article that shows you how to do that), it's time to put those connectors to action i.e. convert them to Protect from Audit mode for vari... view more
🧦💚 Tell us about your ZTNA journey in exchange for a pair ...
Created by betswang on 06-23-2022 03:05 PM
0
15
0
15
  Hello! I’m Betsy, UX Researcher, on the Cisco+ Secure Connect Now team. Nice to meet you all .We have a short survey to learn about your Zero Trust Network Access (ZTNA) journey. Whether you have, plan to, or have not implemented a ... view more
Cisco ASA Access-list ACL using network object
Created by Meddane on 06-23-2022 06:59 AM
0
0
0
0
  A set of interface access rules can cause the Cisco Adaptive Security Appliance to permit or deny a designated host to access another particular host with a specific network application (service). When there is only one client, one host and one se... view more
How To: Cisco ISE Captive Portals with Aruba Wireless
Created by ahollifield on 06-22-2022 06:23 PM
4
10
4
10
How To: Cisco ISE Captive Portals with Aruba Wireless Authors: Adam Hollifield, Brad Johnson IntroductionPrerequisitesMinimum RequirementsComponents UsedConfigurationAruba Wireless ControllerWLAN CreationAuthentication ConfigurationRole & Policy Confi... view more
Ask a Question
Create
+ Discussion
+ Blog
+ Document
+ Video
+ Project Story
Find more resources
Discussions
Blogs
Documents
Events
Videos
Project Gallery
New Community Member Guide
Related support document topics
Recognize Your Peers
Spotlight Award Nomination
Content for Community-Ad

ISE Webinars

Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube