Cisco ISE, terminating failed MAB authentications...

Nuno Moreira
Level 1

ISE release 1.1.0.665…

sample port configuration:

SWLX0203#show running-config interface fastEthernet 0/14
Building configuration...

Current configuration : 628 bytes
!
interface FastEthernet0/14
switchport access vlan 6
switchport mode access
switchport voice vlan 20
authentication event fail action next-method
authentication event server dead action authorize
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
end

So, the thing is:

Without a failed VLAN configured or a failed authorization profile, the MAB authentication tries indefinitely to authenticate a non-authorized client behind a hub or unmanaged switch...

Any ideas?

Steps...

11001  Received RADIUS Access-Request
11017  RADIUS created a new session
11027  Detected Host Lookup Use Case (Service-Type = Call Check (10))
       Evaluating Service Selection Policy
15048  Queried PIP
15048  Queried PIP
15004  Matched rule
       Evaluating Identity Policy
15006  Matched Default Rule
15013  Selected Identity Store - Internal Endpoints
24209  Looking up Host in Internal Hosts IDStore - 00:22:3F:B0:25:E4
24217  The host is not found in the internal endpoints identity store
22056  Subject not found in the applicable identity store(s)
22058  The advanced option that is configured for an unknown user is used
22061  The 'Reject' advanced option is configured in case of a failed authentication request
11003  Returned RADIUS Access-Reject

Everything seems to be working OK, except it should have a max number of authentication tries...

regards

Nuno

Accepted Solution

Bastien Migette
Cisco Employee

Hello Nuno,

You can use "authentication timer restart 0" so if mab fails, the switch will stop trying again.

HTH,

Bastien

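An added audit check, not part of the thread, that reads a saved "show running-config" and lists MAB ports still lacking the "authentication timer restart 0" line from the accepted answer. The two interface stanzas are constructed for the example: Fa0/14 mirrors the port in the question, Fa0/15 is the same port with the fix applied.

```python
# Constructed sample in the shape of the questioner's interface config.
# Fa0/14: no restart timer, so a rejected MAB client is retried indefinitely.
# Fa0/15: the accepted fix, "authentication timer restart 0", is present.
SAMPLE_CONFIG = """\
interface FastEthernet0/14
 switchport access vlan 6
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface FastEthernet0/15
 switchport access vlan 6
 authentication event fail action next-method
 authentication order dot1x mab
 authentication port-control auto
 authentication timer restart 0
 mab
 dot1x pae authenticator
!
"""


def parse_interfaces(config):
    """Return {interface_name: [stripped config lines]} per 'interface' stanza."""
    stanzas = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line in ("!", "end"):
            current = None          # stanza terminator in IOS running-config
        elif current is not None and line:
            stanzas[current].append(line)
    return stanzas


def unbounded_mab_ports(config):
    """Ports running MAB under 'port-control auto' whose restart timer is not 0,
    i.e. ports where a rejected endpoint keeps being re-authenticated."""
    flagged = []
    for name, lines in parse_interfaces(config).items():
        if "mab" not in lines or "authentication port-control auto" not in lines:
            continue
        restart = [l for l in lines if l.startswith("authentication timer restart ")]
        if not restart or restart[0].split()[-1] != "0":
            flagged.append(name)
    return flagged
```

Feed it the output of "show running-config" (e.g. read from a file) to get the list of ports still retrying failed MAB authentications.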

2 Replies


Bastien, many thanks, it's done...

Nevertheless, it would be interesting to have a max number of retries...

Regards

Nuno