
Cisco ISE Works... and sometimes doesn't

TitanAE
Level 1

I'm not sure how to describe this issue.  Or what to even look for to resolve it.  But here goes nothing:

My company has recently deployed ISE to a facility for Identity management.  After several months we ran into a host and myriad of problems which, thankfully, were resolved in one form or another.  Recently we've had users report network-related issues as ISE issues.  9 times out of 10, they're false alarms or red herrings.  A user mistyped their password, or an update was rolled out that knocked them offline, stuff like this.

 

However for the 1 out of 10... I can't explain.

 

A bit of background - We deployed ISE in an Apple-majority environment, with only a handful of users on Windows.  So features like EAP-Chaining are a no-go (Apple doesn't natively support it, and we haven't tested a 'supposedly' updated Cisco AnyConnect version that fixes this).  Again this is all fine, we've been working around certain limitations.

 

From the user's perspective, they've logged into their machine without issues.  But now the internet isn't working, and they have a Guest portal asking them to register with the network.  And ISE is none the wiser that they're a corporate user.  A simple reboot corrects the problem.  But it's still an issue I'm trying to solve and prevent.

 

Any help is appreciated.

1 Accepted Solution


ldanny
Cisco Employee

I recommend you work in Limited Access Mode (authentication open) on your switch ports, with a pre-defined ACL so that you don't impact your users.

You can then start looking at your logs and get a better understanding of why dot1x is failing without impacting anyone, as well as understand your policy structure.
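
The port setup described in the answer above, sketched as an added example that is not part of the original post or taken from Cisco's documentation. Classic IOS switch syntax is assumed, and the interface, ACL name and ACL entries are placeholders.

```cisco
! Constructed example: interface, ACL name and ACL entries are placeholders.
! Pre-defined ACL applied to the port before any session is authorized.
! What it permits is a site decision; DHCP, DNS and ICMP are an assumption here.
! How permissive this list is decides how much users notice while you investigate.
ip access-list extended PRE-AUTH-ACL
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit icmp any any
!
interface GigabitEthernet1/0/10
 switchport mode access
 ip access-group PRE-AUTH-ACL in
 ! "authentication open": traffic allowed by the port ACL passes even when
 ! 802.1X or MAB has not succeeded, so a failed dot1x attempt is logged
 ! instead of cutting the endpoint off.
 authentication open
 authentication host-mode multi-auth
 ! Try 802.1X first, then fall back to MAB (the fallback suspected in this thread).
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
! To see which method ran on a port and whether it succeeded or failed:
!   show authentication sessions interface GigabitEthernet1/0/10 details
```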

 


2 Replies

Jason Kunst
Cisco Employee
Sounds like dot1x is failing on the laptops and it's falling back to MAB and redirecting to the guest portal.

Please open a TAC case to look at the switch, ISE and even desktop logs.
