07-03-2018 11:52 PM
Hi Experts.
There is this small set of users that we are moving to closed mode, but keeping the posture checks in audit mode.
The setup we are using is as follows:
ISE:
Version: 2.3.0.298
Patch: 2,3
AnyConnect with NAM: 4.5.04029
Now what is happening is that, when I connect just the computer to the port, everything works fine as it should.
Authentication happens and posture runs no issues.
Now, I bring in the IP phone and connect the computer behind the IP phone:
The phone registers, but the computer stays in limited connectivity.
Now here I have to manually select the Wired profile from the drop down.
After that only, it authenticates and runs the posture check.
I have tested this multiple times, but the issue stays as it is.
This is the switch configuration:
interface GigabitEthernet2/0/8
description ** DSI| Prise C0-099 | Salle 0.134 **
switchport access vlan 242
switchport mode access
switchport voice vlan 260
authentication event server dead action authorize vlan 230
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
Has anyone observed this behavior before?
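A quick way to check that a closed-mode data+voice port carries the settings shown in the configuration above is to lint the interface stanzas. The script below is an added example, not code from the original post; it parses IOS-style `interface` blocks (indented or, as on this page, flattened), and reports which of the 802.1X/MAB lines a phone-plus-PC port needs are missing. The sample config embeds the interface from the post and a second, constructed interface (`GigabitEthernet2/0/9`) that is deliberately incomplete so the audit has something to flag. Accepting `multi-domain` as well as `multi-auth` host mode is my assumption, not something the post states.

```python
"""Audit IOS interface stanzas for the 802.1X/MAB settings a closed-mode
port with an IP phone and a PC behind it needs.

Added example, not from the original post. The required lines mirror the
interface configuration shown in the thread; the second interface in the
sample config is constructed to show a failing audit.
"""
import re

# Required per-interface lines for a closed-mode data+voice port.
# Assumption: multi-auth and multi-domain host modes are both acceptable.
REQUIRED = [
    ("host-mode multi-auth/multi-domain",
     re.compile(r"^authentication host-mode (multi-auth|multi-domain)$")),
    ("port-control auto", re.compile(r"^authentication port-control auto$")),
    ("mab", re.compile(r"^mab$")),
    ("dot1x pae authenticator", re.compile(r"^dot1x pae authenticator$")),
    ("voice vlan", re.compile(r"^switchport voice vlan \d+$")),
    ("order dot1x mab", re.compile(r"^authentication order dot1x mab$")),
    ("critical-auth data vlan",
     re.compile(r"^authentication event server dead action authorize vlan \d+$")),
    ("critical-auth voice",
     re.compile(r"^authentication event server dead action authorize voice$")),
]

# Sample config: the interface from the post plus a constructed incomplete one.
SAMPLE_CONFIG = """
interface GigabitEthernet2/0/8
 description ** DSI| Prise C0-099 | Salle 0.134 **
 switchport access vlan 242
 switchport mode access
 switchport voice vlan 260
 authentication event server dead action authorize vlan 230
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
interface GigabitEthernet2/0/9
 switchport access vlan 242
 switchport mode access
 authentication host-mode single-host
 authentication order dot1x
 authentication port-control auto
 dot1x pae authenticator
!
"""


def parse_interfaces(config):
    """Return {interface name: [stanza lines]}.

    A stanza runs from an 'interface X' line to the next '!' or the next
    'interface' line, so it works whether or not indentation survived.
    """
    stanzas = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith("!"):
            current = None
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def audit_interface(lines):
    """Return the labels of required settings missing from one stanza."""
    return [label for label, pat in REQUIRED
            if not any(pat.match(l) for l in lines)]


def audit_config(config):
    """Audit every interface; an empty list means the port passes."""
    return {name: audit_interface(lines)
            for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, missing in audit_config(SAMPLE_CONFIG).items():
        status = "OK" if not missing else "MISSING: " + ", ".join(missing)
        print(f"{name}: {status}")
```

Run it against a `show running-config` dump to spot ports that were left in single-host mode or without `mab` before a site is flipped to closed mode; those are the ports where a phone-plus-PC setup will fail even when the supplicant is behaving.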
07-04-2018 03:05 AM
Here is another update to this issue:
This was a laptop that we were testing with. So it has two profiles on NAM, one for Wired and another for Wifi access.
Now, when we disabled the Wifi, and then connected to the port behind the IP phone, it just worked without any issues.
We verified this multiple times and it worked right.
So the question here is: is NAM unable to select the profile when the user is already connected to Wifi?
07-04-2018 04:25 AM
You have to configure NAM properly and it will work. And why do you need NAM? In my deployment, all profiles for PCs and notebooks come from Active Directory: wired PCs take the GPO for wired and wireless take the GPO for wireless.
One more thing: does LAN/WAN switching work correctly on this PC? If yes, I think NAM will auto-switch profiles.
07-04-2018 05:19 AM
We are using NAM to allow for EAP Chaining; we have a requirement for user and computer authentication, thus NAM was the only option to go with.
Prior to deploying ISE and NAM, it was working fine.
Then when we were running WiFi and Wired connections in open mode, there were no issues reported.
And when we now moved to closed mode, we have started to see these issues when a wifi user connects to the wired port.
07-04-2018 10:35 AM
You can use computer and user authentication without NAM, and I am sure of that. My deployment is without NAM, and machine and user authentication via EAP-Chaining is working.
07-04-2018 10:44 AM
This is new to me; I wasn't aware that there were native supplicants capable of EAP chaining. Do you have a reference link for this functionality? I know Windows gave the option for computer and user auth, but that only ever chose one or the other, not both at once.
07-04-2018 07:32 PM
I think there is a mix-up.
You are correct that only AnyConnect NAM can perform EAP Chaining but not Windows native 802.1X supplicants. Windows native supplicants can have computer or user authentication one or the other and ISE admin may choose to use Machine Access Restriction (MAR) in AD and condition on WasMachineAuthenticated to enforce the user auth with a valid prior computer auth.
07-04-2018 07:59 PM
Yes, hslai is right, but in authorization rules you can make one rule for machine authorization and a second rule for user auth.
Machine will always match first, but the trick here is the user: his rule must always be above the machine one and include
WasMachineAuthenticated = true
And as you said it will always match one, but it will match machine first at boot and second when the user logs in.
07-05-2018 01:22 AM
It turned out that the switch in question was running an unsupported version of IOS, 15.0(2)EX4.
So, I think it might be hitting the bug here, https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuo92394/?rfs=iqvred, although this version of IOS is not mentioned in the bug...
Nevertheless, I have requested to upgrade the version of IOS to a supported version, IOS 15.2(2)E6.
Post that, we would run the tests again and capture the results.
Thank you,
07-05-2018 08:52 AM
Thanks a lot for the update.
I am guessing the NAD is a 2960X, and CCO shows 15.0.2-EX4(ED) as a deferred release.
Yes, it's good to use one of the validated OS versions in Table 2 of ISE 2.4 Supported Cisco Access Switches.
If you encounter further issues, best to consult with the particular switch platform team.