Computer hitting MAB instead of Dot1x.

ironman28
Level 1

We have three or four computers out of 500 PCs every day that are hitting the MAB authentication with the Internet Only policy, which has no internal resource access. After the computer is rebooted, it is able to hit the dot1x authentication and everything is fine. We are running ISE 2.3 patch 6 and AnyConnect 4.5. Anyone see this before?

3 Replies

Damien Miller
VIP Alumni
There are a lot of components at play here, but it's often not an ISE problem if it works following a reboot. In no particular order, some things to check.

I would compare the four machines' NIC driver versions to some known working machines, and update as required. Confirm if the machines have power saving features enabled on the NIC, while others may not.

See if these machines have a failed dot1x attempt, or if the switch EAPOL starts are going unanswered.

Understand the workflow of the user/machine leading up to this issue. Are they suspending the machine, hibernating, locking then returning and unlocking, etc.? That helps narrow down the components.


Have a look at this if you are using AC NAM; there are some notes about using NAM with system standby. If you're not using the most recent 4.5 NAM client, they list some resolved caveats that could create your symptoms.
https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect45/release/notes/b_Release_Notes_AnyConnect_4_5.html

Lastly, if you are using AC NAM, then TAC can help you debug this on the client side and analyze the dart file.
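An added example, not part of the thread: one way to separate a failed dot1x attempt from an unanswered one before the MAB fallback, by reading the switch's authentication-manager syslog. The log lines are constructed and the message format (modelled on IOS `AUTHMGR` output) is an assumption, as are the function name and verdict labels.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on IOS AUTHMGR syslog messages. Assumption:
# your switch platform may use a different facility name or wording.
SAMPLE_LOG = """\
%AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0011.2233.4401) on Interface Gi1/0/1
%AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0011.2233.4401) on Interface Gi1/0/1
%AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0011.2233.4401) on Interface Gi1/0/1
%DOT1X-5-FAIL: Authentication failed for client (0011.2233.4402) on Interface Gi1/0/2
%AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0011.2233.4402) on Interface Gi1/0/2
%AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0011.2233.4402) on Interface Gi1/0/2
%AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0011.2233.4403) on Interface Gi1/0/3
"""

RESULT_RE = re.compile(
    r"Authentication result '(?P<result>[\w-]+)' from '(?P<method>\w+)' "
    r"for client \((?P<mac>[0-9a-fA-F.]+)\)"
)

def classify_clients(log_text):
    """Map each client MAC to how its most recent successful session was reached."""
    events = defaultdict(list)  # mac -> [(method, result), ...] in log order
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if m:
            events[m["mac"]].append((m["method"], m["result"]))

    verdicts = {}
    for mac, seq in events.items():
        # Index of the last successful authentication, if any.
        ok = [i for i, (_, result) in enumerate(seq) if result == "success"]
        if not ok:
            verdicts[mac] = "no-success"
            continue
        method = seq[ok[-1]][0]
        if method == "dot1x":
            verdicts[mac] = "dot1x-ok"
            continue
        # Landed on MAB: what did dot1x report before the fallback?
        prior = [r for meth, r in seq[:ok[-1]] if meth == "dot1x"]
        if not prior:
            verdicts[mac] = "mab-only"
        elif prior[-1] == "no-response":
            verdicts[mac] = "mab-after-no-response"  # supplicant never answered
        else:
            verdicts[mac] = "mab-after-dot1x-" + prior[-1]  # e.g. fail: check ISE
    return verdicts
```

A `mab-after-no-response` verdict points at the client side (NIC, power state, supplicant), while `mab-after-dot1x-fail` points at the failure reason recorded for that attempt in ISE.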

Agree with @Damien Miller. Adding additional thoughts:

- If you are using NAM, how exactly are you using it? If you are using it for eap-chaining for comp+user auth, then dot1x may be getting terminated and failing over to MAB, since you may be missing user auth in off hours.

- I would recommend upgrading the AC client + modules being used to something along the lines of 4.8.x. Below is one Cisco Security Advisory relating to AC that I am aware of:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-win-path-traverse-qO4HWBsj

HTH!

Thank you. I will try to update the AC to see what happens.