06-13-2016 06:23 AM - edited 03-10-2019 11:51 PM
Dears,
Attached is the error for dot1x.
I have configured dot1x and it is working fine with a Dell laptop, as I tried with 2 or 3 users, but it doesn't work with an HP PC, as it gives me the attached error.
When I left the office I googled and found the link https://supportforums.cisco.com/discussion/12451301/cisco-ise-changing-domain-user-doesnt-trigger-automatic-reauthentication ; now I want to know: is the Suppress Anomalous Clients option enabled by default? By unchecking that, will dot1x work?
thanks
06-13-2016 06:51 AM
Hi Jack,
Please let me know which version of ISE you are using, and did you create the ISE authz policies based on the device profile or only on 802.1x attributes?
1. Looking at the screenshot, I can see the device is getting profiled as a Cisco device?
2. You need to compare the policy for the working device and the non-working HP PC; the screenshot shows the device sending the authentication with the MAB (MAC Address Bypass) method.
3. Yes, by default the RADIUS suppress setting is enabled in ISE. You can verify this in Settings -> Protocol -> RADIUS protocol settings. It only applies to devices if Reject Requests After Detection is enabled, and the policy will be in effect until the request rejection interval time specified.
Share the details and I will suggest the fix.
Cheers,
Pradeep
*** Rate if it helps
06-13-2016 07:11 AM
Dear Pradeepa,
I have configured MAB for HP printers, which are detected by ISE as HP-Device, so I gave them full permit. Now when I started to move the users' HP PCs, they are also seen as HP-Device and they are also falling into MAB. To avoid such a situation I disabled the printer MAB policy for the time being and tried to restart the HP PC; then, as per the screenshot, nothing was seen in the authorization logs, as per the attachment. This is because they have already been suppressed. Please correct me.
How can I avoid the HP PCs falling under HP-Device, given that they are capable of dot1x?
thanks
06-13-2016 07:51 AM
Hi jack,
To get profiling accuracy, we should enable the (DNS, DHCP, SNMP, SNMP TRAP, RADIUS) profiler probes in the profiler configuration.
There are 4 options to achieve this.
1. Check the logs and see on which parameter the device is getting profiled as an HP device (like RADIUS, DNS or DHCP).
2. You have to tweak the profiling policy for HP-Device and the other workstation devices; please refer to the Cisco profiling design guide: http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-30-ISE_Profiling_Design_Guide.pdf
3. If profiling accuracy still fails, create a customised profiling policy for HP workstations.
or
4. Create an authz policy based on 802.1x attributes and the domain group (users' AD group) without any device profile, to overcome the profiling issue.
Cheers,
Pradeep
*** Rate if it helps
06-13-2016 09:32 AM
Dear Pradeepa,
I have done the below and it still falls as an HP device. In the authorization rule I have a condition of domain computer and domain user, but still:
4. Create an authz policy based on 802.1x attributes and the domain group (users' AD group) without any device profile, to overcome the profiling issue.
thanks
06-13-2016 09:50 AM
Hi Jack,
I meant to say that if none of the 3 options work, only then should we go with an authz policy without any profiling attribute in it; it means the policy should not depend on any profiling parameter.
06-17-2016 01:10 AM
Dears,
You can verify this in Settings -> Protocol -> RADIUS protocol settings. It only applies to devices if Reject Requests After Detection is enabled, and the policy will be in effect until the request rejection interval time specified.
I have disabled the above policy; still some of the PCs are failing with the error
5434 | Endpoint conducted several failed authentications of the same scenario |
I can see the MAC address of the machine in the RADIUS live logs as the identity instead of its hostname (for example host/HR-PC1), and it gives me the below error.
5434 endpoint conducted several failed authentications of the same scenario.
15039 rejected per authorization profile
Some of the PCs were working fine with dot1x but suddenly they started having this issue.
thanks
06-17-2016 02:20 AM
Hi Jack,
The system is hitting the deny policy as there is no 802.1x request from the PC and there is MAB authz allowed for those devices; that is the reason you are getting that error.
Have you configured a MAB (MAC Address Bypass) authz policy for the Windows devices? If yes, please verify the policy.
The problem looks like it is with the PC. Just verify that the Wired AutoConfig service is running on the PC, and that there are no certificate-related errors.
As you said some of the PCs are working, it clearly indicates a problem with the system, not ISE.
Ref Link:
https://supportforums.cisco.com/blog/12256681/getting-past-intermittentunexplained-8021x-problems-windows-7
Microsoft
https://support.microsoft.com/en-us/kb/2736878
Cheers,
Pradeep
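The two symptoms discussed in this thread (identity shown as a MAC address instead of host/..., and failure reasons 5434 / 15039) can be picked out of exported live-log rows mechanically. The script below is an added example and not part of the thread or of ISE itself; the row layout (timestamp, identity, endpoint MAC, authentication method, failure reason) and the sample rows are constructed for illustration, not real ISE export format. It classifies the identity, groups failures per endpoint, and notes whether the endpoint fell back to MAB (no 802.1X from the supplicant) or failed an 802.1X attempt against the authorization policy.

```python
import re
from collections import defaultdict

# Matches a colon- or dash-separated MAC address used as a RADIUS identity (MAB).
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")

# Constructed sample rows (hypothetical layout, not an ISE export format):
# timestamp, identity, endpoint MAC, authentication method, failure reason ("" = passed).
SAMPLE_LOGS = [
    "2016-06-17 01:05:12,host/HR-PC1,00:11:22:33:44:01,dot1x,",
    "2016-06-17 01:05:40,00:11:22:33:44:02,00:11:22:33:44:02,mab,"
    "5434 Endpoint conducted several failed authentications of the same scenario",
    "2016-06-17 01:06:01,00:11:22:33:44:02,00:11:22:33:44:02,mab,"
    "15039 Rejected per authorization profile",
    "2016-06-17 01:07:30,00:11:22:33:44:03,00:11:22:33:44:03,mab,",  # printer on MAB, permitted
    "2016-06-17 01:08:15,host/HR-PC2,00:11:22:33:44:04,dot1x,"
    "15039 Rejected per authorization profile",
]


def classify_identity(identity):
    """Return 'mac' (MAB fallback), 'machine' (host/ account) or 'user' for a RADIUS identity."""
    if MAC_RE.match(identity):
        return "mac"
    if identity.lower().startswith("host/"):
        return "machine"
    return "user"


def parse_record(line):
    """Split one constructed row and pull the numeric failure code, if any, off the reason text."""
    ts, identity, mac, method, reason = line.split(",", 4)
    reason = reason.strip()
    m = re.match(r"(\d{4,5})\b", reason)
    return {
        "ts": ts,
        "identity": identity,
        "mac": mac.lower(),
        "method": method,
        "code": int(m.group(1)) if m else None,
        "reason": reason,
    }


def triage(lines):
    """Group failed authentications by endpoint MAC with a defender-side note for each."""
    findings = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec["code"] is None:
            continue  # passed authentication, nothing to triage
        kind = classify_identity(rec["identity"])
        if rec["method"] == "mab" and kind == "mac":
            note = ("fell back to MAB and was rejected: switch saw no EAPOL from the endpoint; "
                    "check the supplicant (Wired AutoConfig) and the MAB/dot1x rule order")
        elif rec["method"] == "dot1x":
            note = "802.1X attempt rejected: check which authorization rule matched and the credentials"
        else:
            note = "unexpected method/identity combination, inspect manually"
        if rec["code"] == 5434:
            note += ("; 5434 is the anomalous-client suppression reason, so further attempts "
                     "may be absent from the log until the rejection interval expires")
        findings[rec["mac"]].append((rec["code"], note))
    return dict(findings)


if __name__ == "__main__":
    for mac, items in triage(SAMPLE_LOGS).items():
        for code, note in items:
            print(f"{mac}  {code}  {note}")
```

Running it on the constructed rows flags only the two endpoints with failure codes; the printer permitted via MAB and the PC that authenticated with host/HR-PC1 are skipped, which mirrors the manual check described above of comparing a working device against a failing one.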
06-17-2016 03:29 AM
Dear,
Thanks for the reply, I appreciate it.
Have you configured a MAB (MAC Address Bypass) authz policy for the Windows devices? If yes, please verify the policy.
Yes, I have configured MAB for HP printers and not for HP PCs, because they are dot1x capable. My MAB policy was on top and dot1x was below it, so all HP PCs were hitting MAB; then I moved the MAB policy below dot1x and all PCs started hitting the dot1x policy. When I started to move the PC switch port configuration to dot1x they were successfully authenticating. For PC A I configured the switch port in dot1x and it authenticated successfully; the next day when I came in, the same PC gave me an error:
5434 endpoint conducted several failed authentications of the same scenario.
15039 rejected per authorization profile
Why is that happening? Before migrating the switch configuration I want to confirm whether the error is related to the PC or to a misconfiguration on ISE.
The problem looks like it is with the PC. Just verify that the Wired AutoConfig service is running on the PC, and that there are no certificate-related errors.
Yes, it is running, and the PC NIC configuration is as in the below link. Please confirm that I am on the correct path.
https://supportforums.cisco.com/discussion/12451301/cisco-ise-changing-domain-user-doesnt-trigger-automatic-reauthentication
thanks
06-17-2016 03:37 AM
Hi Jack,
Yes, it is running, and the PC NIC configuration is as in the below link. Please confirm that I am on the correct path.
Yes, you are on the right path.
Cheers,
Pradeep
06-17-2016 03:57 AM
Dear Pradeepa,
To get profiling accuracy, we should enable the (DNS, DHCP, SNMP, SNMP TRAP, RADIUS) profiler probes in the profiler configuration.
I have enabled all the probes, but enabling probes alone will not make things work for me; there must be some extra configuration that has to be done. Could you brief me on how I can segregate HP printers and HP PCs that are profiled as HP-Device?
There are 4 options to achieve this.
1. Check the logs and see on which parameter the device is getting profiled as an HP device (like RADIUS, DNS or DHCP).
I have to see this in the endpoint?
2. You have to tweak the profiling policy for HP-Device and the other workstation devices; please refer to the Cisco profiling design guide: http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-30-ISE_Profiling_Design_Guide.pdf
Can you brief me on my issue? I will read it, but for the time being what can be done?
3. If profiling accuracy still fails, create a customised profiling policy for HP workstations.
How? I am following the below link, in which a device that is not profiled can be statically grouped into a new group.
https://www.youtube.com/watch?v=11464Fjm2tA
thanks
06-17-2016 04:18 AM
Hi Jack,
Q1: Yes, you have to check the endpoint details from Administration -> Identity Management -> Identities -> Endpoints (screenshot attached).
Q2: If you go to the profiling architecture and CF (Certainty Factor) value section of the guide, it will help you.
Q3: Yes, it helps. You can statically map failing devices to a particular group; it is a feasible solution for small-scale deployments, and for large scale dynamic profiling is the better option.
06-17-2016 05:03 AM
Dear Pradeepa,
I want to keep the MAB policy on top and the dot1x policy below in the authorization policy.
Suppose HP printers are profiled as HP-Device in ISE; can I statically map these devices to a particular static group instead of automatic mapping to HP-Device?
thanks
06-21-2016 02:33 AM
Hi Jack,
I want to keep the MAB policy on top and the dot1x policy below in the authorization policy. - Yes
Suppose HP printers are profiled as HP-Device in ISE; can I statically map these devices to a particular static group instead of automatic mapping to HP-Device? - Yes, you can do that.
Cheers,
Pradeep