03-20-2019 05:33 AM
Running a C4506-E 15.2(2)E8
Machines are authenticating through ISE. Within 30 seconds one will fail to authenticate (after it has already passed authentication). It seems like a round robin of machines that are failing to authenticate after they already authenticate. This process continues forever. It's like ISE is only accepting so many MAC addresses from this switch to authenticate at once, and every time that limit is reached one is forced to fail authentication to make room for another machine. I'm not too sure where to start as far as troubleshooting this issue. Any advice would help.
03-20-2019 06:08 AM
The first place to look is in ISE under LiveLogs (or in Reports) to see why ISE had to fail the authentication. Sometimes the reason that ISE gives is not the real reason/cause, but it's a starting point.
What version of ISE?
What type of PAN/PSN? SNS-34 or SNS-35 etc.
How many endpoints do you see in the dashboard?
I doubt this makes any difference, but is the CPU trending high?
03-20-2019 06:52 AM
03-20-2019 06:57 AM
When you look at the switch side, do you see the session go into an authenticated state? There could be attributes that you are passing back from ISE that cause the session to go Unauth, so it never truly completes even though ISE authenticated it. If you see everything look good on the switch side, watch the detailed "show auth session" or "show access-session" output for that port. You will probably see Dot1x rerunning constantly. If the switch is satisfied with the authentication, the only way it would rerun Dot1x is if it received an EAPol start message from the client.