Dot1x Re-authentication not working in ISE 3.1

Teg2424
Level 1

After migrating from Cisco ISE version 2.7 to 3.1, re-authentication of dot1x devices fails. Nothing has changed on the switch.

Port configuration (relevant) is as follows:

authentication order mab dot1x
authentication priority dot1x mab

This is because DHCP clients should get an IP as soon as possible. For this to work in ISE we have the following configured in the authorization profile:

cisco-av-pair = termination-action-modifier=1

Everything works fine if we config the port as follows:

authentication order dot1x mab
authentication priority dot1x mab

But as I said: the old situation did work using ISE 2.7 and we would like to have it working again.

ISE version: ISE 3.1 patch 7

Switch version: Cisco WS-C3650-48PS, Version 16.12.08

Initial authentication using dot1x works (after a shut / no shut), but after the re-authentication timer expires the device falls back to a default MAB profile. We can see in a packet trace that the switch sends a MAB Access-Request but only a dot1x Accounting-Request. No Access-Request.

The device is an IP phone, but this problem occurs with other devices as well (printers, clients).

We already contacted TAC, they think the problem is somewhere in the switch. I disagree as nothing has changed since migrating.

Any idea?
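As an added example (not code from this thread or from Cisco), a small Python check that reads constructed ISE-style authentication report lines and flags endpoints whose successful dot1x session was later replaced by a MAB authorization on the same switch port, which is the fallback described above. The log format, MAC addresses, ports and profile names are assumptions for the example, not real ISE output.

```python
import re

# Constructed sample lines loosely modelled on ISE RADIUS Authentication
# report fields (timestamp, MAC, NAS, port, method, result, profile).
# This is not a real ISE export format.
SAMPLE_LOG = """\
2024-05-01T08:00:01 mac=00:11:22:33:44:55 nas=sw1 port=Gi1/0/7 method=dot1x result=Passed profile=PhoneAccess
2024-05-01T08:00:03 mac=AA:BB:CC:DD:EE:01 nas=sw1 port=Gi1/0/8 method=mab result=Passed profile=PrinterAccess
2024-05-01T09:00:05 mac=00:11:22:33:44:55 nas=sw1 port=Gi1/0/7 method=mab result=Passed profile=DefaultMAB
2024-05-01T09:00:07 mac=AA:BB:CC:DD:EE:01 nas=sw1 port=Gi1/0/8 method=mab result=Passed profile=PrinterAccess
2024-05-01T09:00:09 mac=AA:BB:CC:DD:EE:02 nas=sw1 port=Gi1/0/9 method=dot1x result=Failed profile=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) mac=(?P<mac>\S+) nas=(?P<nas>\S+) port=(?P<port>\S+) "
    r"method=(?P<method>\S+) result=(?P<result>\S+) profile=(?P<profile>\S+)$"
)


def parse_events(log):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_mab_downgrades(log):
    """Return endpoints that passed dot1x on a port and were later authorized
    by MAB on the same NAS/port. Lines are assumed to be in chronological order.
    Each hit records when the dot1x session was seen and which MAB profile
    replaced it, so a DefaultMAB result after a PhoneAccess session stands out."""
    last_dot1x = {}   # (mac, nas, port) -> timestamp of last dot1x pass
    downgrades = []
    for ev in parse_events(log):
        if ev["result"] != "Passed":
            continue  # failures are not authorizations, ignore them here
        key = (ev["mac"].lower(), ev["nas"], ev["port"])
        if ev["method"] == "dot1x":
            last_dot1x[key] = ev["ts"]
        elif ev["method"] == "mab" and key in last_dot1x:
            downgrades.append({
                "mac": key[0], "nas": key[1], "port": key[2],
                "dot1x_ts": last_dot1x.pop(key),  # report each downgrade once
                "mab_ts": ev["ts"], "mab_profile": ev["profile"],
            })
    return downgrades


if __name__ == "__main__":
    for hit in find_mab_downgrades(SAMPLE_LOG):
        print(f"{hit['mac']} on {hit['nas']} {hit['port']}: dot1x at "
              f"{hit['dot1x_ts']} replaced by MAB ({hit['mab_profile']}) at {hit['mab_ts']}")
```

Endpoints that were MAB-only from the start (the printer above) are not reported, so only the dot1x-to-MAB transition the post describes is surfaced.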

2 Replies

marce1000
Hall of Fame

Ref: https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1/b_ISE_admin_31_integration.html#task_ABD9CBD547B542A6A3CE26EE8B2C9910
Looking at Step 8, it seems to add a number of port directives for re-authentication; are you using any of these?

M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

These are the port settings:


authentication control-direction in
authentication event fail action next-method
authentication event server dead action authorize voice
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation protect
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 300
dot1x timeout tx-period 10