1387 Views | 30 Helpful | 3 Replies

dot1x taking 30 seconds to machine or user authenticate

laurathaqi
Level 3

Dear community,

I applied dot1x on a supplicant, authenticating via Cisco ISE. Authentication is successful, but whenever I restart the machine, the first authentication takes exactly 30 seconds to finish.

The show authentication session int f0/1 output shows dot1x success, authentication via PEAP, meaning that it is not failing over to MAB, so that timeout delay is out of play.

The configuration applied on the switch is:

switchport access vlan 1
switchport mode access
authentication event fail action next-method
authentication event server dead action authorize vlan 30
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable

The rule on ISE checks whether the user is part of Domain Users or Domain Computers, then authenticates and allows access. Meanwhile the supplicant is configured to authenticate via dot1x "User or Machine Authenticate".

Can someone please orient me towards what kind of delay this might be? It is consistent behavior, in that it happens after each restart on my ports.

Any suggestion would be highly appreciated.

Looking forward to hearing from you!

Best regards,

Laura
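As an added worked example (not from the post, and not Cisco's code), here is a small Python script that reads the interface configuration above and works out the 802.1X timer budget it implies. The switch sends EAP-Request/Identity and retransmits it max-reauth-req times, one tx-period apart, before it moves to the next method, so the identity window is tx-period × (max-reauth-req + 1); an EAP request inside the exchange is retried max-req times, supp-timeout apart. The defaults used for anything the config leaves unset (tx-period 30, max-reauth-req 2, supp-timeout 30, max-req 2) are the usual IOS values and are an assumption to confirm with show dot1x interface on the NAD. Since the post says the session ends in dot1x success rather than MAB, this is a check to compare against the observed 30 s, not a diagnosis.

```python
"""Added example (not from the thread): compute the 802.1X timer budget
implied by a Cisco IOS access-port configuration."""
import re

# Interface configuration as posted in the thread.
PORT_CONFIG = """
switchport access vlan 1
switchport mode access
authentication event fail action next-method
authentication event server dead action authorize vlan 30
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
"""

# Assumed IOS defaults for values the configuration leaves unset
# (confirm on the NAD with "show dot1x interface").
IOS_DEFAULTS = {"tx-period": 30, "supp-timeout": 30, "max-reauth-req": 2, "max-req": 2}

TIMEOUT_RE = re.compile(r"^\s*dot1x timeout (tx-period|supp-timeout) (\d+)\s*$")
RETRY_RE = re.compile(r"^\s*dot1x (max-reauth-req|max-req) (\d+)\s*$")
ORDER_RE = re.compile(r"^\s*authentication order (.+?)\s*$")


def parse_dot1x_timers(config: str) -> dict:
    """Return tx-period, supp-timeout, max-reauth-req and max-req, using
    the assumed defaults for anything the config does not set."""
    timers = dict(IOS_DEFAULTS)
    for line in config.splitlines():
        m = TIMEOUT_RE.match(line) or RETRY_RE.match(line)
        if m:
            timers[m.group(1)] = int(m.group(2))
    return timers


def auth_order(config: str) -> list:
    """Method order the port tries, e.g. ['dot1x', 'mab']."""
    for line in config.splitlines():
        m = ORDER_RE.match(line)
        if m:
            return m.group(1).split()
    return ["dot1x"]  # dot1x alone when no order is configured


def dot1x_budget(timers: dict) -> dict:
    """Worst-case seconds the port spends in each dot1x phase."""
    return {
        # EAP-Request/Identity sent, then retried max-reauth-req times, one
        # tx-period apart, before the port gives up on dot1x (next method).
        "identity_window_s": timers["tx-period"] * (timers["max-reauth-req"] + 1),
        # An EAP request inside the exchange is retried max-req times,
        # supp-timeout apart, if the supplicant stops answering mid-way.
        "eap_retry_window_s": timers["supp-timeout"] * (timers["max-req"] + 1),
    }


def report(config: str) -> str:
    """Human-readable summary of the budget for one port configuration."""
    timers = parse_dot1x_timers(config)
    budget = dot1x_budget(timers)
    order = " -> ".join(auth_order(config))
    return (
        f"order: {order}\n"
        f"identity window: {budget['identity_window_s']} s "
        f"(tx-period {timers['tx-period']} x (max-reauth-req {timers['max-reauth-req']} + 1))\n"
        f"EAP retry window: {budget['eap_retry_window_s']} s "
        f"(supp-timeout {timers['supp-timeout']} x (max-req {timers['max-req']} + 1))"
    )


if __name__ == "__main__":
    print(report(PORT_CONFIG))
```

With the posted config the identity window comes out at 10 × (2 + 1) = 30 s under the assumed defaults; if the NAD reports different values, feed the real ones in and compare again.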

 

3 Replies

Hi @laurathaqi 

Run a capture on ISE, filter on the IP address of the NAD the host is connected to, and run the test again; that may provide some clue as to whether the client or ISE is slow to respond. Check the ISE live logs and look for the latency of the communication to the AD DCs.

Is it just the one computer or NAD that is experiencing this issue?
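The capture check described above, as an added example that is not part of the reply: a Python script that takes a RADIUS-only capture summary and attributes each wait either to ISE (time between a request from the NAD and ISE's answer) or to the client side (time between ISE's challenge and the NAD's next request, which is the supplicant answering through the switch). The input is the tab-separated form that tshark -r ise.pcap -Y radius -T fields -e frame.time_relative -e ip.src -e ip.dst -e radius.code prints; the packet lines, the addresses 10.0.0.10 (ISE) and 10.0.1.5 (NAD), and the 20-second gap in them are constructed for the example. The EAPOL exchange on the access link never reaches ISE, so a large client-side gap points at the supplicant or the switch and is resolved by a second capture on the computer.

```python
"""Added example (not from the thread): split RADIUS round-trip time in an
ISE-side capture into time waiting on ISE versus time waiting on the
supplicant/NAD, so the slow party can be identified."""
from dataclasses import dataclass

ISE_IP = "10.0.0.10"  # assumed ISE PSN address (not from the thread)
NAD_IP = "10.0.1.5"   # assumed switch (NAD) address (not from the thread)

# RADIUS packet codes (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11

# Constructed sample: frame.time_relative, ip.src, ip.dst, radius.code.
# One PEAP exchange with a 4.2 s ISE-side wait (e.g. a slow AD lookup)
# and a 20 s client-side wait before the last request.
SAMPLE_CAPTURE = """\
0.000000\t10.0.1.5\t10.0.0.10\t1
0.004100\t10.0.0.10\t10.0.1.5\t11
0.031000\t10.0.1.5\t10.0.0.10\t1
0.037200\t10.0.0.10\t10.0.1.5\t11
0.062000\t10.0.1.5\t10.0.0.10\t1
4.262000\t10.0.0.10\t10.0.1.5\t11
24.290000\t10.0.1.5\t10.0.0.10\t1
24.295000\t10.0.0.10\t10.0.1.5\t2
"""


@dataclass
class Packet:
    t: float
    src: str
    dst: str
    code: int


def parse_capture(text: str) -> list:
    """Parse tshark field output (tab separated) into Packet records."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, code = line.split("\t")
        packets.append(Packet(float(t), src, dst, int(code)))
    return packets


def attribute_latency(packets: list, ise_ip: str = ISE_IP) -> dict:
    """Charge every inter-packet gap to the party that was being waited on."""
    server_s = client_s = 0.0
    largest = (0.0, "none", 0)  # (seconds, side, index of the packet that ended the wait)
    retransmits = 0
    for i in range(1, len(packets)):
        prev, cur = packets[i - 1], packets[i]
        gap = cur.t - prev.t
        if prev.src != ise_ip and cur.src == ise_ip:
            side = "server"   # NAD asked, ISE took `gap` seconds to answer
        elif prev.src == ise_ip and cur.src != ise_ip:
            side = "client"   # ISE answered, supplicant/NAD took `gap` seconds
        else:
            # Same direction twice in a row: a retransmission. Charge the wait
            # to the side that failed to answer the first copy.
            retransmits += 1
            side = "server" if cur.src != ise_ip else "client"
        if side == "server":
            server_s += gap
        else:
            client_s += gap
        if gap > largest[0]:
            largest = (gap, side, i)
    last = packets[-1].code if packets else None
    outcome = {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(last, "incomplete")
    return {
        "total_s": packets[-1].t - packets[0].t if packets else 0.0,
        "server_s": server_s,
        "client_s": client_s,
        "largest_gap_s": largest[0],
        "largest_gap_side": largest[1],
        "largest_gap_packet": largest[2],
        "retransmits": retransmits,
        "outcome": outcome,
    }


if __name__ == "__main__":
    result = attribute_latency(parse_capture(SAMPLE_CAPTURE))
    for key, value in result.items():
        print(f"{key:>20}: {value:.3f}" if isinstance(value, float) else f"{key:>20}: {value}")
```

A result whose client_s dominates (as in the constructed sample) says ISE answered promptly and the wait was on the supplicant or switch side; a large server_s instead lines up with the AD DC latency the reply mentions checking in the live logs. Consecutive requests from the NAD with no answer in between are counted as retransmits and charged to ISE.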

Hi @Rob Ingram

It is happening on all of the computers where I am activating dot1x PEAP. Without the dot1x configuration, it all used to work fine.

The ISE Live Log error messages are usually lacking in explanation, as all I get is "NAD or Supplicant may not be configured correctly". However, that's quite a wide scope to look at, especially as I have double-checked the configuration ten times now, and it's all based on the Cisco ISE Administration Guide.

With further troubleshooting I got another error on the way, with information in the Microsoft Event Logs on the user's machine when trying to authenticate, as follows: "A fatal error occurred while creating a TLS client credential. The internal error state is 10013."

I read that this is an issue where the server and the supplicant cannot agree on a protocol to communicate with.

After a while now, I am getting the error: "Windows can't verify the certificate of ise1.domainexample.com".

Based on Google, the solution for this message is one of the following three: a Windows Update bug (builds 1803 to 1809), the ISE certificate missing, or disabling the option "Verify the server's identity by validating the certificate" on the host's NIC.

1. Windows 10 is on OS Build 19043.1237.

2. The ISE certificates were generated and signed by the Root CA, and the Root CA is distributed via GPO to Domain Users.

3. Disabling "Verify the server's identity by validating the certificate" does not seem to be the best solution, as the certificate is generated and signed by the Root CA and it should be working properly.

I am assuming that the login delay issue has to do with the ones noted in this post. However, I am about to connect with the client in the upcoming hours and troubleshoot further.

Do you have any idea or suggestion on how to attack this problem further?

Note: I will run a capture and update you in a few hours.

Thank you,

Laura

@laurathaqi 

Is the ISE EAP certificate issued by the same CA as the computers?

If you take a packet capture on the computer, that would provide some useful information.

If you enable RADIUS and AAA debugs on the switch when the computer/user logs in, that would provide a clue.