DOT1X to Cisco ISE fails after switch reload

Rob McCarty
Level 1

Dot1x works until a switch is reloaded; afterward, ports do not re-authenticate until they are bounced again or the endpoint is rebooted (NIC bounced).


Looking at the logs with TAC, they say the host is not responding (Windows box), but why would bouncing the port fix it when the switch reload did not in the first place? Is the port coming up before the switch is ready to authenticate? Someone must have run into a similar problem in a large-scale deployment; we can recreate this with multiple switches and hosts.


config:


authentication event fail action next-method
authentication event server dead action authorize vlan 1
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
snmp trap mac-notification change added
snmp trap mac-notification change removed
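
A quick way to make the post-reload state visible, as an added example that is not from the original thread: this Python parses the summary table of `show authentication sessions` (the sample output, MAC addresses and session IDs below are constructed) and lists the ports whose sessions are not in Authz Success. Because the config above uses `authentication open`, such ports can keep forwarding traffic, so the session state is the only sign that they never re-authenticated.

```python
import re
from collections import Counter

# Constructed sample of "show authentication sessions" output from a
# Cisco IOS switch; MAC addresses and session IDs are made up.
SAMPLE_OUTPUT = """\
Interface    MAC Address    Method   Domain   Status         Session ID
Gi1/0/1      0050.56aa.0001 dot1x    DATA     Authz Success  0A0A0A0A0000000100000001
Gi1/0/1      0050.56aa.0002 mab      VOICE    Authz Success  0A0A0A0A0000000200000002
Gi1/0/2      0050.56aa.0003 dot1x    DATA     Running        0A0A0A0A0000000300000003
Gi1/0/3      0050.56aa.0004 mab      DATA     Authz Failed   0A0A0A0A0000000400000004
Gi1/0/4      (unknown)      N/A      UNKNOWN  Running        0A0A0A0A0000000500000005
"""

# Status may contain a space ("Authz Success"), so match it lazily and
# anchor on the hex session ID at the end of the line.
SESSION_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<mac>\S+)\s+(?P<method>\S+)\s+(?P<domain>\S+)\s+"
    r"(?P<status>.+?)\s+(?P<sid>[0-9A-Fa-f]+)$"
)


def parse_sessions(text):
    """Parse the summary table into a list of dicts; the header does not match."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            sessions.append(m.groupdict())
    return sessions


def stuck_ports(sessions):
    """Map interface -> ["method:status", ...] for every session that is not
    'Authz Success'. With 'authentication open' these ports still pass traffic,
    so a user may never notice that 802.1X/MAB did not complete after a reload."""
    bad = {}
    for s in sessions:
        if s["status"] != "Authz Success":
            bad.setdefault(s["iface"], []).append(f'{s["method"]}:{s["status"]}')
    return bad


def status_summary(sessions):
    """Count sessions per status, e.g. to compare before and after a reload."""
    return dict(Counter(s["status"] for s in sessions))


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_OUTPUT)
    print("status counts:", status_summary(sessions))
    for iface, states in sorted(stuck_ports(sessions).items()):
        print(f"{iface}: {', '.join(states)}")
```

Feed it the real output of the command (for example captured right after the reload and again 20 minutes later) to see which ports recover on their own and which only recover after a bounce.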

1 Reply

jwmolenaar
Level 1

Hi Rob,

I've seen the same behaviour, but from a technical perspective the switch was trying to authenticate. From what I've seen, my conclusion was that the authentication process on the switches started way too late, causing the supplicant on Windows to time out. For some reason it takes a while to recover from the situation.

My experience is that after about 20 minutes everything starts to work normally again.

Regards, Jan-Willem