05-12-2019 09:04 PM - edited 02-21-2020 11:05 AM
Since the rollout of fully authenticating dot1x for wired endpoints and MAB for printers/VTC, I have been noticing two things when customers log into endpoints.
1. Customer has already been authenticated and is working on documents. After x amount of time, it seems as though the session drops, and as a result their profile (background, shortcut to shared drives, network connection) disappears, but the customer is still logged in. They experience a black background with the mouse available. Some are more patient than others, so the session comes back. Others who tried to log off and then log back in still have the black background, and try again until either they log off and walk away or they are persistent and get the profile restored.
2. Customer makes the attempt to log into the endpoint but receives a "Domain is unavailable..."
Environment:
-Cisco 2960 (user/endpoint switch)
-ISE 2.4
-DOT1x with Wired AutoConfig (supplicant)
-Windows 10 with wired connectivity & static IPs
What I've been able to piece together so far is that these endpoints try to do DHCP with discovery of 169.254.x.x APIPA.
-I see on the firewall "Deny UDP Reverse path 169.254.x.x...to 255.255.255.x from vlan xx"
-We have static IPs configured, so why would this start? (Although the answer to that could be that our supplicant is the Wired AutoConfig service in Windows 10 and wants to advertise this first before choosing to use the static IP defined.)
-Log from endpoint, TCPIP 4199 "duplicate ip 0.0.0.0 to C4.4-.--.--.--". I cannot find any MAC address on switches, ISE appliances, etc. that we own. But to match up the duplicate IP error message, I stumbled onto this link: https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/8021x/116529-problemsolution-product-00.pdf
From what I can gather about all this, since Windows 10 added this Wired AutoConfig service, it wants to do this first before using the static IP? But why would this happen if endpoints have a static IP? Should that DHCP step be disabled and move to STATIC IP?
Oh, and another thing: to temporarily clear the issue, staff have been rebooting the workstation and are able to authenticate.
Need help understanding this and was wondering if you folks could help me get to the right path of resolving and understanding dot1x and supplicant when it has a static IP.
As for the second issue (not sure yet what that problem is... or if it's also part of dot1x at all).
05-13-2019 05:54 AM