Endpoint fails to authenticate after port bounce / computer reboot

REJR77
Level 1

Hi,

We use ISE to authenticate Windows 10 endpoints (22H2, with the native supplicant) in an SD-Access network.
Some endpoints are authenticated with EAP-TLS and a machine certificate. These endpoints need to have a fixed IP address.
We manage to authenticate the endpoint, so the certificates are fine (for ISE and the endpoint), but when a port bounce or a restart of the computer occurs, we observe a Failed Authentication, and it can take several minutes or hours to get back access to the network.

From the ISE point of view we can see that the endpoint first tries to authenticate with EAP-TLS (for some reason it fails, "5440 Endpoint abandoned EAP session and started new" ==> looks like an endpoint issue), then it moves to MAB (which of course fails), and 10 minutes after we can see that the EAP-TLS authentication is successful.

What we tried
- Moving the endpoint to another switch with another version: issue is still present
- Shut / no shut of the interface: issue still occurs
- Restart of the computer: issue still occurs

Workaround found
- Changing the Network Adapter of the endpoint to DHCP ==> but we need a fixed IP
or
- Unchecking "Fallback to unauthorized network" on the network adapter ==> which adds some delay to the network connection when connecting to other networks

Have you seen that kind of behaviour? Any settings we can change on ISE or on the switch? We can think of a supplicant misconfiguration but as it can authenticate in the end I can say that the certificates are OK.

Regards
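An added example, not from this thread, showing how to pull the sequence the poster describes (EAP-TLS failure with the 5440 message, MAB fallback, EAP-TLS success minutes later) out of per-endpoint authentication log lines and measure the time to recovery. The log layout and sample values are constructed for illustration and are not the real ISE export format.

```python
# Added example (not from the original post): correlate per-endpoint
# authentication outcomes to measure how long an endpoint took to regain
# network access after a port bounce. Log format below is constructed.
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: "timestamp,endpoint_mac,protocol,result,reason"
SAMPLE_LOG = """\
2024-03-01T08:00:05,00:11:22:33:44:55,EAP-TLS,FAIL,5440 Endpoint abandoned EAP session and started new
2024-03-01T08:00:35,00:11:22:33:44:55,MAB,FAIL,MAB rejected (constructed reason text)
2024-03-01T08:10:12,00:11:22:33:44:55,EAP-TLS,PASS,
2024-03-01T08:00:07,aa:bb:cc:dd:ee:ff,EAP-TLS,PASS,
"""


def parse(log_text):
    """Parse the constructed log into (timestamp, mac, proto, result, reason) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, mac, proto, result, reason = line.split(",", 4)
        events.append((datetime.fromisoformat(ts), mac, proto, result, reason))
    return sorted(events)  # tuples sort by timestamp first


def reconnect_delays(log_text, abandon_code="5440"):
    """For each endpoint, find the first EAP-TLS failure carrying the 5440 message and
    report seconds until its next EAP-TLS PASS, plus whether MAB was tried in between.
    delay_s is None when no later success exists in the log."""
    by_mac = defaultdict(list)
    for ev in parse(log_text):
        by_mac[ev[1]].append(ev)
    report = {}
    for mac, evs in by_mac.items():
        start, saw_mab = None, False
        for ts, _, proto, result, reason in evs:
            if start is None:
                if proto == "EAP-TLS" and result == "FAIL" and reason.startswith(abandon_code):
                    start = ts
            elif proto == "MAB":
                saw_mab = True
            elif proto == "EAP-TLS" and result == "PASS":
                report[mac] = {"delay_s": int((ts - start).total_seconds()), "mab_fallback": saw_mab}
                break
        if start is not None and mac not in report:
            report[mac] = {"delay_s": None, "mab_fallback": saw_mab}
    return report


def slow_endpoints(report, threshold_s=120):
    """MACs whose recovery exceeded the threshold or never recovered in the log."""
    return sorted(m for m, r in report.items() if r["delay_s"] is None or r["delay_s"] > threshold_s)
```

Run `slow_endpoints(reconnect_delays(SAMPLE_LOG))` to list the endpoints showing the multi-minute recovery pattern; endpoints that authenticate cleanly never enter the report.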


Arne Bier
VIP

A port bounce should not have this kind of negative effect.

How does your switch config look? Using IBNS 1.0 or IBNS 2.0?

We should take a look at the following:
- show derived-config interface xxxx
- show policy-map type control subscriber (if using IBNS 2.0)
- ISE Error Messages for the EAP failures

If DHCP is part of the solution, then you could make static reservations in the DHCP server, which is possibly a better solution than hard coding IP addresses in hosts. But since layer 3 happens after successful EAP, the real question is why the EAP is failing.

Are these endpoints connected to a phone, or directly into the switch?

Do you have device-tracking configured?


Damien Miller
VIP Alumni

Are you using Anyconnect NAM? I have seen this behavior logged as a bug when NAM is in use.