Endpoints not hitting dot1x auth policy

Amar_Tufo
Level 1

Dear all,

I'm quite new to the ISE field, so pardon me if I explain something wrong. I'll write only about wired endpoints.

Can someone please guide me further, because I feel like I'm hitting a dead end in a case where I have multiple endpoints which are dot1x auth capable and are configured to authenticate that way, as are the network devices and ISE. In the end those endpoints aren't authenticated and are being rejected, while the ISE live logs show that those endpoints are being rejected per the auth profile which is the one configured for MAB authentication. I'm not seeing that ISE has recorded or shown me a live log where it tells me that dot1x auth has occurred at all; it shows me only the live log which refers to the attempted MAB auth policy.

The point is that this shouldn't happen at all: authentication order and priority are set to do dot1x first, then MAB as fallback (this is proven by the fact that we have hundreds of other endpoints where dot1x auth occurs first and is successful).

All those endpoints, the ones that do auth per dot1x or not, are:

  • domain members,
  • the same GPOs are applied to them, the ones which relate to network adapter settings,
  • they have a valid certificate for client authentication in their local store,
  • they share the same NADs,
  • on the interface config the auth order and priority are configured dot1x then mab,
  • also the authentication policy in the policy sets has dot1x above mab,
  • none of those endpoints are entered into user identity groups on ISE.

When I check directly on the switch with sh auth ses int gi1/0/10 details, it says dot1x running; after some time nothing happens, then it states dot1x stopped and mab stopped. Simultaneously watching the ISE live logs, there is no log about that particular endpoint performing dot1x, only the one where ISE rejects the endpoint per MAB.

I've tried clear auth ses int or mac on the switch, and shut/no shut on the interface; it changes nothing. I also tried removing the mab command from the interface for those problematic endpoints, to see whether they would somehow only do dot1x. Nothing.

Does anyone have a hint where to look, what to do next, how to force the endpoint/switch/ISE to execute dot1x, or how to troubleshoot further? If more information is needed, I will try to provide more. Thanks


2 Replies

This sounds like a supplicant issue on the endpoint where 802.1X is not enabled on the device, so the switch falls back to MAB. I would check your supplicant configuration, certificate, etc. Make sure your NIC drivers are also up to date.

https://community.cisco.com/t5/security-documents/how-to-ask-the-community-for-help/ta-p/3704356

It was due to the Wired AutoConfig service not being set to auto start. Thank you for your time.
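A quick way to check for the cause the OP found on a Windows endpoint, as an added example that is not code from the thread: it audits the Wired AutoConfig service (dot3svc, the built-in wired 802.1X supplicant) and optionally fixes its startup type. It assumes Windows PowerShell 5.1 on the endpoint and admin rights for the -Remediate path.

```powershell
# Added example, not code from the thread: audit the Windows Wired AutoConfig
# service (dot3svc), which is the built-in 802.1X supplicant for wired NICs.
# If it is stopped or not set to Automatic, the endpoint never answers the
# switch's EAP requests, so the NAD times out dot1x and falls back to MAB,
# which matches the 'dot1x stopped / mab stopped' pattern described in the post.
# Assumes Windows PowerShell 5.1 on the endpoint; -Remediate needs admin rights.
param(
    [switch]$Remediate
)

function Get-WiredSupplicantState {
    $svc = Get-Service -Name dot3svc -ErrorAction Stop
    [pscustomobject]@{
        Service   = $svc.DisplayName
        Status    = $svc.Status
        StartType = $svc.StartType
        Healthy   = ($svc.Status -eq 'Running') -and ($svc.StartType -eq 'Automatic')
    }
}

$before = Get-WiredSupplicantState
$before | Format-List

if (-not $before.Healthy) {
    if ($Remediate) {
        # The same fix the OP applied, done from the command line. In a domain
        # this is normally enforced via GPO (Computer Configuration > Policies >
        # Windows Settings > Security Settings > System Services).
        Set-Service -Name dot3svc -StartupType Automatic
        Start-Service -Name dot3svc
        Get-WiredSupplicantState | Format-List
    } else {
        Write-Warning 'dot3svc is not Running/Automatic; re-run with -Remediate to fix it.'
    }
}

# With the service running, netsh can show whether 802.1X is actually enabled
# on each wired adapter (this command fails when dot3svc is stopped).
if ((Get-Service -Name dot3svc).Status -eq 'Running') {
    netsh lan show interfaces
}
```

Run it without switches first to see the current state; a result of Stopped/Manual on a machine that is supposed to do dot1x is the condition the accepted answer describes.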