Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1102
Views
0
Helpful
16
Replies

If 802.1x fails globally??

Go to solution
Michael Bartholomæussen
Level 1
Level 1

‎08-09-2018 01:25 AM

Hi All,

 

If it should happen, that something goes wrong and ISE cant authenticate devices on switch ports via 802.1x, what immediately actions could remove 802.1x from switches or allow all devices onto the network?

 

Best regards,

Michael

0 Helpful
16 Replies 16

Go to solution
Rob Ingram
VIP
VIP
In response to paul

‎09-06-2018 11:05 AM

If the client is issued a certificate from AD using GPO and if configured the client will automatically renew certificates before expiration, usually a couple of months before expiration. Therefore this renewal process would all be transparent to ISE, you are reliant on AD/GPO doing it's job.

HTH
0 Helpful

Go to solution
Michael Bartholomæussen
Level 1
Level 1
In response to paul

‎09-06-2018 11:06 AM

my thought exactly, and since MAB auth is connected, there will be no CoA. What if we imagined that a client with an expired certificate gets profiled with CorpPC_EXPRIED, and with the new certificate it gets the old profile back CorpPC, and then the new profile triggers CoA?

On the other hand, if a client has an expired certificate the machine hasn't been in contact we the domain for a long time, then there might be a valid reason to contact the IT department :)

 

I'm going to pick at this again, what if the server side certificate expires, the one ISE uses to authenticate clients, and all endpoints get MAB auth and hits the portal. How would we fix this after the certificate have been updated?

0 Helpful
Customers Also Viewed These Support Documents