
If 802.1x fails globally??

Hi All,

 

If it should happen that something goes wrong and ISE can't authenticate devices on switch ports via 802.1x, what immediate actions could remove 802.1x from switches or allow all devices onto the network?

 

Best regards,

Michael


If the client is issued a certificate from AD using GPO and, if configured, the client will automatically renew certificates before expiration, usually a couple of months before expiration. Therefore this renewal process would all be transparent to ISE; you are reliant on AD/GPO doing its job.

HTH

My thought exactly, and since MAB auth is connected, there will be no CoA. What if we imagined that a client with an expired certificate gets profiled with CorpPC_EXPRIED, and with the new certificate it gets the old profile back, CorpPC, and then the new profile triggers CoA?

On the other hand, if a client has an expired certificate, the machine hasn't been in contact with the domain for a long time, then there might be a valid reason to contact the IT department :)

 

I'm going to pick at this again: what if the server-side certificate expires, the one ISE uses to authenticate clients, and all endpoints get MAB auth and hit the portal? How would we fix this after the certificate has been updated?