03-31-2017 04:50 AM - edited 03-11-2019 12:35 AM
We have been running the below configuration for several years now. More and more, when a user logs into a computer, they will be prompted with the Cisco Guest Portal or have no network access. Just logging off and back in again usually resolves the issue, but it is frustrating for our users. Originally we had mostly Windows 7 computers and the occurrences were very low. It seems that as computers were replaced with Windows Vista, 8.1 and now 10, it is happening more frequently. 99% of the time when this happens, the computer is cold booted from being off overnight and the user tries to log in as soon as the Ctrl-Alt-Del screen appears. We have been instructing users to wait 60 seconds before logging in, and this has helped, although not always. It appears that either the 802.1X service has not started on the computer or it is taking too long to respond to ISE and is then getting denied.
Are there any timeouts that should be changed either in ISE or on the Windows machine?
ISE 1.4 patch 8 authenticating to 2012R2 AD Domain Controllers
4500 Chassis running IOS cat4500e-universalk9.SPA.03.04.05.SG.151-2.SG5.bin
There are ACLs on the switch VLAN and ISE pushes down a dACL at login.
Computers are authenticated through ISE via AD and then re-authenticated when the user logs in.
Port Configuration:
authentication control-direction in
authentication event fail action next-method
authentication event server dead action authorize voice
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
storm-control broadcast level 0.50
spanning-tree portfast
spanning-tree bpduguard enable
Windows GPO enabled for “Always wait for the network at computer startup and logon”
802.1X profile on Windows computer:
Block period: 1 minute
Computer Authentication: User re-authentication
EAPOL Start Message: Transmit per IEEE 802.1X
Maximum Authentication Failures: 100
Maximum EAPOL-Start Messages Sent: 3
Held Period: 20 seconds
Start Period: 5 seconds
Authentication Period: 30 seconds
Single Sign On type: PreLogon
Maximum acceptable delay for network connectivity: 20 seconds
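The post suspects a race between the Wired AutoConfig supplicant service starting and the user logging on after a cold boot. The following PowerShell script is an added diagnostic example, not something posted in this thread; it reconstructs that timeline on an affected client from the Windows event logs so you can see whether dot3svc came up before or after the logon. It assumes the wired adapter is named "Ethernet" (a constructed name; adjust it), that the script runs elevated, and that the Wired-AutoConfig operational log is enabled on the machine.

```powershell
# Added example: reconstruct the boot / supplicant / logon timeline on a client.
# Not from the original thread. Run in an elevated PowerShell session.
$AdapterName = 'Ethernet'   # assumed adapter name; change to match the client

# 1. Supplicant service state and start type. A start mode other than "Auto"
#    means the service may come up only after the user is already logging on.
$svc = Get-Service -Name dot3svc
$startMode = (Get-CimInstance Win32_Service -Filter "Name='dot3svc'").StartMode
"dot3svc status: $($svc.Status), start mode: $startMode"

# 2. Last boot time, used as the start of the timeline.
$boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
"Last boot: $boot"

# 3. When dot3svc actually entered the running state: Service Control Manager
#    logs event 7036 in the System log for each service state change.
"--- Wired AutoConfig service start ---"
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036; StartTime = $boot } |
    Where-Object { $_.Message -like '*Wired AutoConfig*' } |
    Select-Object TimeCreated, Message | Format-Table -Wrap

# 4. Interactive logon notifications since boot: Winlogon event 7001 in the
#    System log marks a user logon, 7002 a logoff.
"--- Winlogon logon/logoff ---"
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Winlogon'; Id = 7001, 7002; StartTime = $boot } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id | Format-Table

# 5. All 802.1X supplicant activity since boot (EAPOL start, success, failure,
#    timeouts) from the Wired AutoConfig operational log.
"--- 802.1X supplicant events ---"
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Wired-AutoConfig/Operational'; StartTime = $boot } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap

# 6. The effective wired profile (block period, authentication mode, SSO
#    settings) and the current 802.1X state of each adapter.
netsh lan show profiles interface="$AdapterName"
netsh lan show interfaces
```

Compare the timestamps from steps 3, 4 and 5: if the first EAPOL activity or the service start lands after the Winlogon 7001 event, the supplicant was not ready when the user logged on and the switch will have been working through its own timers in the meantime. If the service was running well before the logon but the supplicant events show failures or timeouts, the delay is on the switch or ISE side instead.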
04-03-2017 07:11 AM
Try to change the config on a few ports to
authentication order dot1x mab
dot1x timeout tx-period 5
and see if the problem still occurs frequently
I found this to be working well in our environment, but each case is different of course
Also, I have the dot1x block period set to 0 in Windows network profile