Does ISE have a function to block after some failures by default?

quangle1993
Level 1

I have a topology as below:

ISE---SW1---SW2

I configured authentication with Cisco ISE on SW1. SW2 only has VLAN assignment configured. If I connect an endpoint (laptop, IP phone) to SW1, everything works fine; both dot1x and MAB authentication succeed. But when I connect the endpoint to SW2, only the IP phone authenticates successfully, with the MAB method. Then I unplug my laptop and reconnect it to SW1. It still fails authentication. I use the command "show authentication session" and the output shows that my laptop is still on the port connected to SW2 (port G1/0/1, for example), which is not true. Then I use the command "show mac address-table interface g1/0/5" and the output is like below:
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ------------------ ----------- -----
14 0007.3b93.92fc DYNAMIC DROP
Total Mac Addresses for this criterion: 1
The authentication log keeps alerting that my laptop is authenticating on port G1/0/1 (connected to SW2), which my laptop is not connected to anymore. I must unplug the port connected to SW2 and then re-plug my laptop into SW1, and only then does my laptop authenticate successfully again. I think when I unplug the port connected to SW2, the MAC address table entry on that port is cleared, and then when I plug my laptop in again, my laptop's MAC address is accepted on the new port, so authentication succeeds. And after some testing, I cannot authenticate my laptop anymore, though I connect directly to SW1, which I configured authentication on. I can make sure 100% that I typed the credentials right. But it still failed, and even if I change the credentials to another user, it still fails. So I guess ISE blocked my laptop after some failed authentications.
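The DROP entry in the MAC table above means the switch knows the MAC but discards its traffic, which on a dot1x/MAB port typically indicates an unauthorized session. As an added example that is not part of the original post, here is a small Python parser for "show mac address-table" output that flags such entries and MACs learned on more than one port (the "still on the old port" symptom); the sample dump is constructed, reusing only the DROP row from the post.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample in the layout of the "show mac address-table" output in
# the post; 0007.3b93.92fc/DROP is the row from the post, the rest is made up.
SAMPLE_OUTPUT = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  14    0007.3b93.92fc    DYNAMIC     DROP
  14    0011.2233.4455    DYNAMIC     Gi1/0/1
  20    0011.2233.4455    DYNAMIC     Gi1/0/5
Total Mac Addresses for this criterion: 3
"""

class MacEntry(NamedTuple):
    vlan: int
    mac: str
    kind: str
    port: str

# One data row: VLAN, dotted hex MAC, type, port. Header and total lines
# do not start with a VLAN number followed by a MAC, so they are skipped.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$",
    re.IGNORECASE,
)

def parse_mac_table(text: str) -> List[MacEntry]:
    """Return the data rows of a 'show mac address-table' dump."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            entries.append(MacEntry(int(vlan), mac.lower(), kind.upper(), port))
    return entries

def dropped_macs(entries: List[MacEntry]) -> List[str]:
    """MACs whose traffic the switch discards (port DROP): unauthorized endpoints."""
    return sorted({e.mac for e in entries if e.port.upper() == "DROP"})

def macs_on_multiple_ports(entries: List[MacEntry]) -> Dict[str, List[str]]:
    """MACs learned on more than one port: the 'still on the old port' symptom."""
    seen: Dict[str, set] = {}
    for e in entries:
        seen.setdefault(e.mac, set()).add(e.port)
    return {mac: sorted(ports) for mac, ports in seen.items() if len(ports) > 1}
```

Feed it the output of "show mac address-table" from the access switch; a MAC listed under DROP is the one to look up in the ISE live logs, and a MAC on two ports is the stale-session case described above.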

2 Replies

It seems that you don't have keepalives enabled in your authentication configuration. Try these commands at port level, as Cisco best practice.

authentication periodic
dot1x pae authenticator
dot1x timeout quiet-period 300
dot1x timeout tx-period 10
dot1x timeout ratelimit-period 300
dot1x timeout held-period 300

Thanks Mohammed,

Can I ask you one more thing? Can I configure authentication with ISE on the distribution switch instead of the access switch? I have tried this, but there is a problem. There are two kinds of endpoint in my lab (PC/laptop and IP phone). When I configure authentication on the distribution switch and connect my endpoints to the access switch, only the IP phone authenticates successfully. The laptop authentication fails even though I type the right credentials. But when I connect directly to the distribution switch, my laptop authenticates successfully with the same credentials. So I think there is some config I need to add when configuring on the distribution switch, right?