ISE 1.1.1 802.1X

jack samuel
Level 1

Hello guys,

My client is Windows 8.1 and ISE 1.1.1 with Active Directory 2012.

I get the below error in my ISE for authentication.

No response received during 120 seconds on last EAP message sent to the client : 5411 No response received during 120 seconds on last EAP message sent to the client

And attached are the debug logs from the switch.


Thanks

Accepted Solution

This guide for Windows 7, for PEAP user/pass on wired, should be basically the same in Win8:

https://documentation.meraki.com/MS/Access_Control/Configuring_802.1X_Wired_Authentication_on_a_Windows_7_Client


16 Replies

jan.nielsen
Level 7

First off, please upgrade... ISE 1.1.1 is much too old. Second, your debug indicates that your Windows machine is not actually responding to dot1x; maybe the wired dot1x service is not started?

Dear Jan,

Thanks for your reply. Actually,

I have enabled wired dot1X on the Windows 8.1 machine, but still the same. I have seen many posts saying that this error is due to the client, but what specifically do I have to do apart from enabling the Wired AutoConfig service in Windows 8? I have also enabled the tick in the LAN settings for 802.1X.

Thanks

Have you decided to use PEAP or EAP-TLS? Have you installed a trusted certificate on ISE for EAP? Did you set up ISE for PEAP or EAP-TLS? What does your Windows dot1x config look like?

Dear Jan,

Thanks for the reply.

g) Click Additional Settings and select Specify authentication mode and specify User authentication. Click "OK" twice.

For the above step I am using both user and machine.

Did you set up ISE for PEAP or EAP-TLS?

PEAP; once it is successful I will plan for EAP-TLS. Any configuration link for help will be appreciated.

What does your Windows dot1x config look like?

Same as per the link provided by you; I have removed the certificate tick, and for the last step (g) I am using both user and machine.

Thanks

Dear Jan,

+5 for you.

It worked for me when I changed the advanced setting to user mode.

But now I am not able to browse the internet. Where are things missing?

Thanks

Depends,

- Are you starting in one access VLAN, and then sending another VLAN to the switch in your authorization profile?

- Are you using open mode, with an ACL on the switch port?

- What is sh auth sess for the interface saying when you are unable to reach the internet?

Dear Jan,

I have only one data VLAN and one voice VLAN.

I have a default access-list configured on the port as below:

Extended IP access list ACL-DEFAULT
    10 permit udp any eq bootpc any eq bootps (17 matches)---AD
    20 permit udp any any eq domain (7669 matches)
    21 permit tcp any host 10.208.7.2 eq 389 ---AD
    22 permit tcp any host 10.208.7.3 eq 389---AD
    60 permit icmp any any (164 matches)
    70 permit udp any any eq tftp
    90 permit ip any host 10.208.47.19 (7 matches) ----ISE
    100 deny ip any any log (19242 matches)

When the machine authenticates I don't see the downloadable access-list on the port when I execute the below command:

sh authentication sessions interface gigabitEthernet 3/23
            Interface:  GigabitEthernet3/23
          MAC Address:  c8cb.b80f.3c1f
           IP Address:  10.208.36.12
            User-Name:  Administrator
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-host
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0AD02F330000012C1E9439C8
      Acct Session ID:  0x0000014C
               Handle:  0x6700012D

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run

I believe that if you have an ACL set in the configuration of the switch port, you also need to send a dACL in your authz profile, like making one with "permit ip any any"; otherwise you will be authenticated and authorized, but still only have access to what's defined in your ACL-DEFAULT.

Sorry, I didn't read your last post properly... so you are in fact sending another dACL with something like "permit ip any any"? If so, you should check if it is in fact applied, with "sh ip access-list interface gi3/23". Also, why are you running multi-host? You should normally run single-host, multi-domain or multi-auth. Multi-host will allow any hosts on the port, as long as one host has authenticated. I'm not sure if that even works with open mode and ACLs. Try changing the host-mode to multi-auth.

Dear Jan,

Please find the attached authorization policy snapshot.

There is nothing seen on executing the command sh ip access-list gig3/XX. The switch IOS is cat4500e-universalk9.SPA.03.04.05.SG.151-2.SG5.bin.

I have an ASA module in between ISE and the user subnet; do I have to enable any ports for communication for the DACL?

I can see in the local switch logs that port 80 traffic is blocked by the ACL, which confirms that the DACL is not downloading.

Thanks

Oh, it's an IOS XE switch; the command to show the ACL is a different one, I think. At least it is on 3850/3650 switches.

Try "show platform acl"

Also make sure that the IP of your PC is listed in "show ip device tracking all" in the correct VLAN and as active.

Dear Jan,

show platform acl doesn't work.

sh ip device tracking all
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 30
IP Device Tracking Probe Delay Interval = 0
---------------------------------------------------------------------
  IP Address     MAC Address   Vlan  Interface              STATE
---------------------------------------------------------------------
10.208.36.12    c8cb.b80f.3c1f  36   GigabitEthernet3/23    ACTIVE

Total number interfaces enabled: 1
Enabled interfaces:
  Gi3/23


Thanks

Hmm, and "show ip access-list interface G3/23" does not show an ACL?

Are you sure you are actually sending the correct authorization profile back to the switch? Can you find an example of a correct authentication, where the ACL is listed as being sent back to the switch, in the details of the auth event?

Also, to be completely sure, try enabling debug aaa authorization; this should show you what's being sent from ISE, and errors if it can't be applied for some reason, or if indeed it's not actually being sent.

Also, check your whole switch config against the universal TrustSec switch configuration guide; there are several RADIUS-related commands that need to be entered to get everything working properly. Also, make sure that you have configured "dynamic author" in the switch for all your PSNs, and that ISE is allowed to start connections using CoA (udp/1700, maybe also udp/3799, not sure) towards your switches' management IP.
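As an added illustration (not code from the thread, the switch in question, or Cisco's own guide), the switch-side pieces Jan's replies point at, written as a Catalyst 4500 IOS configuration: the pre-authentication ACL-DEFAULT from the earlier post, the dynamic-author (CoA) client entry for the ISE PSN, the RADIUS attribute commands that carry the dACL name, and the Gi3/23 port in open mode with multi-auth instead of the multi-host seen in the session output. The ISE address 10.208.47.19 and VLAN 36 are taken from the outputs above; the AAA method names and the shared secret (a placeholder) are assumptions. The permit-everything dACL itself is defined in the ISE authorization profile, not on the switch, so it appears here only as a comment.

```cisco
! --- Global AAA / RADIUS (method names assumed; secret is a placeholder) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! Allow ISE to push Change-of-Authorization (CoA) to this switch.
! One "client" line per PSN; 1700 is the IOS default CoA port.
aaa server radius dynamic-author
 client 10.208.47.19 server-key RADIUS_SECRET_PLACEHOLDER
 port 1700
 auth-type any
!
radius-server host 10.208.47.19 auth-port 1812 acct-port 1813 key RADIUS_SECRET_PLACEHOLDER
! Vendor-specific attributes carry the dACL name in the Access-Accept
radius-server vsa send authentication
radius-server vsa send accounting
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
!
! The switch must learn the host IP before it can apply a per-host dACL
ip device tracking
!
! Pre-authentication ACL (the thread's ACL-DEFAULT): DHCP, DNS, LDAP to AD,
! ICMP, TFTP and ISE only; everything else is denied and logged.
ip access-list extended ACL-DEFAULT
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit tcp any host 10.208.7.2 eq 389
 permit tcp any host 10.208.7.3 eq 389
 permit icmp any any
 permit udp any any eq tftp
 permit ip any host 10.208.47.19
 deny ip any any log
!
! Weak setting seen in the "sh authentication sessions" output: multi-host
! admits every MAC behind the port once a single supplicant passes.
! interface GigabitEthernet3/23
!  authentication host-mode multi-auth   <- use this instead of multi-host
!
! Corrected port: each endpoint authenticates on its own; open mode is
! fenced by ACL-DEFAULT until ISE returns a dACL for the session.
interface GigabitEthernet3/23
 switchport mode access
 switchport access vlan 36
 ip access-group ACL-DEFAULT in
 authentication open
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
!
! ISE side (not switch CLI): the authorization profile must attach a
! downloadable ACL such as
!   permit ip any any
! otherwise the session shows "Authz Success" but traffic stays
! limited to what ACL-DEFAULT permits.
```

After applying this, "show ip access-list interface GigabitEthernet3/23" should list the downloaded ACL alongside ACL-DEFAULT for the authenticated host, and "debug aaa authorization" will show the dACL name arriving in the Access-Accept if ISE is actually sending it.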

Dear Jan,

I will do as per your instructions above, but I want to ask one quick question: I upgraded to 1.2 and the Nexus devices are not supported by ISE 1.2. My topology is as such:

ISE---Nexus7K (core)-----4500 (Access) ------USER

Thanks