Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
452
Views
0
Helpful
3
Replies

ISE 2.2 fail to authenticate machine which is updated with Windows 10 version 1803

siddhesh.parab@orange.com1
Level 1
Level 1

‎09-13-2018 07:04 AM

 

Issue reported by customer :-

Upon installing ‘Feature Update to Windows 10 version 1803’ some computers fail to pick up an IP address on an ISE only port. Machines connect correctly and obtains IP on NON-ISE port.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

 

We have seen logs for one of the mac address. Where laptop is sending the MAC address as identify an hence taking policy for MAB instead of dot1x.

After some time laptop sending its machine certificate and its getting authenticated with proper dot1x policy.

 

Switch port is configured properly as below, but now question is ,why the laptop is sending MAC address initially instead of certificate and after some time its sending certificate.

Have you face similar issues from any client? What is the solution for same?

Live logs from ISELive logs from ISE

0 Helpful
3 Replies 3

Jason Kunst
Cisco Employee
Cisco Employee

‎09-13-2018 08:24 AM

Please work through the TAC on troubleshooting support issues
0 Helpful

siddhesh.parab@orange.com1
Level 1
Level 1
In response to Jason Kunst

‎09-13-2018 08:48 AM - edited ‎09-13-2018 08:52 AM

 
0 Helpful

siddhesh.parab@orange.com1
Level 1
Level 1
In response to Jason Kunst

‎09-13-2018 08:52 AM

Already contacted TAC.. still need more detailed resolution...any one is facing issue after upgrading windows 10 1803

 

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The machine is responsible for presenting the certificate, to ISE for authenticating.

Only when the ISE is presented with the certificate, it passes the authentication.

 

When the supplicant is not presenting  the certificate it lands up to the MAB policies.

ISE cannot change the any of the certificate parameters of the client machine.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents