ā03-28-2019 04:37 AM
Hi,
I have ISE 2.4.0.357 with patch 1,2 and 3. Also I have PC with Win 10 and AnyConnect version 4.5.04029
On ISE I configured authentication dot1x for domain PC and MAB for printers and IP Phones. All works is ok, but some PC can't authenticate properly and in ISE logs I see the next log "15039 Rejected per authorization profile". And some time later this PC is authenticate correct. And it's continue over and over.
Can anybody faced with problem like this?
the output command sh run int fa0/6 is:
interface FastEthernet0/6
switchport access vlan 17
switchport mode access
switchport port-security mac-address sticky
switchport port-security mac-address sticky XXXX.XXXX.XXXX
switchport port-security
authentication event fail action next-method
authentication event server dead action authorize vlan 17
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
spanning-tree portfast
the piece of output command sh auth sess int fa0/6 is:
Runnable methods list:
Method State
dot1x Failed over
mab Failed over
switch is WS-C2960+24PC-L and IOS is 15.0(2)SE8
ā03-28-2019 05:54 AM
ā03-29-2019 12:59 AM
ā03-30-2019 03:24 PM
Check the auth detailed reports and see whether the failed sessions have values of all the attributes to match on your policy rules.
ā03-28-2019 08:11 AM
Hi,
Remove the "switchport port-security" configuration on all the switchports where you have 802.1x or MAB configured.
Port-security creates issues when used with dot1x/MAB.
Then try again to see if the problem persists.
Please rate if helpful.
ā09-30-2021 07:47 AM
hi. i new user for ISE. please can you tell me what problems they may have when i configure a 802.1x whit portsecure??
ā09-30-2021 08:09 AM - edited ā09-30-2021 08:14 AM
Port security is implemented by the device and if it conflicts with server authentication, will supersede it. The server isn't aware of port-security. The other thing is that dot1x denies any traffic until authenticated, port-security doesn't authenticate, so dot1x is a more complete access method. I'm not aware of any case where port-security would supplement dot1x security.
I would suggest using host-mode multi-domain for a single phone and pc, as did Mike above.
As for the ISE policies, I would use the Allowed Protocols to determine or limit the policy set, and not use those in the policies themselves. I would drop the RADIUS types, It's already a condition of the policy set "RadiusFlowType EQUALS Wired802_1x". If the allowed protocols are limited to these specific ones, then no issue, but if you have more in your allowed protocols and you're filtering here, they could be negotiating another protocol (EAP-TLS) and with these policies you'd be forcing them to a default deny result. I suspect that removing the first 4 conditions in the authorization policy and leaving only the Domain Computers condition would likely improve consistency.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide