08-21-2019 07:33 AM
Hi all,
I hope everyone is doing well.
One of my health care customers is currently facing an issue with ISE 2.4 with regard to authentication and authorization when a PC comes back from sleep mode. Do we have recommendations or workarounds for this issue, please?
The customer has Win 7 and Win 10 devices connected to a switch or connected to an IP phone.
Any input is greatly appreciated.
Thank you in advance.
Regards
Ross
08-21-2019 12:21 PM
08-22-2019 12:38 AM
We are looking for a long time, so the timer option is not a valid option in this case.
08-21-2019 01:48 PM
Can you please describe the problem in more detail?
Native Windows supplicant? And if so, how is it configured? (User auth only, or machine only, or both?)
From memory I think this may be expected behaviour if you do machine auth only and the machine goes to sleep. Machine wakes up but does not perform machine auth, since it believes nothing has changed (verify state of that switch interface with the show access-session command). At the login screen the user logs on and doesn't get authenticated on the network, because machine auth is configured.
08-22-2019 12:37 AM
Yep. We are using the Win 7 and Win 10 native supplicant here. Machine Auth :)
08-22-2019 02:23 AM
Hi,
I am afraid we need some more information.
0) What kind of error do you see? An authentication error logged on ISE, or a timeout/no response error logged on the switch?
1) What is the current native Windows supplicant configuration in terms of EAP methods and authentication type (machine and user, machine only, user only)?
2) What are the switch models/versions?
3) How is the switch port configured?
4) Is MAR involved, and if so, with which timers?
5) Is the error in play only when the PC is connected to a phone? If yes, which is the model of the phone?
Regards
MM
02-21-2021 04:23 AM
Hi all,
I am having the same authentication and authorization issue when it comes to a PC coming back from sleep mode.
When the PC is in sleep mode, ISE tries to authenticate with the MAC address of the PC, which does not match any rule and ends in the deny implicit rule.
The machine wakes up but does not perform machine auth. At the login screen the user logs on and doesn't get authenticated on the network.
Do we have recommendations or workarounds for this issue, please?
Should I check something in the switch configuration?
02-22-2021 12:13 AM
I think it's quite unlikely you are hitting one of these old MS bugs
kb980295 (https://mskb.pkisolutions.com/kb/980295)
but if the PC does not perform dot1x authentication after resume, it is usually a Windows-side issue.
Anyway, in order to take a deeper look, some information is missing:
1) What is the current native Windows supplicant configuration in terms of EAP methods and authentication type (machine and user, machine only, user only)?
2) What are the switch models/versions?
3) How is the switch port configured?
4) Is MAR involved, and if so, with which timers?
5) Is the error in play only when the PC is connected to a phone? If yes, which is the model of the phone?
Regards
MM