01-29-2019 01:51 AM
We are faced with an issue: 5440 Endpoint abandoned EAP session and started new
Use case: Corporate users using corporate machine – Dot1x authentication using certificates (User + Machine) EAP-FAST and Posture assessment
Network Devices:
Cisco WS-3750X - IOS 15.2(4)E7
Cisco WS-3650 - IOS 16.3.7
Deployment details:
ISE 2.4.0.357, Patch 1,2,3,4,5
AnyConnect module v.4.7.00136
Windows 7, 10.
The use case works perfectly with the 3650 switch, IOS 16.3.7, on Win7 and Win10.
But if we try to use the 3750X with IOS 15.2(4)E7, we have problems only with Win10, while Win7 works correctly.
01-29-2019 01:57 AM - edited 01-29-2019 02:04 AM
Is the 3750X configured with the ip device tracking command?
Have you tested the same Windows PC working fine on one switch and not working on the different switch?
You can check the Windows server log.
01-29-2019 04:05 AM - edited 01-29-2019 04:06 AM
No, the 3750X isn't configured with the ip device-tracking command. But I think that it shouldn't be the main problem, because the switch can authorize and authenticate Win7.
And there is no way to test working Win10 workstations on the same switch because of separate locations.
01-29-2019 04:06 AM
Can you share the switch config, please?
09-26-2019 07:48 AM
Do you know of an issue with ip device tracking being configured?
01-29-2019 04:09 AM
Sounds like you're looking at an IOS/OS issue here.
You could try another code, but this doesn't seem to be related to ISE.
01-29-2019 04:11 AM
Yes, could be, as the gentleman is on:
Cisco WS-3750X - IOS 15.2(4)E7
Cisco WS-3650 - IOS 16.3.7
01-29-2019 04:15 AM
01-29-2019 04:17 AM - edited 01-29-2019 04:18 AM
Check this Cisco ISE 2.4 switch matrix/compatibility table:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/compatibility/b_ise_sdt_24.html
01-29-2019 04:22 AM
When you mention failing, are these all Win10 clients or a single one?
If these are Win10 clients, are they all hanging off the same switch?
01-29-2019 04:23 AM
@ldanny I asked a similar question and the answer was
"And there is no way to test working Win10 workstations on the same switch because of separate locations."
01-29-2019 04:34 AM - edited 01-29-2019 04:35 AM
If Win7 works just fine, then this could just be OS behavior and not ISE, but just relying on one Win10 workstation will obviously not suffice. Not much to go on with just testing one endpoint on a specific switch.
You could try to run a sniffer to see if you find anything interesting.
01-29-2019 04:57 AM
01-29-2019 05:02 AM
Are you using NAM or the native supplicant for dot1x?
Could you send a sniffer?
01-29-2019 05:47 AM
Using Dot1x authentication using certificates (User + Machine) EAP-FAST and Posture assessment,
if you see the first post :)