ISE 2.4 Default policy set gets hits but there is no authentication running.

davoodccnp
Level 1

I have a question about ISE policy sets hits.

I built a lab in our LAN with one ISE 2.4 standalone and one Cisco 3560E as NAD and ran some MAB tests.
There is a core switch between the 3560E and ISE, and the 3560E uses a trunk uplink. On ISE I only created one policy set, with a wired MAB condition.

After testing, the endpoints were removed from the 3560E, but I observed that the Default policy set hit count keeps increasing slowly.

I don't understand why this happens; the only possible reasons I know of are profiling and device tracking. Any idea?

1 Accepted Solution

Accepted Solutions

paul
Level 10

If you are doing RADIUS keep-alive checks on the switch and haven't built a policy set to capture that, you are probably seeing that. The live logs should tell you what is hitting the default policy set. I usually set the default policy set to Deny Access because I don't want anything allowed on via the default policy set. Honestly, I wish Cisco would get rid of it, as we have to disable it on every install.


10 Replies

Surendra
Cisco Employee

Have you removed accounting as well from your network devices?

ISE evaluates the policy sets for accounting requests as well, so that the RADIUS probe can work. I suspect that this could increase the number of hit counts. On the other hand, ISE is slow to update the hit counters. Maybe they were still increasing for the tests that you had done previously?
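To make the two explanations above concrete (keep-alive probes and accounting requests counting against the Default policy set without any authentication rule being hit), here is a small added model of ISE's first-match policy-set evaluation. It is illustrative code written for this thread, not ISE's implementation; the RADIUS attribute sets are constructed samples and the Wired_MAB condition is ISE's built-in definition (NAS-Port-Type = Ethernet AND Service-Type = Call Check).

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class RadiusRequest:
    kind: str              # "Access-Request" or "Accounting-Request"
    attrs: Dict[str, str]


@dataclass
class PolicySet:
    name: str
    condition: Callable[[Dict[str, str]], bool]
    deny_access: bool = False   # models choosing "Deny Access" as the allowed protocols


def wired_mab(attrs: Dict[str, str]) -> bool:
    """ISE's built-in Wired_MAB condition."""
    return attrs.get("NAS-Port-Type") == "Ethernet" and attrs.get("Service-Type") == "Call Check"


class PolicyEngine:
    """Toy model: the first policy set whose condition matches wins; Default catches the rest."""

    def __init__(self, sets: List[PolicySet], default_deny: bool = False):
        self.sets = sets + [PolicySet("Default", lambda a: True, deny_access=default_deny)]
        self.set_hits = {ps.name: 0 for ps in self.sets}     # the counter shown on the Policy Sets page
        self.authn_hits = {ps.name: 0 for ps in self.sets}   # hits on the authentication rule inside a set

    def handle(self, req: RadiusRequest) -> Tuple[str, str]:
        ps = next(p for p in self.sets if p.condition(req.attrs))
        self.set_hits[ps.name] += 1                # counted for every request, accounting included
        if req.kind == "Accounting-Request":
            return ps.name, "Accounting-Response"  # no authentication rule runs for accounting
        if ps.deny_access:
            return ps.name, "Access-Reject"        # rejected before any rule in the set is evaluated
        self.authn_hits[ps.name] += 1
        return ps.name, "Access-Accept"


# Constructed sample traffic (attribute sets are illustrative, not captured from a switch).
MAB_AUTH = RadiusRequest("Access-Request", {"NAS-Port-Type": "Ethernet", "Service-Type": "Call Check",
                                            "Calling-Station-ID": "00-11-22-33-44-55"})
MAB_ACCT = RadiusRequest("Accounting-Request", {"NAS-Port-Type": "Ethernet", "Acct-Status-Type": "Stop"})
KEEPALIVE = RadiusRequest("Access-Request", {"User-Name": "radius-test"})   # switch keep-alive probe


def simulate(default_deny: bool) -> PolicyEngine:
    engine = PolicyEngine([PolicySet("Wired MAB", wired_mab)], default_deny)
    for req in (MAB_AUTH, MAB_ACCT, KEEPALIVE):
        engine.handle(req)
    return engine
```

Running `simulate(False)` shows the Default set counter at 2 (accounting plus probe) while the Wired MAB set sees only the real MAB authentication; with `simulate(True)` the probe is rejected and the Default set's authentication rule is never hit, which is the behaviour the Deny Access recommendation produces.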

Dustin Anderson
VIP Alumni

Hard to say without seeing configs, but it almost looks like it's trying dot1x, and since that isn't there, it hits the default. You can also check the default network access protocols and make sure Process Host Lookup is selected, as that is MAB. If it's unchecked, MAB isn't allowed.

thomas.gfeller
Level 1

Hi

Same problem here, but with wireless. Clients on the corporate SSID get authenticated by the right policy set for dot1x, but the counter on the Default policy set is increasing. Inside the Default policy set there are no hits on the AuthZ or AuthC policy.

@davoodccnp Could you resolve this issue?

Regards

Thomas

I would recommend a TAC case.

Hi @thomas.gfeller

Did you find anything about your issue?

I have the same problem with my default policies: hits on policy sets are increasing but 0 hits on authentication and authorization rules, and nothing in the live logs either.

Marie

Hi Marie

No solution yet. Cisco TAC Case is still open.

Regards

Thomas

Same issue here. Any news on the TAC case?

Hi

Still no solution for this problem.

Regards

Thomas

Hi

The case is still open. The problem still exists.

Regards

Thomas