
ISE 2.7

balbaletabrez
Level 1

I have recently deployed Cisco ISE 2.7 in my organization.
I have configured EAP-MSCHAPv2 as the inner method and PEAP as the outer authentication method.
The authenticators are also configured with the configuration below. All authenticators are 3850 models, running IOS XE 16.6.4, 16.08.01, 03.06.06E.

We use the Windows native supplicant for endpoints. About 75 endpoints have been joined and work perfectly,
but some of them have problems while logging in,

and the switch displays the message below:
$SESSION_MGR-5-FAIL: Switch 1 R0/0: smd: authorizaiton failed or unapplied for client (PC MAC) on interface g1/0/23

Then the computer falls to the unauthorized state.

CONFIGURATION:

global configuration
--------------------
aaa group server radius RadSVR
server name ISE1
server name ISE2

ip radius source-interface vlan 5
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3

radius server ISE1
address ipv4 192.168.50.10 auth-port 1812 acct-port 1813
key $$Not2Secur3$$

radius server ISE2
address ipv4 192.168.60.10 auth-port 1812 acct-port 1813
key $$Not2Secur3$$

Dot1x pae authenticator


inter g1/0/1
switchport mode acc
switchport access vlan 1
switchport host
authentication event server dead action authorize vlan 1
authentication event server dead action authorize vlan voice
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 10

3 Replies

Hi @balbaletabrez ,

Please share the Operations > RADIUS > Live Logs > Details of the endpoints where AuthZ failed.

Is this only on certain switches? I've seen this log before when ISE returns an attribute that the switch doesn't like. Most of the time this comes down to out-of-date switch code or an incorrect authz result. What is your authentication result for these clients within ISE?

This could also be due to the client OS and the client supplicant.
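
To check whether the failures are limited to certain switches or certain clients, as asked in the replies, the failure message quoted in the original post can be tallied from collected switch syslog. This is an added example, not part of the thread; the leading hostname field is an assumption about the syslog collector's line format, and the hostnames and MAC addresses in the sample are constructed.

```python
import re
from collections import Counter

# Matches the SESSION_MGR-5-FAIL message quoted in the post. The first
# whitespace-delimited field is assumed to be the reporting switch's hostname
# (added by the syslog collector); adjust the pattern to your collector.
FAIL_RE = re.compile(
    r"^(?P<host>\S+)\s.*SESSION_MGR-5-FAIL:.*?"
    r"client \((?P<mac>[0-9A-Fa-f.:-]+)\) on interface (?P<intf>\S+)",
    re.IGNORECASE,
)

# Constructed sample lines: hostnames, ports and MAC addresses are made up.
SAMPLE_LOG = """\
sw-a %SESSION_MGR-5-FAIL: Switch 1 R0/0: smd: Authorization failed or unapplied for client (0011.2233.4455) on Interface GigabitEthernet1/0/23
sw-a %SESSION_MGR-5-FAIL: Switch 1 R0/0: smd: Authorization failed or unapplied for client (0011.2233.4455) on Interface GigabitEthernet1/0/23
sw-a %LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed state to up
sw-a %SESSION_MGR-5-FAIL: Switch 1 R0/0: smd: Authorization failed or unapplied for client (0011.2233.6677) on Interface GigabitEthernet1/0/7
sw-b %SESSION_MGR-5-FAIL: Switch 1 R0/0: smd: Authorization failed or unapplied for client (00AA.BBCC.DDEE) on Interface GigabitEthernet1/0/2
"""


def normalize_mac(mac):
    """Reduce dotted, colon or dash MAC notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_failures(log_text):
    """Return (switch, interface, mac) for every authorization failure line."""
    events = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            events.append((m["host"], m["intf"], normalize_mac(m["mac"])))
    return events


def failures_by_switch(log_text):
    """Count failures per reporting switch to see whether they cluster."""
    return Counter(host for host, _, _ in parse_failures(log_text))


def repeat_clients(log_text, threshold=2):
    """Clients failing at least `threshold` times: candidates for ISE Live Logs lookup."""
    counts = Counter(mac for _, _, mac in parse_failures(log_text))
    return {mac: n for mac, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("per switch:", dict(failures_by_switch(SAMPLE_LOG)))
    print("repeat clients:", repeat_clients(SAMPLE_LOG))
```

The MAC addresses returned by `repeat_clients` are the ones to look up under Operations > RADIUS > Live Logs in ISE to see which authorization result was returned.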