cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1412
Views
5
Helpful
3
Replies

ISE 2.7

balbaletabrez
Level 1
Level 1

I have recently deployed Cisco ISE 2.7 in my organization.
I have configured EAP-MSchapv2 as inner method and PEAP as outer authentication method.
Authenticators are also configured with below configuration. All authenticators are from 3850 model, having IOS XE 16.6.4, 16.08.01, 03.06.06E.

 

We use windows native supplicant for endpoints. about 75 endpoints have been joined and work perfectly.
but some of them have problems while logging.

and the switch display below message
$SESSION_MGR-5-FAIL: Switch 1 R0/0: smd: authorizaiton failed or unapplied for client (PC MAC) on interface g1/0/23

then the computer fall to unauthorized state.

 

 

 

CONFIGURATION:

 

global configuration
--------------------
aaa group server radius RadSVR
server name ISE1
server name ISE2

ip radius source-interface vlan 5
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3

radius server ISE1
address ipv4 192.168.50.10 auth-port 1812 acct-port 1813
key $$Not2Secur3$$

radius server ISE2
address ipv4 192.168.60.10 auth-port 1812 acct-port 1813
key $$Not2Secur3$$

Dot1x pea authenticator


inter g1/0/1
switchport mode acc
switchport access vlan 1
switchport host
authentication event server dead action authorize vlan 1
authentication event server dead action authorize vlan voice
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pea authenticator
dot1x timeout tx-period 10

3 Replies 3

Hi @balbaletabrez ,

 please share the Operations > RADIUS > Live Logs > Details, of the Endpoints that AuthZ failed.

 

 

 Is this only on certain switches?  I've seen this log before when ISE returns an attribute that the switch doesn't like.  Most of the time this comes down to out of date switch code or an incorrect authz result.  What is your authentication result for these clients within ISE?  

This could also be due to the client OS and the client supplicant.