05-28-2013 06:01 AM - edited 03-10-2019 08:28 PM
Hi Guys,
I have an ISE that works fine using 802.1x, but we have a strange behavior when the client just logs off the Windows machine: after the client logs in again, the machine does not authenticate and is stuck with the message "not possible to authenticate". Then I need to take the cable off the machine and put it back again; after this everything works fine.
This happens only when using Windows logoff.
Could someone help me with it?
Thanks a lot
05-28-2013 01:26 PM
Need more detail. What config have you got on the switchport, and what authentication config have you got on the client?
05-28-2013 01:36 PM
Hi Rik,
I am using this configuration.
interface GigabitEthernet3/33
 switchport access vlan 22
 switchport mode access
 switchport voice vlan 23
 ip access-group ACL-DEFAULT in
 logging event link-status
 authentication event fail action next-method
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 10
 qos trust device cisco-phone
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy input AutoQos-4.0-Cisco-Phone-Input-Policy
 service-policy output AutoQos-4.0-Output-Policy
The clients are using the NAC Agent as the way to perform posture.
If I take the cable off and put it back again, everything works fine, but if the client logs off and after a while logs in again, the NIC card cannot be authenticated.
Thanks a lot
05-28-2013 02:22 PM
So it's MDA, which means a PC is connected behind the phone. If I'm not wrong, the CDP Enhancement for Second Port Disconnect works fine when we plug/unplug the cable, but when a user logs off it doesn't (only if we are using Cisco phones). In order to clear the sessions, the switch needs to detect link state for devices connected behind IP phones.
Are we using 802.1x or MAB on the Windows PCs?
Can we also look at the debugs when clients are unable to authenticate?
show authentication session interface
debug dot1x all
Jatin Katyal
- Do rate helpful posts -
06-05-2017 08:24 AM
Hi Jatin,
I was looking for some information on the forum and am having exactly the problem that you described in your post: users have the PC connected behind the IP phone. Some users lose authentication, and it only comes back when they plug/unplug the cable.
How did you manage to solve this problem?
Thank you.
Fernando Silva
05-28-2013 02:27 PM
And have you got Machine Authentication enabled on the Clients?
07-14-2020 11:03 PM
Hello,
Has anyone got a solution to this problem?
It's affecting almost all of my clients, regardless of whatever ISE version I'm using.
07-15-2020 06:54 AM
On Windows, when a user is logged in, the computer is in the "user state" and sends user credentials. When a user logs off, the computer switches to "machine state" and sends machine credentials. If your supplicant is configured to do machine OR user authentication, then make sure the machine is passing authentication and getting enough access to reach AD domain controllers. When you are having this issue, do a "show authentication sessions interface X details". See what it shows there. If it shows Authorized, then make sure that the ACL applied (if any) is allowing connection to domain controllers.
07-15-2020 10:12 PM
Hello,
No ACL is applied, and the supplicant is using 802.1x user authentication only.
This problem happens only when the user logs off and then back in; when they log in, the network adapter card shows an authentication failure, and the show authentication command on the switch also gives a result of authentication failed, until you unplug the computer cable and plug it in again.
This happens regardless of the switch model, supplicant Windows version and ISE version.
Please advise.
07-16-2020 07:29 AM
Since you are configured to do user authentication only, the computer cannot authenticate to the switch once the user logs out. Change your supplicant to do machine or user and, in your policies, just allow basic access for Domain Computers. That allows the computer to authenticate when the user is not logged in, so it can get GPOs and do user authentication if cached credentials aren't being used.
You can also SPAN the switchport and grab a capture of what is happening in that scenario. Sounds like you can recreate it very easily.
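To make the "show authentication sessions interface X details" check from the two replies above repeatable, here is an added example (not from the original thread or from Cisco) that parses such a session block and flags the "user-only supplicant after logoff" pattern: a non-machine identity with a failed dot1x method. The sample output is constructed and its layout is approximated from memory, so field names may differ slightly on a given IOS release.

```python
import re

# Constructed sample, approximating IOS "show authentication sessions interface
# GigabitEthernet3/33 details" for a PC whose user just logged off.
SAMPLE_AFTER_LOGOFF = """\
            Interface:  GigabitEthernet3/33
          MAC Address:  0011.2233.4455
           IP Address:  Unknown
            User-Name:  jdoe
               Status:  Authz Failed
               Domain:  DATA
       Oper host mode:  multi-domain
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
Runnable methods list:
       Method   State
       dot1x    Authc Failed
       mab      Not run
"""

# "Key:  value" lines and the per-method rows of the runnable methods list.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /-]*?):\s+(.*?)\s*$")
METHOD_RE = re.compile(r"^\s*(dot1x|mab|webauth)\s+(.+?)\s*$")


def parse_session(text):
    """Return {'fields': {...}, 'methods': {...}} for one session block."""
    fields, methods = {}, {}
    for line in text.splitlines():
        m = METHOD_RE.match(line)
        if m:
            methods[m.group(1)] = m.group(2)
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return {"fields": fields, "methods": methods}


def diagnose(session):
    """Classify the session the way the replies above suggest reading it."""
    f, meth = session["fields"], session["methods"]
    user = f.get("User-Name", "")
    # A Windows machine-state session carries the computer account
    # (host/NAME or DOMAIN\NAME$), a user-state session carries the user.
    machine = user.lower().startswith("host/") or user.endswith("$")
    authorized = f.get("Status", "").startswith("Authz Success")
    if authorized:
        return "ok-machine" if machine else "ok-user"
    if not machine and meth.get("dot1x", "").startswith("Authc Failed"):
        return "user-only-supplicant-suspected"
    return "failed-other"
```

If the result is ok-machine but clients still cannot reach the domain, the next thing to check is the ACL or VLAN the machine session was authorized into.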
07-16-2020 09:46 AM
This is very helpful and it makes a lot of sense. Let me do that, thanks.