cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6004
Views
0
Helpful
10
Replies

ISE 802.1x and Windows Logoff

danielnunes
Level 1
Level 1

Hi Guys,

i have a ISE works fine using 802.1x but we have a strange behavior when the client just logoff the windows machine, after the client login again, the machine does not authenticate and stuck as a message " not possible to authenticate". Then I need to take off the cable machine and put again, after this everything works fine.

This happens just using logoff windows.

could someone help me about it?

thanks a lot

10 Replies 10

Richard Atkin
Level 4
Level 4

Need more detail.. What Config have you got on the switchport and what authentication Config have you got on the Client?

Hi Rik,

I am using this configuration.

interface GigabitEthernet3/33

switchport access vlan 22

switchport mode access

switchport voice vlan 23

ip access-group ACL-DEFAULT in

logging event link-status

authentication event fail action next-method

authentication host-mode multi-domain

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

authentication violation restrict

mab

snmp trap mac-notification change added

snmp trap mac-notification change removed

dot1x pae authenticator

dot1x timeout tx-period 10

qos trust device cisco-phone

spanning-tree portfast

spanning-tree bpduguard enable

service-policy input AutoQos-4.0-Cisco-Phone-Input-Policy

service-policy output AutoQos-4.0-Output-Policy

the client are using the NAC Agent the way to perform a posture.

If i take off the cable and put again, everything works fine, but if the client try to logoff and after a time login again, the NIC Card can not be authenticated.

thanks a lot

so its MDA that means a PC is connected behind the phone. If I'm not wrong the CDP Enhancement for Second Port Disconnect working fine when we plug/unplug the cable but when a user logoff it doesn't (only if we are using cisco phones). In order to clear the sessions switch need to detect link state for devices connected behind IP phones.

Are we using 802.1x or MAB on the windows PC's?

Can we also look at the debugs when clients are unable to authenticate.

show authentication session interface

debug dot1x all

Jatin Katyal
- Do rate helpful posts -

~Jatin

Hi Jatin,

I was looking for some information on the forum and am having exactly the problem that you put in your post, users have the PC is connected behind the ip phone. Some users lose authentication, and only come back when plug/unplug the cable.

How you managed to solve this problem.

Thank you.

Fernando Silva

Richard Atkin
Level 4
Level 4

And have you got Machine Authentication enabled on the Clients?

Hello,

 

Has anyone got a solution to this problem,

 

Its affecting almost all of my clients' regardless of whatever  ise version i'm using

On Windows, when a user is logged in, the computer is in the "user state" and sends user credentials.  When a user logs off, the computer switches to "machine state" and sends machine credentials.  If your supplicant is configured to do machine OR user authentication, then make sure the machine is passing authentication and getting enough access to reach AD domain controllers.  When you are having this issue, do a "show authentication sessions interface X details".  See what it shows there.  If it shows Authorized, then make sure that the ACL applied (if any) is allowing connection to domain controllers.

Hello,

 

No ACL is applied, and the supplicant is using 802.1x user authentication only.

this problem happens only when the user logoff and then back in, when they login the network adapter card shows authentication failure and the show authentication command on the switch also gives a result of authentication failed.

until you unplug the computer cable and plug it again.

 

This happens regardless of the switch model, supplicant windows version and ise version.

 

Please advise.

Since you are configured to do user authentication only, the computer cannot authenticate to the switch once the user logs out.  Change your supplicant to do machine or user and in your policies, just allow basic access for Domain Computer.  That allows the computer to authenticate when the user is not logged in and can get GPO's and do user authentication if cached credentials aren't being used.

You can also SPAN the switchport and grab a capture of what is happening in that scenario.  Sounds like you can recreate it very easily.

This is very helpful and it makes alot of sense let me do that thanks.