10-07-2012 05:10 AM - edited 03-10-2019 07:38 PM
Hello group,
I am facing a strange problem with my ISE deployment.
In test environment I have used ISE from version 1.0 to the latest. Currenty what I have is 1.1.1 wit latest patch.
I have configured dot1x and central web authentication for WIRED guest with ISE. In the test environment I am using WS-C3750G-48PS with C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(55)SE6, RELEASE SOFTWARE (fc1) IOS.
Everything is working as expected. To give a brief,
dot1x is working perfect with active directory authentication.
if an end station is not having a dot1x capability, it will fail back to webauth.
In webauth, both guest and domain users can login, according to the identity group, domain user will have normal access and guest will have internet only access.
In any case if the dot1x is failing, the user will be redirected to webauth, then again the same authorization is given as per the user role.
All this configuration works great with the test environment. But when I move on to production, where I have the only change in the access switch, things will get weird.
I have WS-C3750E-48PD switch stacks in production. There is no ipservice image for 3750E, . There are only ipbase and univeral image for 3750E and universal is not supporting dot1x configurations in interface so I am using ipbase image. And I tried from 12.2.55(SE6) to 15.0.3-SE(ED) images and copied the configurations from my test environment to this production and things are going weird.
Sometimes I will get the webauth working. But then everything will just stop working, I wont get a redirection page to ise, nothing. If I give a switch reboot, the things will again work good for sometime then again goes for a toe. The most weird is that I won't get a clue in my ISE box, no authentication logs nothing.
Can anybody help me out.
My switch config (general ) is attached here.
10-07-2012 11:04 AM
Hi,
Can you run a debug radius authentication on the switch and compare the failed vs. success sessions. How may switches do you have in the stack? Based on your configuraiton you are using local webauth and not central webauthentication.
I would suggest moving away from local webauthentication and have seen that you can not serve as many connections since it done locally on the switch (there is a number of 16 but i can not find it.
Also are you users using IE, or are they using mozilla, have you tested the behavior between the browsers to see if one works over the other (i know the smartscreen settings in IE can cause some issues).
Thanks,
Tarik Admani
*Please rate helpful posts*
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide