ISE causes infinite login on Windows 10

guizerabc (Level 1)

I have been having issues with ISE on my LAN; I will try to give as many details as I can.

The main issue is an infinite login on Windows 10 for every user, but if I remove all the authentication config from the switch then it logs in just fine.

The desired configuration on the ports is:

switchport mode access
switchport block unicast
switchport voice vlan 3
load-interval 30
authentication event fail action next-method
authentication event server dead action reinitialize vlan 5
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 8
storm-control broadcast level bps 20m
spanning-tree portfast
spanning-tree bpduguard enable

If I remove all the "authentication" and "dot1x" configs on the switch, the login goes fine.

The logs on ISE when we attempt to log in with the desired configuration pretty much say that the authentication was successful. We already opened all the ACLs.

After attempting to log in it creates an "Unknown account" profile locally on the workstation.


Can I see the last port config?

MHM

Sure,

switchport mode access
switchport block unicast
switchport voice vlan 3
load-interval 30
duplex full
authentication event fail action next-method
authentication event server dead action authorize vlan 5
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 8
storm-control broadcast level bps 20m
spanning-tree portfast
spanning-tree bpduguard enable

There are two sessions, the auth and the accounting; the auth timeout is from the server and it is OK for me.
The accounting session timeout is so short,
so can you remove the command below?

switch(config)# aaa accounting update periodic <number>   <- or make it higher than the server reauth timeout

MHM

...
Error: Failed to find an active session...
Error: Failed to find session after enumerating each session...
Warning: Failed to obtain loggedin user info, aborting discovery...

@guizerabc These messages seem to be from the Cisco Secure Client (including AnyConnect) ISE posture module.

I would suggest disabling such posture checks for now to make the use case simpler to debug.

guizerabc (Level 1)

Can you walk me through how to disable that posture module? This is how it looks right now.

Update: I have disabled the Posture Policy under Policy > Posture, and also the Client Provisioning Policy.

Both are disabled and still the same issue. About to look at the logs right now.

[attachment: posture.JPG]

guizerabc (Level 1)

Great progress!!! I have found where the issue is.

If I "permit tcp, udp and ip any any" in Policy > Authorization > Downloadable ACLs, the infinite login is fixed!!!!

Now I need some help to get the logs from all the matches on those ACLs; I really don't know how to get that from ISE.

Once again, thank you guys so much!

@guizerabc you won't get the DACL log information from ISE; you will need to check the switch logs. You should determine what resources/networks the computers are allowed to access, then refine the DACL accordingly.
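Rob's point about the switch logs, in practice: ISE has no per-ACE hit counters for a dACL, but when the ACEs on the switch carry the `log` keyword (and the switch honours it in a downloaded ACL), IOS emits `%SEC-6-IPACCESSLOGP` syslog messages for matching TCP/UDP packets. The Python below is an added example, not code from the thread or from Cisco: it parses those messages, totals the denied flows per destination service together with the set of client addresses that hit them, and lists candidate ACEs busiest first. The syslog lines are constructed for the example; the `xACSACLx-IP-<name>-<hash>` name is the form in which the switch shows an ISE-downloaded ACL.

```python
"""Turn IOS ACL-hit syslog into a summary of what a dACL is denying.

Added example, not from the thread. The switch only emits these messages for
ACEs that carry the 'log' keyword, and it summarizes hits (first packet, then a
count per logging interval), so 'packets' is a lower bound. The sample lines at
the bottom are constructed, not captured from the poster's switch.
"""
import re
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

# %SEC-6-IPACCESSLOGP: list <acl> permitted|denied tcp|udp A(p) -> B(q), N packet(s)
_HIT = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<verdict>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<pkts>\d+) packets?"
)


class AclHit(NamedTuple):
    acl: str
    verdict: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    packets: int


def parse_acl_log(line: str) -> Optional[AclHit]:
    """One syslog line -> AclHit, or None for anything that is not an ACL-hit message."""
    m = _HIT.search(line)
    if not m:
        return None
    return AclHit(m["acl"], m["verdict"], m["proto"], m["src"], int(m["sport"]),
                  m["dst"], int(m["dport"]), int(m["pkts"]))


Key = Tuple[str, str, int]  # (proto, dst, dport) = one destination service


def summarize_denies(lines: Iterable[str]) -> Dict[Key, dict]:
    """Aggregate denied hits by destination service: packet total and distinct client sources."""
    out: Dict[Key, dict] = {}
    for line in lines:
        hit = parse_acl_log(line)
        if hit is None or hit.verdict != "denied":
            continue
        entry = out.setdefault((hit.proto, hit.dst, hit.dport), {"packets": 0, "sources": set()})
        entry["packets"] += hit.packets
        entry["sources"].add(hit.src)
    return out


def suggest_aces(summary: Dict[Key, dict]) -> List[str]:
    """Candidate ACEs, busiest service first. Each one is a review item, not a line to
    paste: a denied flow is only a dACL gap if the client is supposed to reach that service."""
    ranked = sorted(summary.items(), key=lambda kv: (-kv[1]["packets"], kv[0]))
    return [f"permit {p} any host {dst} eq {port}" for (p, dst, port), _ in ranked]


SAMPLE_SYSLOG = """\
Mar  3 10:02:11.201: %SEC-6-IPACCESSLOGP: list xACSACLx-IP-PostureUnknown-5f1a2b3c denied tcp 10.1.50.20(51002) -> 10.1.100.21(8905), 1 packet
Mar  3 10:02:12.004: %SEC-6-IPACCESSLOGP: list xACSACLx-IP-PostureUnknown-5f1a2b3c permitted tcp 10.1.50.20(51003) -> 10.1.100.10(88), 1 packet
Mar  3 10:07:11.233: %SEC-6-IPACCESSLOGP: list xACSACLx-IP-PostureUnknown-5f1a2b3c denied tcp 10.1.50.21(49876) -> 10.1.100.21(8905), 3 packets
Mar  3 10:07:40.917: %SEC-6-IPACCESSLOGP: list xACSACLx-IP-PostureUnknown-5f1a2b3c denied udp 10.1.50.20(53012) -> 10.1.100.11(53), 2 packets
Mar  3 10:08:01.110: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to up
"""  # constructed sample lines

if __name__ == "__main__":
    summary = summarize_denies(SAMPLE_SYSLOG.splitlines())
    for key, e in summary.items():
        print(key, e["packets"], "packets from", sorted(e["sources"]))
    print("\n".join(suggest_aces(summary)))
```

Feed it `show logging` output or the syslog collector's export for the access switch. Because IOS rate-limits ACL logging and logging every ACE costs CPU on an access switch, put `log` only on the ACEs you are investigating while you refine the dACL, then take it off again.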

hslai (Cisco Employee)

@guizerabc

Adding to what Rob said... Access switches can be limited in RAM, so try using fewer ACEs if possible. Some switches might allow us to append the keyword log at the end of an ACE to log the hits as debug or syslog messages from the switch.

When the client devices are in ISE posture unknown state, they need access to the Active Directory services, file services, DHCP and DNS services, and to ISE TCP ports 8905 and 8443 (or whatever configured for the ISE client provisioning portal). Below is the DACL we used in our lab:

permit udp any eq bootpc any eq bootps
permit tcp any host 10.1.100.21 eq 80
permit tcp any host 10.1.100.21 eq 443
permit tcp any host 10.1.100.21 eq 8443
permit tcp any host 10.1.100.100 eq 80
permit udp any host 10.1.100.10 eq domain
permit tcp any host 10.1.100.10 eq domain
permit tcp any host 10.1.100.10 eq 88
permit udp any host 10.1.100.10 eq 88
permit udp any host 10.1.100.10 eq ntp
permit tcp any host 10.1.100.10 eq 135
permit udp any host 10.1.100.10 eq netbios-ns
permit tcp any host 10.1.100.10 eq 139
permit tcp any host 10.1.100.10 eq 389
permit udp any host 10.1.100.10 eq 389
permit tcp any host 10.1.100.10 eq 445
permit tcp any host 10.1.100.10 eq 636
permit udp any host 10.1.100.10 eq 636
permit tcp any host 10.1.100.10 range 1024 65535
permit ip any any fragments
permit icmp any any

where 10.1.100.21 is the ISE PSN, 10.1.100.100 is the remediation server, and 10.1.100.10 is the AD domain controller.

After the client devices become ISE posture compliant, we may either provide full access or some role-based access. We usually use TrustSec Security Groups for the latter.
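A dACL like the one above is worth checking offline before it is pushed, rather than by eye. The Python below is an added example, not code from the thread or from Cisco: it parses the posted lab dACL (the subset of IOS ACE syntax it uses), runs the flows hslai lists for a posture-unknown domain member through it first-match with the switch's implicit deny at the end, and returns a verdict per flow. The domain controller and PSN addresses are the ones in the post; the client address 10.1.50.20 and the ephemeral source port are constructed. Run as written it reports that the posted dACL permits 8443 to the PSN but not TCP 8905, which the post lists as required, and it treats `permit ip any any fragments` the way IOS does, as matching non-initial fragments only, so that line does not let a normal connection through.

```python
"""Offline first-match evaluator for an ISE downloadable ACL (dACL) in IOS syntax.
Added example, not from the thread. Handles the ACE subset used in the posted dACL:
permit/deny; ip/tcp/udp/icmp; 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; optional
'eq PORT' / 'range LO HI' after either address; trailing 'fragments' or 'log'."""
import ipaddress
from collections import namedtuple
from typing import List, Optional, Tuple

PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53, "ntp": 123, "netbios-ns": 137, "www": 80}
PortRange = Optional[Tuple[int, int]]  # None means any port
# 'fragments' marks an ACE that matches non-initial fragments only (IOS semantics)
ACE = namedtuple("ACE", "action proto src sport dst dport fragments")
Flow = namedtuple("Flow", "proto src sport dst dport")
_port = lambda tok: int(tok) if tok.isdigit() else PORT_NAMES[tok]  # IOS port keyword or number


def _addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network((t[i], t[i + 1])), i + 2  # address + IOS wildcard mask


def _ports(t: List[str], i: int) -> Tuple[PortRange, int]:
    if i < len(t) and t[i] == "eq":
        return (_port(t[i + 1]),) * 2, i + 2
    if i < len(t) and t[i] == "range":
        return (_port(t[i + 1]), _port(t[i + 2])), i + 3
    return None, i


def parse_ace(line: str) -> ACE:
    t = line.split()
    src, i = _addr(t, 2)
    sport, i = _ports(t, i)
    dst, i = _addr(t, i)
    dport, i = _ports(t, i)
    return ACE(t[0], t[1], src, sport, dst, dport, "fragments" in t[i:])


def parse_dacl(text: str) -> List[ACE]:
    return [parse_ace(l) for l in text.splitlines() if l.strip()]


def matches(ace: ACE, f: Flow) -> bool:
    if ace.fragments or ace.proto not in ("ip", f.proto):
        return False  # we evaluate initial packets, which never match a 'fragments' ACE
    if ipaddress.ip_address(f.src) not in ace.src or ipaddress.ip_address(f.dst) not in ace.dst:
        return False
    in_range = lambda r, p: r is None or r[0] <= p <= r[1]
    return in_range(ace.sport, f.sport) and in_range(ace.dport, f.dport)


def evaluate(acl: List[ACE], f: Flow) -> str:
    for ace in acl:
        if matches(ace, f):
            return ace.action
    return "deny"  # the implicit 'deny ip any any' at the end of every IOS ACL


def check_required(dacl_text: str, client: str, dc: str, psn: str) -> dict:
    """Verdict for each flow a posture-unknown domain member needs (the services named above)."""
    acl, eph = parse_dacl(dacl_text), 50000  # constructed ephemeral source port
    flows = {
        "dhcp": Flow("udp", "0.0.0.0", 68, "255.255.255.255", 67),
        "dns-udp": Flow("udp", client, eph, dc, 53),
        "kerberos-tcp": Flow("tcp", client, eph, dc, 88),
        "ldap": Flow("tcp", client, eph, dc, 389),
        "rpc-epm": Flow("tcp", client, eph, dc, 135),
        "rpc-dynamic": Flow("tcp", client, eph, dc, 49152),
        "smb": Flow("tcp", client, eph, dc, 445),
        "ise-portal-8443": Flow("tcp", client, eph, psn, 8443),
        "ise-posture-8905": Flow("tcp", client, eph, psn, 8905),
    }
    return {name: evaluate(acl, f) for name, f in flows.items()}


LAB_DACL = """\
permit udp any eq bootpc any eq bootps
permit tcp any host 10.1.100.21 eq 80
permit tcp any host 10.1.100.21 eq 443
permit tcp any host 10.1.100.21 eq 8443
permit tcp any host 10.1.100.100 eq 80
permit udp any host 10.1.100.10 eq domain
permit tcp any host 10.1.100.10 eq domain
permit tcp any host 10.1.100.10 eq 88
permit udp any host 10.1.100.10 eq 88
permit udp any host 10.1.100.10 eq ntp
permit tcp any host 10.1.100.10 eq 135
permit udp any host 10.1.100.10 eq netbios-ns
permit tcp any host 10.1.100.10 eq 139
permit tcp any host 10.1.100.10 eq 389
permit udp any host 10.1.100.10 eq 389
permit tcp any host 10.1.100.10 eq 445
permit tcp any host 10.1.100.10 eq 636
permit udp any host 10.1.100.10 eq 636
permit tcp any host 10.1.100.10 range 1024 65535
permit ip any any fragments
permit icmp any any
"""  # the lab dACL posted above, verbatim

if __name__ == "__main__":
    print(check_required(LAB_DACL, "10.1.50.20", "10.1.100.10", "10.1.100.21"))
```

Extend the `flows` table with whatever else your domain members need at logon (for example the file server for roaming profiles or GPO-mapped drives) and run it against each revision of the dACL; a `deny` on one of those flows is exactly the condition that produced the temporary profile in this thread.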