ISE causes infinite login on Windows 10

guizerabc
Level 1

I have been having issues with ISE on my LAN; I will try to give as many details as I can.

The main issue is an infinite login on Windows 10 for every user, but if I remove all the authentication config from the switch then it logs in just fine.

The desired configuration on the ports is:

switchport mode access
switchport block unicast
switchport voice vlan 3
load-interval 30
authentication event fail action next-method
authentication event server dead action reinitialize vlan 5
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 8
storm-control broadcast level bps 20m
spanning-tree portfast
spanning-tree bpduguard enable


If I remove all the "authentication + dot1x" configs on the switch, the login goes fine.

The logs on ISE, when we attempt to log in with the desired configuration, pretty much say that the authentication was successful. We already opened all the ACLs.

After attempting to log in it creates an "Unknown account" profile locally on the workstation.

Accepted Solution

guizerabc
Level 1

Can you walk me through how to disable those posture modules? This is how it looks right now.


Update: I had disabled the Posture Policy under Policy > Posture

and also at the Client Provisioning Policy.


Both are disabled and it is still the same issue. About to look at the logs right now.


22 Replies

balaji.bandi
Hall of Fame

It is hard to tell what went wrong.

How is your Windows 10 configured? Does it have a certificate?

You do not have an access VLAN for data; are you using the default VLAN 1 here for data?

Why do you need switchport block unicast (is this a requirement)?

Check the connected port information while authentication is taking time:

show access-session interface gigabitEthernet 1/0/1 details 

There is a big guide to troubleshoot the Windows 10 PC, switch, and ISE side:

https://community.cisco.com/t5/security-knowledge-base/how-to-troubleshoot-ise-failed-authentications-amp/ta-p/3630960#toc-hId-737186778

Check the deployment guide:

https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515


BB


guizerabc
Level 1

Yes, Windows 10 has certificates; ISE is supposed to assign the correct VLAN (in my case VLAN 5).

Block unicast is a requirement.

The dot1x authentication shows as Authc Success.

It seems like the authentication process goes fine; I have no clue why it can't log in.

Note: it's also going to the correct VLAN (5); it shows in the Server Policies portion.

guizerabc
Level 1

Output from show authent sess inter .... I covered some info on purpose and the VLAN 55 is correct.


@guizerabc The output looks OK, except for the short lifetimes, but I don't expect them to cause a problem with logging into Windows.

Do you mean the problem is that despite successful authentication to the network via ISE the user can never actually log in to Windows?

What is the supplicant configuration on Windows 10? I assume it's deployed via GPO?

That is correct; despite successful authentication, it can't log in... It stays at the "Welcome" sign spinning forever. Yes, the supplicant configuration on Win 10 is deployed via GPO; I'm not sure of the exact configuration but I can check. Is there anything specific about how that has to be?

@guizerabc Under normal circumstances I would not expect a problem logging into Windows. Check the Windows event logs at the time of logging into the device for some clues.

Are you performing machine authentication and/or user authentication?


I will check the logs right now. It's set to authenticate via User OR Computer.

Can you confirm the below:

ISE is supposed to assign the correct VLAN (in my case VLAN 5)

vs.

I covered some info on purpose and the VLAN 55 is correct.

Can you also post the profile settings from ISE?

What is the ISE version?

What switch model and IOS code are running?

What AD server?


BB


Is the dACL permissive enough? Have you done a

show ip access-list XXXXX

on the string that is shown after the ACL ACL?


guizerabc
Level 1

@Rob Ingram 

Found the error in the log.

Error: Failed to get the user token; The system could not find the environment option that was entered.

Error: Couldn't retrieve user directory path.

Warning: Failed to get any user session after enumerating all sessions.

@guizerabc


@guizerabc wrote:

Error: Couldn't retrieve user directory path.


Do you have a GPO that sets a user directory path that is a network location? Perhaps this is unreachable because the computer does not get the correct IP address or the DACL prevents access, and this has a knock-on effect stalling the login process?

Sorry, that was because I was trying with an ADM account. Yes, we have a GPO that sets that. Now I have tried with a regular user account and the errors are "Failed to find an active session..." / "Failed to find session after enumerating each session..."

and a "Warning: Failed to obtain loggedin user Info, aborting discovery..."

(I left the computer trying to log in for 10 min to collect the logs)


Update.

At 16:05 I tried to log in.

16:05: we had "Failed to find an active session..." + "Failed to find session after enumerating each session..." and a "Warning: Failed to obtain loggedin user Info, aborting discovery..."

16:07: the errors about the path and "Failed to get user token" appear.

First, happy new year.

Second, you use multi-auth and then you use dead server event 'reinitialize vlan 5'. I think this is wrong; you need to change it to 'authorize vlan 5'.

Do this and monitor the auth/authz.

MHM

guizerabc
Level 1

Happy new year!!! 

I did change reinitialize to authorize; it didn't work =/

Error: Failed to find an active session...

Error: Failed to find session after enumerating each session...

Warning: Failed to obtain loggedin user info, aborting discovery...
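Added example, not from this thread or from Cisco: a small Python checker that applies the two configuration observations raised above (balaji.bandi's missing data VLAN and MHM's server-dead action under multi-auth) to the port configuration quoted in the original post, plus a helper that applies MHM's proposed change so the corresponding finding clears. The function names and finding wording are my own, and the rules only encode what the replies suggest, not a verdict on the root cause.

```python
import re
# Constructed sample: the access-port configuration quoted in the original post.
PORT_CONFIG = """
switchport mode access
switchport block unicast
switchport voice vlan 3
load-interval 30
authentication event fail action next-method
authentication event server dead action reinitialize vlan 5
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 8
storm-control broadcast level bps 20m
spanning-tree portfast
spanning-tree bpduguard enable
"""

def parse_port_config(text):
    """Split an interface configuration into stripped, non-empty lines."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]

def review_port_config(text):
    """Run the checks raised in the thread and return the findings as strings."""
    lines = parse_port_config(text)
    has = lambda prefix: any(ln.startswith(prefix) for ln in lines)
    findings = []
    # balaji.bandi's point: with no 'switchport access vlan', data traffic sits in VLAN 1 until ISE assigns one.
    if not has("switchport access vlan"):
        findings.append("no 'switchport access vlan': data VLAN defaults to 1 until ISE assigns one")
    # MHM's point: under multi-auth the server-dead action should be 'authorize vlan N', not 'reinitialize vlan N'.
    dead = next((ln for ln in lines if ln.startswith("authentication event server dead action")), "")
    if "reinitialize" in dead and has("authentication host-mode multi-auth"):
        findings.append("server-dead action is 'reinitialize' under multi-auth; thread suggests 'authorize'")
    # Consistency check: 'mab' in the authentication order needs 'mab' enabled on the port.
    order = next((ln for ln in lines if ln.startswith("authentication order")), "")
    if "mab" in order.split() and not has("mab"):
        findings.append("'mab' is in the authentication order but MAB is not enabled on the port")
    return findings

def apply_dead_server_authorize(text):
    """Rewrite 'reinitialize vlan N' to 'authorize vlan N', the change MHM proposed."""
    return re.sub(r"(server dead action )reinitialize( vlan \d+)", r"\1authorize\2", text)
```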