ISE Deployment Issues

NETAD, Level 4

Hello, I'm working on an ISE deployment and I have a couple of issues that I'm encountering. Maybe someone has seen similar issues before.

 

1-All of a sudden, certain Windows machines stop doing dot1x and revert to MAB until a GPO update is forced, or sometimes until dot1x is removed from the port and put back.

 

2-Remote desktop only works with machine authorization after the user logs in. I've seen that the only way to get user authorization after remoting in is by using the AnyConnect NAM module. Is that accurate, or is there a way to get this working right?

 

3-ISE is profiling the Cisco 3800 APs as Cisco Access Points only and not as a specific model. Is that OK?

 

We're on ISE 2.2 patch 4 with all Win10 PCs.


Thanks 

2 Accepted Solutions

paul, Level 10

For #1 it sounds like there is an issue with your GPO setup.  You shouldn't see devices revert back to MAB (unless they are in hibernation or rebooting).

 

For #3 that is normal because the CDP attributes are wrong in the Cisco profile for the 2802i APs. Look at the CDP attributes retrieved for the AP and compare them to the Cisco profile. You will see the error. You can modify the Cisco profiles if you want to. In most cases, you don't really care about the specific model of AP outside of asset tracking.

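The fallback paul describes for #1 (a machine that passed dot1x and later passes MAB on the same switch port) can be spotted from the authentication records. This is an added example, not code from the thread or from Cisco: it runs over constructed, simplified records rather than ISE's native log format, and a hit can also be the legitimate reboot or hibernation case paul mentions, so it is a list of endpoints to look at, not proof of a GPO problem.

```python
"""Flag endpoints that fell back from 802.1X to MAB on the same port.

Added example. The records below are constructed and simplified
(timestamp,mac,nas_port,auth_method,result); they are not ISE's log format.
"""
from datetime import datetime

# Constructed sample records, not taken from a real deployment.
SAMPLE_LOG = """\
2018-03-01T08:00:05,00:11:22:33:44:55,Gi1/0/7,dot1x,PASS
2018-03-01T08:01:10,00:11:22:33:44:66,Gi1/0/8,dot1x,PASS
2018-03-01T09:15:42,00:11:22:33:44:55,Gi1/0/7,mab,PASS
2018-03-01T09:20:00,00:11:22:33:44:77,Gi1/0/9,mab,PASS
2018-03-01T10:02:13,00:11:22:33:44:55,Gi1/0/7,dot1x,PASS
"""


def parse(text):
    """Turn the CSV-style lines into (time, mac, port, method, result) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mac, port, method, result = line.split(",")
        records.append((datetime.fromisoformat(ts), mac.lower(), port, method.lower(), result))
    return records


def find_dot1x_to_mab(records):
    """Return (mac, port, last_dot1x_time, mab_time) for each endpoint that
    passed 802.1X on a port and later passed MAB on that same port.
    Devices that only ever do MAB (printers, phones) are not reported."""
    last_dot1x = {}
    events = []
    for ts, mac, port, method, result in sorted(records):
        if result != "PASS":
            continue
        key = (mac, port)
        if method == "dot1x":
            last_dot1x[key] = ts
        elif method == "mab" and key in last_dot1x:
            events.append((mac, port, last_dot1x[key], ts))
    return events


if __name__ == "__main__":
    for mac, port, t1, t2 in find_dot1x_to_mab(parse(SAMPLE_LOG)):
        print(f"{mac} on {port}: dot1x at {t1:%H:%M:%S}, MAB at {t2:%H:%M:%S} ({t2 - t1} later)")
```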

Jason Kunst, Cisco Employee

To help us all out in the future, please don't post a list of questions that are unrelated to each other. This doesn't help those answering, and in the future it won't help those researching the same issues. It's best to search for each issue and then post an appropriate subject and message when you don't find what you need. A couple of these already have answers in the community as well. A Google search works well first, and then if you don't find something, search the community directly.

 

 

If you have follow-up questions, it would be nice to split those into a new thread to keep things clean and on-point.

 

@paul did a great job summarizing some of these and I am going to add onto that.

 

1-All of a sudden, certain Windows machines stop doing dot1x and revert to MAB until a GPO update is forced, or sometimes until dot1x is removed from the port and put back.

PAUL > For #1 it sounds like there is an issue with your GPO setup. You shouldn't see devices revert back to MAB (unless they are in hibernation or rebooting).

 

2-Remote desktop only works with machine authorization after the user logs in. I've seen that the only way to get user authorization after remoting in is by using the AnyConnect NAM module. Is that accurate, or is there a way to get this working right?

JAK > Correct, NAM is a stable way to do this. This is not an ISE question but an AnyConnect question or a general Windows one.

https://community.cisco.com/t5/vpn-and-anyconnect/remote-desktop-to-dot1x-authenticated-machine-throws-internal/td-p/3471895

https://community.cisco.com/t5/policy-and-access/dot1x-and-remote-desktop-connections/td-p/403708

 

3-ISE is profiling the Cisco 3800 APs as Cisco Access Points only and not as a specific model. Is that OK?

PAUL > For #3 that is normal because the CDP attributes are wrong in the Cisco profile for the 2802i APs. Look at the CDP attributes retrieved for the AP and compare them to the Cisco profile. You will see the error. You can modify the Cisco profiles if you want to. In most cases, you don't really care about the specific model of AP outside of asset tracking.

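The comparison paul and Jason recommend for #3 (endpoint CDP attributes versus the profile's conditions), as an added example that is not part of this thread and is not ISE's profiler: a simplified model of attribute conditions with certainty factors and parent/child profiles. The profile names, condition strings, certainty values and the CDP platform string are all constructed to show how a wrong condition in the child profile leaves the AP sitting at the generic parent.

```python
"""Simplified profiler check: which conditions match an endpoint's attributes.

Added example. PROFILES and ENDPOINT are constructed for illustration; they
are not ISE's built-in profile definitions or real collected attributes.
"""
import re

# profile -> parent, minimum certainty to be chosen, and
# (attribute, operator, value, certainty_factor) conditions.
PROFILES = {
    "Cisco-Access-Point": {
        "parent": "Cisco-Device", "min_cf": 20,
        "conditions": [("cdpCachePlatform", "CONTAINS", "cisco AIR-", 20)],
    },
    "Cisco-AIR-AP3800": {
        "parent": "Cisco-Access-Point", "min_cf": 30,
        # Hypothetical wrong condition: expects a string this AP never sends.
        "conditions": [("cdpCachePlatform", "CONTAINS", "AIR-AP2802I", 30)],
    },
}

# Constructed CDP attributes, as collected from the access switch.
ENDPOINT = {"cdpCachePlatform": "cisco AIR-AP3802I-B-K9", "cdpCacheCapabilities": "T;"}

OPERATORS = {
    "EQUALS": lambda attr, val: attr == val,
    "CONTAINS": lambda attr, val: val in attr,
    "MATCHES": lambda attr, val: re.search(val, attr) is not None,
}


def evaluate(profile, attrs):
    """Return (total certainty, [(condition, matched)]) for one profile."""
    total, details = 0, []
    for attr, op, value, cf in PROFILES[profile]["conditions"]:
        matched = attr in attrs and OPERATORS[op](attrs[attr], value)
        total += cf if matched else 0
        details.append(((attr, op, value), matched))
    return total, details


def best_profile(attrs, root="Cisco-Device"):
    """Descend from the root; stop at the deepest profile that reaches its min_cf."""
    current = root
    while True:
        hits = [n for n, p in PROFILES.items()
                if p["parent"] == current and evaluate(n, attrs)[0] >= p["min_cf"]]
        if not hits:
            return current
        current = max(hits, key=lambda n: evaluate(n, attrs)[0])


if __name__ == "__main__":
    for name in PROFILES:
        total, details = evaluate(name, ENDPOINT)
        print(name, "cf =", total, *(f"\n  {c} -> {'match' if m else 'NO MATCH'}" for c, m in details))
    print("assigned:", best_profile(ENDPOINT))
```

Printing the unmatched condition next to the collected attribute is the "compare them to the Cisco profile" step; correcting the child condition to a string the AP actually reports moves the endpoint to the specific profile.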

Thanks guys, I will double check the GPO setup and update the thread.