11-16-2018 09:22 AM
Hello, I'm working on an ISE deployment and I have a couple of issues that I'm encountering. Maybe someone has seen similar issues before.
1-All of a sudden certain Windows machines stop doing dot1x and revert to MAB until a GPO update is forced, or sometimes removing dot1x from the port and putting it back.
2-Remote desktop only works with machine authorization after the user logs in. I've seen that the only way to get user authorization after remoting in is by using the AnyConnect NAM module. Is that accurate or is there a way to get this working right?
3-ISE is profiling the Cisco 3800 APs as Cisco Access Points only and not a specific model. Is that ok?
We're on ISE 2.2 patch 4 with all Win10 PCs.
Thanks
11-16-2018 09:44 AM
For #1 it sounds like there is an issue with your GPO setup. You shouldn't see devices revert back to MAB (unless they are in hibernation or rebooting).
For #3 that is normal because the CDP attributes are wrong in the Cisco profile for the 2802i APs. Look at the CDP attributes retrieved for the AP and compare them to the Cisco profile. You will see the error. You can modify the Cisco profiles if you want to. In most cases, you don't really care about the specific model of AP outside of asset tracking.
11-16-2018 10:47 AM
To help us all out in the future, please don't post a list of questions that are unrelated to each other. This doesn't help those answering, and in the future it won't help those researching the same issues. It's best to search for each issue, then post an appropriate subject and message when you don't find what you need. A couple of these already have answers in the community as well. A Google search works well first, and if you don't find something, then search the community directly.
If you have follow-up questions, it would be nice to split those into a new thread to keep things clean and on-point.
@paul did a great job summarizing some of these and I am going to add onto that.
1-All of a sudden certain Windows machines stop doing dot1x and revert to MAB until a GPO update is forced, or sometimes removing dot1x from the port and putting it back.
PAUL > For #1 it sounds like there is an issue with your GPO setup. You shouldn't see devices revert back to MAB (unless they are in hibernation or rebooting).
2-Remote desktop only works with machine authorization after the user logs in. I've seen that the only way to get user authorization after remoting in is by using the AnyConnect NAM module. Is that accurate or is there a way to get this working right?
JAK > Correct, NAM is a stable way to do this. This is not an ISE question but an AnyConnect question or general Windows.
https://community.cisco.com/t5/policy-and-access/dot1x-and-remote-desktop-connections/td-p/403708
3-ISE is profiling the Cisco 3800 APs as Cisco Access Points only and not a specific model. Is that ok?
PAUL > For #3 that is normal because the CDP attributes are wrong in the Cisco profile for the 2802i APs. Look at the CDP attributes retrieved for the AP and compare them to the Cisco profile. You will see the error. You can modify the Cisco profiles if you want to. In most cases, you don't really care about the specific model of AP outside of asset tracking.
11-16-2018 11:44 AM
Thanks guys, I will double check the GPO setup and update the thread.