ISE Failures - MAB instead of 802.1x

adam85491, Level 1

Hello,


I've been struggling with an issue in our ISE deployment for months. Basically, we are trying to restrict wired network access for computers by looking for 802.1x and then authorizing if the CA issuer for the machine cert is our internal CA.


Here's what the Authentication Policy looks like:


802.1x: if Wired_802.1X & Allowed Protocols (EAP-TLS) & Default: Use 8021x_Seq


Authorization Policy:


Domain Computer: If 'Any' and EAP_TLS_CA_Issuer (our CA) then PERMIT_ALL_PROFILE


I've uploaded images of these policies as well.


What is happening is that, randomly, Win7 and Win10 clients are not using dot1x authentication (which would use their PC name as the username) and instead are using their MAC address as the username and matching the MAB rule (which will fail). These PCs tend to do this in the morning and after a half hour or so, they start working again. I've noticed successful authentication, then the user shuts down or reboots and there are failures overnight and into the next business day. I've attached a copy of an authentication where you can see it bounce between MAB and dot1x.


What can be causing this? The interface config is below:


switchport
switchport trunk allowed vlan 1
switchport mode access
switchport access vlan xxx
switchport voice vlan yyy
authentication control-direction in
authentication event fail action next-method
authentication event server dead action authorize vlan xxx
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 7
storm-control broadcast level 0.50
storm-control multicast level 0.50
spanning-tree portfast edge


This is a 6880 switch running 15.2.1.SY5.


I'm only starting to get familiar with ISE, so this could be an incorrect config on the ISE or switch side, but we have 1000+ endpoints and only see this happening to a few people per week. It seems random and I haven't found anything in common as far as Windows versions go. It's affected HP desktops and laptops, but I haven't yet kept track of NIC driver versions to see if maybe something is going on there.


TAC has had me check the adapter settings in Windows, the GPOs, and that there is a valid certificate on the machine. Each time I do so, everything looks normal. We've gotten packet captures, but only of successful authentication. Our local resource has to reboot the PC to get a full capture, and by the time we do this, the reboot seems to have fixed the issue (it doesn't always; usually the user reboots a few times before we get our resource to them and the issue persists... just bad luck it seems on our end).

I may not have included all of the information needed to solve this. Please let me know if I need to add more. I'm searching everywhere and see suggestions like missing hotfixes for Win7 or machine password timeouts, but not sure that's my answer at this time.


I'd appreciate any help on this.


Adam
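To make the "bounce between MAB and dot1x" visible across many endpoints instead of one attached log, here is an added example (not from the original post or from Cisco) that parses constructed RADIUS authentication events and flags endpoints that failed MAB with their MAC as the username and then passed 802.1X shortly afterwards. The log field layout and the MAC addresses are assumptions; the fallback-time helper uses the post's tx-period of 7 and assumes the IOS default max-reauth-req of 2.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ISE RADIUS authentication events; field layout is assumed, not ISE's native format.
SAMPLE_EVENTS = """\
2019-03-04T06:02:10 user=00-11-22-33-44-55 mac=00:11:22:33:44:55 method=MAB status=FAILED
2019-03-04T06:03:15 user=00-11-22-33-44-55 mac=00:11:22:33:44:55 method=MAB status=FAILED
2019-03-04T06:41:02 user=host/PC-0123.corp.example mac=00:11:22:33:44:55 method=EAP-TLS status=PASSED
2019-03-04T07:10:44 user=host/PC-0456.corp.example mac=aa:bb:cc:dd:ee:01 method=EAP-TLS status=PASSED
2019-03-04T07:30:00 user=host/PC-0456.corp.example mac=aa:bb:cc:dd:ee:01 method=EAP-TLS status=PASSED
"""
LINE_RE = re.compile(r"^(\S+) user=(\S+) mac=(\S+) method=(\S+) status=(\S+)$")

def mab_fallback_seconds(tx_period=7, max_reauth_req=2):
    """Seconds the switch waits for an EAPOL reply before falling back to MAB
    (IOS: tx-period * (max-reauth-req + 1); the max-reauth-req default of 2 is assumed)."""
    return tx_period * (max_reauth_req + 1)

def parse_events(text):
    """Parse the constructed log lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, mac, method, status = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "user": user,
                           "mac": mac.lower(), "method": method, "status": status})
    return events

def find_flapping_endpoints(events, window=timedelta(hours=2)):
    """Return {mac: (first_mab_fail, first_later_dot1x_pass)} for endpoints whose
    supplicant went silent (MAB attempted with the MAC as username, FAILED) and then
    authenticated via 802.1X within `window`, i.e. the bounce described in the post."""
    by_mac = defaultdict(list)
    for e in events:
        by_mac[e["mac"]].append(e)
    flapping = {}
    for mac, evs in by_mac.items():
        evs.sort(key=lambda e: e["ts"])
        mab_fail = next((e for e in evs if e["method"] == "MAB" and e["status"] == "FAILED"), None)
        if mab_fail is None:
            continue
        dot1x_pass = next((e for e in evs if e["method"] != "MAB" and e["status"] == "PASSED"
                           and timedelta(0) < e["ts"] - mab_fail["ts"] <= window), None)
        if dot1x_pass is not None:
            flapping[mac] = (mab_fail["ts"], dot1x_pass["ts"])
    return flapping

if __name__ == "__main__":
    print(f"switch falls back to MAB after {mab_fallback_seconds()} s without an EAPOL reply")
    for mac, (fail_at, pass_at) in find_flapping_endpoints(parse_events(SAMPLE_EVENTS)).items():
        print(f"{mac}: MAB failed {fail_at}, 802.1X passed {pass_at}")
```

Endpoints the report lists are the ones whose supplicant did not answer EAPOL within the fallback window, which is where NIC power settings, drivers and machine-certificate checks should be focused.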

15 Replies

Hi, I suggest disabling wake on LAN if you're not using it; actually, disable all the power options on the NIC. It seems like there's an issue with 802.1x and the power feature on Windows machines.

I have disabled this for the entire company (your windows admins can do this via gpo/sccm)

From the Device Manager, right-click on the NIC and disable power options (all of them, not just wake on LAN). This saved me a lot of pain.
