
ISE Failures - MAB instead of 802.1x

adam85491
Level 1

Hello,


I've been struggling with an issue in our ISE deployment for months. Basically, we are trying to restrict wired network access for computers by looking for 802.1x and then authorizing if the CA issuer for the machine cert is our internal CA.


Here's what the Authentication Policy looks like:


802.1x: if Wired_802.1X & Allowed Protocols (EAP-TLS) & Default: Use 8021x_Seq


Authorization Policy:


Domain Computer: If 'Any' and EAP_TLS_CA_Issuer (our CA) then PERMIT_ALL_PROFILE


I've uploaded images of these policies as well.


What is happening is that, randomly, Win7 and Win10 clients are not using dot1x authentication (which would use their PC name as the username) and are instead using their MAC address as the username and matching the MAB rule (which will fail). These PCs tend to do this in the morning, and after half an hour or so they start working again. I've noticed successful authentication, then the user shuts down or reboots and there are failures overnight and into the next business day. I've attached a copy of an authentication where you can see it bounce between MAB and dot1x.


What can be causing this? The interface config is below:


switchport
switchport trunk allowed vlan 1
switchport mode access
switchport access vlan xxx
switchport voice vlan yyy
authentication control-direction in
authentication event fail action next-method
authentication event server dead action authorize vlan xxx
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 7
storm-control broadcast level 0.50
storm-control multicast level 0.50
spanning-tree portfast edge


This is a 6880 switch running 15.2.1.SY5.


I'm only starting to get familiar with ISE, so this could be an incorrect config on the ISE or switch side, but we have 1000+ endpoints and only see this happening to a few people per week. It seems random and I haven't found anything in common as far as Windows versions go. It has affected HP desktops and laptops, but I haven't yet kept track of NIC driver versions to see if maybe something is going on there.


TAC has me check the adapter settings in windows and for GPOs and a valid certificate on the machine. Each time I do so, everything looks normal. We've gotten packet captures but only of successful authentication. Our local resource has to reboot the PC to get a full capture and by the time we do this, the reboot seems to have fixed the issue (it doesn't always, usually the user reboots a few times before we get our resource to them and the issue persists...just bad luck it seems on our end).

I may not have included all of the information needed to solve this. Please let me know if I need to add more. I'm searching everywhere and see suggestions like missing hotfixes for Win7 or machine password timeouts, but not sure that's my answer at this time.


I'd appreciate any help on this.


Adam
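As an added illustration (not from the original post, and not an ISE or Cisco tool), here is a small Python detector that runs over constructed authentication records and flags endpoints which earlier passed 802.1X but later show up as MAB attempts with their own MAC as the username, reporting when each fallback episode began and when 802.1X resumed. The one-line-per-authentication record format, the MACs and the host names are assumptions made for the example, not ISE's native log layout.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real ISE output): <ISO ts> <calling-station MAC> <username> <protocol> <PASS|FAIL>
SAMPLE_LOG = """\
2019-03-04T07:52:10 00:11:22:33:44:55 host/PC-001.example.local EAP-TLS PASS
2019-03-04T18:30:01 00:11:22:33:44:55 00-11-22-33-44-55 MAB FAIL
2019-03-05T07:01:12 00:11:22:33:44:55 00-11-22-33-44-55 MAB FAIL
2019-03-05T07:33:40 00:11:22:33:44:55 host/PC-001.example.local EAP-TLS PASS
2019-03-04T08:10:00 aa:bb:cc:dd:ee:ff host/PC-002.example.local EAP-TLS PASS
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (PASS|FAIL)$")

def parse(log):
    """Parse the constructed format into (ts, mac, user, proto, result) tuples, oldest first."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, mac, user, proto, result = m.groups()
            records.append((datetime.fromisoformat(ts), mac.lower(), user, proto, result))
    return sorted(records, key=lambda r: r[0])

def username_is_mac(user, mac):
    """MAB presents the MAC itself as the identity; compare ignoring separator style."""
    return re.sub(r"[-:.]", "", user).lower() == mac.replace(":", "").lower()

def find_mab_fallbacks(log):
    """Map MAC -> [(fallback_start, dot1x_recovery_or_None)] for endpoints that passed
    802.1X at some point but later showed up as MAB attempts with the MAC as username."""
    by_mac = defaultdict(list)
    for rec in parse(log):
        by_mac[rec[1]].append(rec)
    findings = {}
    for mac, recs in by_mac.items():
        seen_dot1x, start, episodes = False, None, []
        for ts, _, user, proto, result in recs:
            if proto != "MAB" and result == "PASS" and not username_is_mac(user, mac):
                seen_dot1x = True
                if start is not None:   # 802.1X resumed: close the open episode
                    episodes.append((start, ts))
                    start = None
            elif proto == "MAB" and username_is_mac(user, mac) and seen_dot1x and start is None:
                start = ts              # first MAB attempt after a good dot1x session
        if start is not None:           # still stuck on MAB at the end of the log
            episodes.append((start, None))
        if episodes:
            findings[mac] = episodes
    return findings
```

Calling `find_mab_fallbacks(SAMPLE_LOG)` reports a single episode for 00:11:22:33:44:55, from the overnight MAB attempt until 802.1X resumed the next morning; PC-002, which only ever used EAP-TLS, is not reported.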

17 Replies

Hi, I suggest disabling wake on LAN if you're not using it; actually, disable all the power options on the NIC. It seems like there's an issue with 802.1x and the power feature on Windows machines.

I have disabled this for the entire company (your Windows admins can do this via GPO/SCCM).

From Device Manager, right-click on the NIC and disable the power options (all of them, not just wake on LAN). This saved me a lot of pain.



milos_p
Level 1

Hi Adam and everyone,

I am hitting exactly the same problem, very rarely, but it keeps appearing every few days.

Did anyone find a root cause for this behavior?

Is it a Windows issue or a switch/ISE issue?


Thanks,

Milos

milos_p
Level 1

Just to update, maybe someone will find it useful.

What I noticed is that the MAC address of the affected computer is going into ISE's rejected endpoints, effectively blocking it for 1h (by default) and making ISE send an ACCESS-REJECT message right away, without any kind of logging, which is exactly what I am seeing in the packet capture, with no logs in ISE. Also, the switch is not reporting 802.1x auth in "show auth sessions", which made me think initially that the computer was trying MAB auth, but actually that's not the case; it is just getting rejected and 802.1x doesn't start from the switch's perspective.

My assumption is that the client is having some auth problems due to Windows/network adapter/driver in the first place, then gets into rejected endpoints, which blocks it for an hour at least, and then even though it is trying to authenticate and sending back its 802.1x identity, it is getting rejected with an ACCESS-REJECT message, as the automatic response for rejected endpoints.

If I clear the endpoint from the rejected ones, it authenticates right away with proper 802.1x auth.

The issue is happening very rarely, and mostly on the same Windows hosts, so it's not so random in general.