
ISE High Repeat Counts

graeme.walker
Level 1

Hi,

 

I've noticed a quirky issue within our ISE console and the repeat counter.

 

Our system has been running fine with just the odd issue we can easily resolve (mainly phones being unable to drop the session behind them from laptops).

However, we noticed that if a building's connectivity is dropped back to the core network switch, all devices that use a MAB rule to authenticate (phones and printers) from that switch stack experience high repeat counts for a day or two, which then drops down to "normal".  Laptops and PCs which are using a certificate to authenticate are fine.

 

Does anyone know why this could happen?  To me, it appears as though the switch is queuing up authentication requests and the ISE console is just taking time to "catch up" with this.

 

Switch IOS version: 15.2(2)E7

ISE Version: 2.4.0.357

Installed Patches: 2

 

I can provide some more information if needed to help identify the issue.

 

Cheers,

Graeme

 

2 Replies

Mike.Cifelli
VIP Alumni
The repeat counter will increment when there are authentication requests that have been repeated with no change in 24 hours. Do you have a re-authentication timer configured in your authz profiles OR manually deployed on your switchports? If you do, this may be the reason as to why you are seeing the repeat counter increment.

HTH!

Thanks Mike,

 

From what I can see it is configured on each individual port:

Current configuration : 814 bytes
!
interface GigabitEthernet3/0/48
 description Standard User/Voice Port
 switchport mode access
 switchport voice vlan 10
 authentication control-direction in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 1800
 dot1x timeout tx-period 5
 dot1x max-req 1
 dot1x max-reauth-req 1
 spanning-tree portfast
end

 

The issue I am having is when a switch stack has a loss of connectivity back to the ISE server (which is rare but has happened after some fiber repatching), that stack seems to run slow and devices have continuous repeat attempts just from devices connected to that stack hitting MAB rules.  The stacks in other buildings are fine.

 

I have reset the repeat counter and will monitor this - I've also asked for the stack in question to be reloaded but that is like asking for blood...

 

Cheers,

Graeme
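
Added example, not part of the original thread or any Cisco tooling: one way to answer the question raised in the first reply across a whole stack is to parse saved `show running-config` output and report, for every MAB-enabled port, whether periodic re-authentication is on and where its timer comes from. The function name `audit_reauth` is hypothetical, and the sample is constructed from the port posted above plus two made-up ports for contrast.

```python
import re

# Constructed sample: Gi3/0/48 follows the port posted in the thread;
# Gi3/0/47 and Gi3/0/1 are hypothetical ports added for contrast.
SAMPLE_CONFIG = """\
interface GigabitEthernet3/0/48
 authentication order dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
!
interface GigabitEthernet3/0/47
 authentication order dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 300
 mab
!
interface GigabitEthernet3/0/1
 switchport mode trunk
!
"""

def audit_reauth(config_text):
    """Return {interface: finding} for every port that has MAB enabled."""
    ports, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            ports[current] = []          # sub-commands of this stanza
        elif current and raw.startswith(" "):
            ports[current].append(raw.strip())
        else:                            # "!" or a global line ends the stanza
            current = None
    report = {}
    for name, lines in ports.items():
        if "mab" not in lines:
            continue                     # only MAB-capable access ports matter here
        periodic = "authentication periodic" in lines
        # The timer only takes effect when periodic re-authentication is enabled.
        source = "switch-default" if periodic else None
        for line in lines if periodic else []:
            m = re.fullmatch(r"authentication timer reauthenticate (\S+)", line)
            if m:
                source = "server" if m.group(1) == "server" else "static:" + m.group(1)
        report[name] = {"periodic": periodic, "timer_source": source}
    return report

if __name__ == "__main__":
    print(audit_reauth(SAMPLE_CONFIG))
```

A `timer_source` of `server` means the interval is whatever the RADIUS server returns in the authorization result, so the ISE authorization profiles matched by the MAB rules are the next place to look.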