05-16-2018 04:54 PM - edited 02-21-2020 10:56 AM
Hi all, I am running into issues trying to use ISE with the ArubaOS-Switch (former Procurve devices.)
specifically, these switches do not have a concept like FlexAuth. They will send out MAB and 802.1x requests "at the same time" and often MAB will hit first. I have ISE configured to continue on MAB auth failure and to get restricted access if it isn't in endpoint store.
When a windows PC with the 802.1x supplicant configured for Machine auth is put on the network, the switch will send out a MAB auth and an 802.1x auth.
When this happens ISE handles it properly in that it will process the mab, then the 802.1x and succeed on 802.1x and assign the correct vlan. HOWEVER, the Process takes longer and when I look at the endpoint attributes and authentication I see it reporting auth type as MAD even though the live session shows 802.1x and the endpoints screen says MSCHAPv2.
So, I have 2 questions.
1: IS there any optimization I can do to ISE to get it to process the 802.1x faster? I assume a similar thing would happen if FlexAuth on a Cisco switch were configured for MAB before 802.1x with 802.1x being prioritized over MAB.
2: On the confusing endpoint attributes and other details. IS there some way to clean this up so that the out of date MAB session details are removed?
05-25-2018 01:50 AM
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide