ISE - Wired Dot1x EAP-TLS - Intermittent

cegsm
Level 1

Hi

New to ISE and want to use it for Dot1x authentication of Windows AD clients using computer certificates with a Cisco 2960X switch.

I've got this working and the live logs show success and always end with a 'Returned RADIUS Access-Accept'.

My issue is that half of the time the client shows as failed authentication, often after being disconnected and reconnected; it seems to work OK after most reboots. This happens even when the ISE logs showed success.

I'd be grateful for any help or suggestions on troubleshooting.

Thanks

Nancy Saini
Cisco Employee

Hi @cegsm 

I would suggest checking the below at the time of the issue:

  1.  Authentication status of the endpoint on the network device.
  2.  IP connectivity on the client. Is it able to reach the network?
  3.  Any failed authentication request seen on the ISE server.
  4.  Check EAP, dot1x and RADIUS debugs on the network device.

Are clients connecting to the network via AnyConnect NAM or native supplicant?

Greg Gibbs
Cisco Employee

There is not enough information to provide any meaningful assistance for this issue. See How to Ask the Community for Help.

You should start by comparing your environment against the ISE Secure Wired Access Prescriptive Deployment Guide.

If you are new to ISE concepts, you might also want to review some of the relevant ISE Webinar training videos.

Check Cisco Bug CSCvv93417; if the conditions are met, upgrading to the latest release will do the trick.

Hi Massimo

We were indeed on the affected version; after moving the test laptops to the master switch it works perfectly.

Thanks very much!