ISE Wired Guest Fallback Authorization for Non-domain Machines

TerenceLockette
Level 1

Hello all,

I have implemented EAP chaining using the AnyConnect NAM module for domain-joined machines, which is working as expected. What is not working is when I attempt to connect a non-domain computer to a port configured for dot1x and mab. The machine never connects and I don't even see the attempts in the logs. The non-domain machine does not have AnyConnect installed and would be equivalent to an employee bringing a personal machine into the office and connecting it to the wired network (i.e., no AnyConnect or Internal Certs). I feel like I'm missing something but can't figure it out. Here are some screenshots of my policy set:

terencelockettenercnet_0-1679778217428.png

terencelockettenercnet_1-1679778368202.png

Here is the switchport configuration:

interface GigabitEthernet1/0/1
 switchport mode access
 switchport nonegotiate
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast edge
 spanning-tree bpduguard enable

I have played around with the config from ISE and the switch port by changing some settings around to see if I can get it to work but all has failed.  For instance, in ISE, I've tried changing the order of the AuthC and AuthZ rules.  On the switch, I've changed the authentication order and priority parameters around but to no avail.  Any assistance in the right direction would be greatly appreciated.  Feel free to ask for any additional information.

Thanks!