Issues with Device Authentication on ISE: Intermittent Disconnections

t-musin
Level 1

We are experiencing unstable connectivity between endpoint devices and Cisco ISE. Random disconnections occur at unpredictable times, and standard troubleshooting methods (shut/no shut, removing port-security) do not resolve the issue. The only temporary solution is to remove the ISE configuration from the port, after which connectivity is restored. Additionally, authentication failures are observed, where devices (PCs or phones) fail to authenticate depending on the configured mode (multi-auth or multi-domain). Help me understand the problem.

5 Replies

Is there a network problem? Is the AAA server alive from the NAD perspective? What is the NAD? Wired or wireless?

https://community.cisco.com/t5/security-documents/how-to-ask-the-community-for-help/ta-p/3704356

No network problems,

If I understand the meaning of the word NAD correctly, we are using Cat9300 for user connection

Communication with the RADIUS server is available. The problem is solved by removing the ISE configuration from the port.

My guess is either a supplicant issue or a switch configuration issue. How did you configure the supplicant on the endpoint?

https://www.ise-support.com/cisco-ise-nad-configuration-templates/

Dustin Anderson
VIP Alumni

By your logs, port security is shutting the ports down. Not sure why as you have max3 and it only has 2 stored. On the other hand with 802.1x and MAB you probably don't need port security as it would be a nightmare to manage if PCs move around.

Now, there are many ways to do it, but this is what we do.

1. Set an ACL on the port that grants minimal access needed to authenticate. Block everything else.

2. If ISE authenticates, send down a dACL that will replace the restrictive one for more access.

Another note since you are doing MAB, on 3850 and 9300 if you reverse the commands it will do MAB and 802.1x at the same time instead of waiting for the 802.1x timer to run out before doing MAB.

authentication order mab dot1x
authentication priority dot1x mab

Nov  6 15:59:36: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/18, changed state to up
Nov  6 16:00:15: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (0025.8416.ee01) with reason (No Response from Client) on Interface Gi1/0/18 AuditSessionID 000000000001721B01218909
Nov  6 16:01:58: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/18, putting Gi1/0/18 in err-disable state
Nov  6 16:01:58: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet1/0/18, new MAC address (80e8.2c27.63cb) is seen.AuditSessionID  lwiwiHH^D(^K<[S
Nov  6 16:01:58: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (80e8.2c27.63cb) with reason (No Response from Client) on Interface Gi1/0/18 AuditSessionID 000000000001721C01231D59
Nov  6 16:01:59: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/18, changed state to down 
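Dustin's reading of these lines (port security, not 802.1X, is what takes the port down) can be checked mechanically rather than by eye. The script below is an added example, not code from this thread, from Cisco or from ISE: it parses the IOS syslog excerpt posted above (copied verbatim, garbled AuditSessionID included) and reports, per interface, the err-disable cause, the MACs that triggered the security violation, and the 802.1X attempts that failed with "No Response from Client". The regular expressions and the verdict strings are assumptions fitted to the message formats visible in the post, not a documented Cisco schema.

```python
import re
from collections import defaultdict

# Syslog excerpt exactly as posted in the thread (not constructed; the garbled
# AuditSessionID on the SECURITY_VIOLATION line is reproduced as-is).
SAMPLE_LOGS = """\
Nov  6 15:59:36: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/18, changed state to up
Nov  6 16:00:15: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (0025.8416.ee01) with reason (No Response from Client) on Interface Gi1/0/18 AuditSessionID 000000000001721B01218909
Nov  6 16:01:58: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/18, putting Gi1/0/18 in err-disable state
Nov  6 16:01:58: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet1/0/18, new MAC address (80e8.2c27.63cb) is seen.AuditSessionID  lwiwiHH^D(^K<[S
Nov  6 16:01:58: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (80e8.2c27.63cb) with reason (No Response from Client) on Interface Gi1/0/18 AuditSessionID 000000000001721C01231D59
Nov  6 16:01:59: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/18, changed state to down
"""

# Assumed IOS syslog header shape: "Nov  6 16:01:58: %FACILITY-SEV-MNEMONIC: message"
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<msg>.*)$"
)
# Interface names appear in both long ("GigabitEthernet1/0/18") and short ("Gi1/0/18") form.
IFACE_RE = re.compile(r"\b(?:GigabitEthernet|Gi)(\d+/\d+/\d+)\b")
MAC_RE = re.compile(r"\b([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\b")
REASON_RE = re.compile(r"with reason \(([^)]*)\)")


def parse_line(line):
    """Return the fields of one IOS syslog line as a dict, or None if it is not one."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    ifaces = IFACE_RE.findall(rec["msg"])
    rec["iface"] = "Gi" + ifaces[0] if ifaces else None  # normalise to the short form
    macs = MAC_RE.findall(rec["msg"])
    rec["mac"] = macs[0] if macs else None
    reason = REASON_RE.search(rec["msg"])
    rec["reason"] = reason.group(1) if reason else None
    return rec


def triage(log_text):
    """Group events per interface and decide what actually took each port down."""
    ports = defaultdict(lambda: {
        "err_disable_cause": None, "violation_macs": [], "dot1x_failures": [],
        "link_changes": [], "verdict": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["iface"] is None:
            continue
        p = ports[rec["iface"]]
        key = (rec["facility"], rec["mnemonic"])
        if key == ("PM", "ERR_DISABLE"):
            # "security-violation error detected on ..." -> "security-violation"
            p["err_disable_cause"] = rec["msg"].split(" error detected")[0]
        elif key == ("AUTHMGR", "SECURITY_VIOLATION") and rec["mac"]:
            p["violation_macs"].append(rec["mac"])
        elif key == ("DOT1X", "FAIL"):
            p["dot1x_failures"].append((rec["mac"], rec["reason"]))
        elif key == ("LINEPROTO", "UPDOWN"):
            p["link_changes"].append(rec["msg"].rsplit(" to ", 1)[-1])
    for p in ports.values():
        # An err-disable from port security explains the drop regardless of what dot1x did.
        if p["err_disable_cause"] == "security-violation":
            p["verdict"] = "port-security violation (err-disable)"
        elif p["dot1x_failures"] and all(r == "No Response from Client" for _, r in p["dot1x_failures"]):
            p["verdict"] = "802.1X no response (supplicant / fallback to MAB)"
        elif p["dot1x_failures"]:
            p["verdict"] = "802.1X failure (check ISE live logs)"
        else:
            p["verdict"] = "no authentication fault seen"
    return dict(ports)


if __name__ == "__main__":
    for iface, info in triage(SAMPLE_LOGS).items():
        print(iface, "->", info["verdict"])
        print("  err-disable cause:", info["err_disable_cause"])
        print("  MACs on violation:", info["violation_macs"])
        print("  dot1x failures:   ", info["dot1x_failures"])
        print("  link changes:     ", info["link_changes"])
```

Run against the posted excerpt it reports Gi1/0/18 as a port-security err-disable with 80e8.2c27.63cb as the violating MAC and two "No Response from Client" 802.1X failures, which is the separation the thread is making: the dot1x FAIL lines are the symptom, the PM-4-ERR_DISABLE line is the cause. Feed it `show logging` output from the switch to apply the same split across every port.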

Remove port security

Then share 

Show authentication session interface x/x detail 

MHM