Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1377
Views
0
Helpful
1
Replies

Laptop and Desktop taking over 20 minutes to authenticate to network.

Anthony O'Reilly
Level 3
Level 3

‎04-09-2021 01:52 AM

Hi,

 

I have two ISE virtual appliance (2.7 Patch 2).

 

NAC is currently being deployed on the network as we are at a Proof Of Concept stage and the network is OPEN.

 

Desktops:

 I have the following configured on the desktops:

   wired auto config service started

   dot1x configured on the nic

 

I have the network interface configured with 


template PORT-AUTH-TEMPLATE
dot1x pae authenticator
mab
access-session control-direction in
access-session port-control auto
authentication periodic
authentication timer reauthenticate server
service-policy type control subscriber INT-AUTH-POLICY

!
interface GigabitEthernet1/0/34
description ### User Access Port ###
switchport access vlan 623
switchport mode access
switchport voice vlan 723
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
queue-set 2
priority-queue out

access-session host-mode multi-domain
mls qos trust device cisco-phone
mls qos trust cos
dot1x timeout tx-period 60
dot1x max-reauth-req 3
auto qos voip cisco-phone
storm-control broadcast level 30.00 25.00
storm-control action shutdown
storm-control action trap
source template PORT-AUTH-TEMPLATE
spanning-tree portfast edge
spanning-tree bpduguard enable
service-policy input AutoQoS-Police-CiscoPhone

 

The sequence of the test is as follows:

1. Apply GPO for wired auto config and dot1x to the desktop.

2. Restart desktop GPO is applied

3. Desktop takes about 15-20minutes to authenticate, the desktop only authenticates when the dACL has been applied.

4. Disable NIC card on desktop and re-enable it, Desktop authenticates immediately

5. Log out of desktop.

6. Log back in, desktop takes about 15-20minutes to authenticate, the desktop only authenticates when the dACL has been applied.

 

I want to quicken this up so that it authenticates immediately as the current config will not be satisfactory when the network is CLOSED.

 

Any ideas? Do I need to configure, port bounce?

policy set.jpg

2.JPG

  

 

0 Helpful
1 Reply 1

thomas
Cisco Employee
Cisco Employee

‎05-13-2021 01:57 PM

Authentication should happen in << 15 seconds!

15 minutes means something is terribly wrong.

No ISE errors or logs or timing information is included so hard to know what part of the authentication is taking so long.

If you look at the Authentication Details in the LiveLog it should tell you any errors and the timings for dependencies like Active Directory.

0 Helpful
Customers Also Viewed These Support Documents