Laptops on ISE 3.1 wired bring up wireless and wired and fail connecti

cgarringer · ‎09-06-2022

We are seeing an issue with laptops and docking stations. They start both connections and it causes ISE to fail authentication/posture. Has anyone found a way to have a laptop with both wired and wireless default to a preferred connection? It appears that the laptop is trying to authenticate to ISE with both and it causes a failure.

balaji.bandi · ‎09-06-2022

try troubleshooting tips: you can see on ISE Live logs what is the reason for failing. is this a new setup ? working one failing ?

https://community.cisco.com/t5/security-knowledge-base/how-to-troubleshoot-ise-failed-authentications-amp/ta-p/3630960

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Arne Bier · ‎09-06-2022

Hello @cgarringer

Couple of things

802.1X authentications are a result of deliberate configuration on the endpoint. If you don't want/need either wireless or wired 802.1X then you should disable the supplicant configuration on the PC for the medium that you don't want to have 802.1X auth.

But if you DO require both, then wired connections will automatically have a higher routing metric than wireless connections. This is sometimes referred to in Cisco documentation as administrative distance - the lower AD has preference over higher AD.

You can check this with the Windows (I assume you are a Windows user?) command line

route print

Lastly - I saw an article yesterday that discussed a related concept - the user wanted to disable the Wireless temporarily while the LAN was connected. Essentially you need to monitor the Windows Event Viewer and cause a contig change when event 15501 comes in - this is the event "network adapter has been connected".

cgarringer · ‎09-07-2022

Thanks, our AD group is looking at the wireless disabling link you sent. They think this would fix the issue