NAC not working on 1 Desk, works everywhere else.

Hi all,

I have a strange one for you.

We have deployed a two-node ISE 2.7 Patch 6 cluster. We deployed NAC successfully about 7 months ago. We have a few issues now and again, but all is working well.

Recently there are a number of desks where NAC has stopped working regardless of who uses that desk. NAC works for the users on other desks without any problems. When they go back to "Desk X", they don't get any connectivity.

In the ISE logs, I can see the user logging in at Desk 1 at 09:25 (see screenshot "NAC1.jpg"), authenticating successfully and getting network access. When the user went to "Desk X", I can see entries in ISE at 09:52, 09:59 and 10:05; these three entries show a successful authentication with a session, yet the user's laptop states that there is no internet. The three entries are where we tried to eliminate the docking station, the network cables and the switchport as the root cause.

Troubleshooting steps at Desk X:

  • User logged in at this desk at 09:52 using the docking station, no internet. ISE reports successful authentication with a session. User is patched into switchport Gi3/0/4.
  • User logged in at this desk at 09:59 using no docking station, no internet. ISE reports successful authentication with a session. User is patched into switchport Gi3/0/4.
  • Moved the patch cable from switchport Gi3/0/4 on STACK3 to Gi3/0/9 (same config) on the same switch. The switch thinks that there is nothing connected:

GigabitEthernet3/0/4 is up, line protocol is down (notconnect)

  Hardware is Gigabit Ethernet, address is 00bc.6094.2404 (bia 00bc.6094.2404)

  Description: ### User Access Port ###

  • Move cable from Gi3/0/4 to Gi3/0/9, same issue

GigabitEthernet3/0/9 is up, line protocol is down (notconnect)

  Hardware is Gigabit Ethernet, address is 00bc.6094.2409 (bia 00bc.6094.2409)

  Description: ### User Access Port ###

  • Removed NAC config, port came up and User logged in successfully, no issues with switchport or cabling.
  • Added NAC config, port came up and User logged in and successfully authenticated and logged into the network.

Switch config:

!
template PORT-AUTH-TEMPLATE
dot1x pae authenticator
mab
access-session host-mode multi-domain
access-session control-direction in
access-session closed
access-session port-control auto
authentication periodic
authentication timer reauthenticate server
service-policy type control subscriber INT-AUTH-POLICY
!
!
interface GigabitEthernet3/0/9
description ### User Access Port ###
switchport access vlan XX
switchport mode access
switchport voice vlan YY
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
queue-set 2
priority-queue out
mls qos trust device cisco-phone
mls qos trust cos
dot1x timeout tx-period 60
dot1x max-reauth-req 3
auto qos voip cisco-phone
storm-control broadcast level 30.00 25.00
storm-control action shutdown
storm-control action trap
source template PORT-AUTH-TEMPLATE
spanning-tree portfast edge
spanning-tree bpduguard enable
service-policy input AutoQoS-Police-CiscoPhone
end

Regardless of which user uses that desk, it will not work. A fix for this is to remove NAC and re-add it.

The switch is a 2960X-48FPD-L and is a member of a stack which has 3 switches in it. The software version is 15.2(4)E6.

This is occurring randomly on desks across numerous sites for the customer.

Any ideas?
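Added example (not from the original post, and not Cisco code): a small Python script that does the correlation the troubleshooting steps above do by hand. It parses the `show interfaces` status lines and the template/interface config quoted in the post, expands `source template` so the port's effective access-session settings are visible, flags every ISE PASSED entry whose port the switch reports with line protocol down, and states what `access-session closed` and `access-session control-direction in` mean for a user sitting on a stalled port. The `show interfaces` lines and the config are copied from the post (QoS and storm-control lines dropped); the ISE rows, the extra port GigabitEthernet3/0/1 and the 10:10 timestamp are constructed assumptions added here so there is a healthy port to contrast against.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed inputs: the status/description lines and the config are copied from the
# post; GigabitEthernet3/0/1 (connected) is an assumption added for contrast.
SHOW_INTERFACES = """\
GigabitEthernet3/0/4 is up, line protocol is down (notconnect)
  Description: ### User Access Port ###
GigabitEthernet3/0/9 is up, line protocol is down (notconnect)
GigabitEthernet3/0/1 is up, line protocol is up (connected)
"""

# (time, NAS-Port-Id, RADIUS result) as read off the ISE live log; constructed rows
# modelled on the three Desk X attempts in the post plus one healthy session.
ISE_LIVE_LOG: List[Tuple[str, str, str]] = [
    ("09:52", "GigabitEthernet3/0/4", "PASSED"),  # docking station, "no internet"
    ("09:59", "GigabitEthernet3/0/4", "PASSED"),  # no docking station, "no internet"
    ("10:05", "GigabitEthernet3/0/9", "PASSED"),  # moved to Gi3/0/9, "no internet"
    ("10:10", "GigabitEthernet3/0/1", "PASSED"),  # assumed healthy session
]

RUNNING_CONFIG = """\
template PORT-AUTH-TEMPLATE
 dot1x pae authenticator
 mab
 access-session host-mode multi-domain
 access-session control-direction in
 access-session closed
 access-session port-control auto
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber INT-AUTH-POLICY
!
interface GigabitEthernet3/0/9
 dot1x timeout tx-period 60
 source template PORT-AUTH-TEMPLATE
!
"""

STATUS_RE = re.compile(r"^(\S+) is (\S+), line protocol is (\S+)(?: \((\w+)\))?")


def parse_show_interfaces(text: str) -> Dict[str, Dict[str, str]]:
    """Map interface name -> admin/protocol/state from the status lines only."""
    ports: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = STATUS_RE.match(line)  # indented detail lines do not match
        if m:
            name, admin, proto, state = m.groups()
            ports[name] = {"admin": admin, "protocol": proto, "state": state or ""}
    return ports


def parse_running_config(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Split config into {'template': {name: lines}, 'interface': {name: lines}}."""
    stanzas: Dict[str, Dict[str, List[str]]] = {"template": {}, "interface": {}}
    current: Optional[List[str]] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith(("template ", "interface ")):
            kind, name = line.split(maxsplit=1)
            current = stanzas[kind].setdefault(name, [])
        elif not line or line.startswith("!"):
            current = None  # stanza terminator
        elif current is not None:
            current.append(line.strip())
    return stanzas


def effective_port_config(iface: str, stanzas) -> List[str]:
    """Expand `source template X` so the port's real access-session settings show up."""
    out: List[str] = []
    for line in stanzas["interface"].get(iface, []):
        if line.startswith("source template "):
            out.extend(stanzas["template"].get(line.split()[-1], []))
        else:
            out.append(line)
    return out


def correlate(ports, live_log) -> List[str]:
    """ISE says PASSED but the switch has line protocol down: the fault is below AAA."""
    findings = []
    for when, port, result in live_log:
        st = ports.get(port)
        if result == "PASSED" and st and st["protocol"] != "up":
            findings.append(f"{when} {port}: ISE PASSED but line protocol {st['protocol']} "
                            f"({st['state']}); look at link/PHY/port state, not policy")
    return findings


def mode_notes(cfg: List[str]) -> List[str]:
    """What the effective access-session settings mean for a user on a stalled port."""
    notes = []
    if "access-session closed" in cfg:
        notes.append("closed mode: nothing forwards before authorization, so a stalled port looks like no network at all")
    if "access-session control-direction in" in cfg:
        notes.append("control-direction in: only host-to-switch traffic is blocked pre-auth; switch-to-host (e.g. WoL) passes")
    return notes


if __name__ == "__main__":
    ports = parse_show_interfaces(SHOW_INTERFACES)
    print(*correlate(ports, ISE_LIVE_LOG), sep="\n")
    cfg = effective_port_config("GigabitEthernet3/0/9", parse_running_config(RUNNING_CONFIG))
    print(*mode_notes(cfg), sep="\n")
```

Run as-is it prints the three PASSED-but-notconnect mismatches (09:52 and 09:59 on Gi3/0/4, 10:05 on Gi3/0/9) and the two mode notes for Gi3/0/9. The value of the correlation is that it separates the two layers the post's own steps had to untangle by swapping cables and ports: an authorized session recorded by ISE on a port the switch reports with line protocol down cannot be a policy problem, and the closed-mode note is why the user sees "no internet" rather than degraded access.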
15 Replies

Hi @Anthony O'Reilly,

Excellent news! Thanks for sharing the final result!

Regards