Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
849
Views
0
Helpful
2
Replies

Network connectivity problems with MAC authentication for zero clients on ISE

kelley.cox
Level 1
Level 1

‎05-17-2018 10:31 AM

First, let me explain a little about our setup.  We use Meraki switches at all of our sites, and we have a mix of zero clients, thin clients, desktops and laptops.  Typically, at a user workstation there is a VOIP phone with a computer port, so for each network jack we have one VOIP phone plugged in, then the computer/thin/zero client is plugged into the VOIP phone which acts as a switch.  We started deploying Cisco ISE a few months ago and besides the occasional authentication issue, everything has been working great.

I've just started having an issue at one of our remote sites weeks after applying the ISE policy with a couple of our Dell Wyse zero clients (5030 model).  We have several other sites that have the same model zero clients with the same firmware version, and we even have a few others at the same remote site that do not have an issue.  With 2 of the clients so far, they work fine until I apply the access policy for ISE.  After I apply the policy to the port the client is using, I can see in the ISE logs that authentication is granted (after adding the device to the endpoint list with MAC address) but for some reason the device no longer has network connectivity.  The device will not respond to pings or let the user log on.  Even after removing the access policy to apply ISE, the device will not work.  Sometimes if I play around with the physical setup (moving network cables to different switch ports, resetting the switch port, plugging the client directly into the wall instead of through the VOIP phone, etc.) I can get it working again, but other times I have to let the device sit for several hours before it will start working again.  Once it starts working again, any time the device is powered off the same issue happens again unless ISE is not enabled on the port.

All of our other devices use 802.1x to authenticate, but the zero clients can't do that as easily so we just set them up to do MAC authentication.  Has anyone seen this issue before or can anyone give me any suggestions to correct it?

0 Helpful
2 Replies 2

kvenkata1
Cisco Employee
Cisco Employee

‎05-17-2018 02:20 PM

Hi Kelley,

Based on the description of your problem (intermittent & isolated to a few devices), approaching Cisco TAC for resolution would be the best option. TAC will be able debug live when the Dell zero clients are having connectivity issues.

- Krish

0 Helpful

Craig Hyps
Level 10
Level 10
In response to kvenkata1

‎05-17-2018 03:48 PM

I suspect it is an authorization failure.  Check which attributes sent by ISE for matched policy.  If access device does not understand the authorization,  even if Access-Accept response, it can block access.  Changing ISE policy will do no good.  You would need to either send a successful CoA request, or bounce port/connection on Meraki.  Sounds like you are doing the latter to trigger a new session with ISE authorization.  If sending some access policy, trying changing to basic Access Accept response (Permit_Access).  If still issues, then recommend open case with Meraki to understand why it is rejected the policy.

0 Helpful
Customers Also Viewed These Support Documents