Hoping someone out there may be able to help us figure out a nagging issue with our ISE deployment.
We are running ISE 2.4 along with 802.1x/MAB authentication for our Win 10 machines and Shoretel phones. We run 2960 switches at the access layer and use a GPO for our supplicant settings. All PCs use the same GPO.
We use low impact mode for enforcement - we run monitor mode before transitioning a switch into low impact mode.
The problem we have is that whenever we deploy a new batch of machines to the network, the newly imaged machines always have problems with ISE and authenticating with 802.1x. What I see on the live logs during this time are MAB failures but no dot1x traffic at all. It's as if the machine is not sending dot1x traffic. I have verified that the PCs have their group policy for ISE, the appropriate certificates, and that the Wired AutoConfig service is running.
What we end up having to do with most of the new machines is to leave the port in monitor mode and then, an hour or two later, once it shows as authorized, turn on low impact mode for the port.
The odd thing is that once the machine is authorized, we don't see issues any more.
Also, the issue does not happen for every single new PC, but I would say 75% of them.
Appreciate any ideas on how to troubleshoot this one!
We are not using IBNS/service templates - we use static port configs.
Here is typical port config:
switchport access vlan 100
switchport mode access
switchport voice vlan 20
ip access-group ISE_ACL in
authentication event fail action next-method
authentication event server dead action authorize vlan 20
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
authentication timer inactivity server dynamic
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x max-reauth-req 3
spanning-tree portfast edge
For supplicant config:
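Added example (not from the original post, and not the supplicant configuration the post refers to): a small Python helper that reads the legacy, non-IBNS output of "show authentication sessions interface <x> details" from a 2960 and tells you whether the PC ever answered the switch's EAP-Request/Identity frames, and that derives from the dot1x timers in the port config above how long the switch waits before falling back to MAB. With "dot1x timeout tx-period 10" and "dot1x max-reauth-req 3", the switch sends the initial Identity request plus 3 retransmissions, waiting tx-period seconds on each, so dot1x gives up after 10 x (3 + 1) = 40 seconds and the session moves to MAB. A client that never sends EAPOL produces no RADIUS traffic for dot1x at all, so ISE only sees the MAB attempt, which is exactly the "MAB failures but no dot1x traffic" picture in the live logs; the switch session table is where the distinction shows. The session transcripts and the trimmed port config in the block are constructed for the example, not captured from the poster's switches.

```python
"""Classify a dot1x/MAB port session from legacy (non-IBNS) IOS
'show authentication sessions interface <x> details' output and compute
the dot1x-to-MAB fallback time from the port's dot1x timers.

Added example for this thread; the show output below is constructed.
"""

import re

# Constructed: a freshly imaged PC that never answered EAP-Request/Identity.
# dot1x timed out ("Failed over"), MAB ran and ISE rejected the MAC.
SESSION_NO_EAPOL = """\
            Interface:  GigabitEthernet1/0/7
          MAC Address:  0050.5688.1234
            User-Name:  00-50-56-88-12-34
               Status:  Unauthorized
               Domain:  DATA
       Oper host mode:  multi-auth
    Common Session ID:  0A0A0A01000000120000ABCD

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Failed
"""

# Constructed: the supplicant did speak EAPOL but ISE rejected the dot1x
# attempt; with 'authentication event fail action next-method' the switch
# then tried MAB, which also failed. Here ISE does have a dot1x failure logged.
SESSION_DOT1X_REJECTED = """\
            Interface:  GigabitEthernet1/0/8
          MAC Address:  0050.5688.5678
               Status:  Unauthorized
               Domain:  DATA

Runnable methods list:
       Method   State
       dot1x    Authc Failed
       mab      Authc Failed
"""

# The dot1x-relevant lines of the port config from the post (trimmed).
PORT_CONFIG = """\
 authentication event fail action next-method
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 3
"""


def parse_methods(show_output: str) -> dict[str, str]:
    """Return {method: state} from the runnable/method status table."""
    methods: dict[str, str] = {}
    in_table = False
    for line in show_output.splitlines():
        s = line.strip()
        if s.startswith(("Runnable methods list", "Method status list")):
            in_table = True
            continue
        if not in_table or not s or s.startswith("Method"):
            continue
        name, _, state = s.partition(" ")
        methods[name] = state.strip()
    return methods


def classify(show_output: str) -> str:
    """Say where to look next based on which method got how far."""
    m = parse_methods(show_output)
    dot1x = m.get("dot1x", "Not run")
    mab = m.get("mab", "Not run")
    if dot1x == "Authc Success" or mab == "Authc Success":
        return "authorized"
    if dot1x == "Authc Failed":
        return "dot1x-rejected"      # EAPOL reached ISE; check ISE live logs
    if dot1x in ("Failed over", "Not run") and mab == "Authc Failed":
        return "no-eapol"            # client silent; check the supplicant
    if dot1x == "Running":
        return "dot1x-in-progress"
    return "unknown"


def dot1x_fallback_seconds(tx_period: int, max_reauth_req: int) -> int:
    """Initial EAP-Request/Identity plus max-reauth-req retransmissions,
    each waited on for tx-period seconds, before dot1x gives up and
    'authentication order dot1x mab' moves the session to MAB."""
    return tx_period * (max_reauth_req + 1)


def fallback_from_config(port_config: str) -> int:
    """Read the timers from an interface config; IOS defaults if absent."""
    tx = re.search(r"^\s*dot1x timeout tx-period (\d+)", port_config, re.M)
    mr = re.search(r"^\s*dot1x max-reauth-req (\d+)", port_config, re.M)
    tx_period = int(tx.group(1)) if tx else 30     # IOS default tx-period
    max_reauth = int(mr.group(1)) if mr else 2     # IOS default max-reauth-req
    return dot1x_fallback_seconds(tx_period, max_reauth)


if __name__ == "__main__":
    print("no-EAPOL sample:", classify(SESSION_NO_EAPOL))
    print("rejected sample:", classify(SESSION_DOT1X_REJECTED))
    print("seconds before MAB:", fallback_from_config(PORT_CONFIG))
```

Run it against the real output of "show authentication sessions interface GiX/Y/Z details" taken while a new machine is sitting in the failing state: "no-eapol" means the problem is on the PC side (the supplicant never transmitted), while "dot1x-rejected" means the supplicant did talk and the ISE live log for that session is the place to look. Leaving a port in monitor mode for an hour or two, as the post describes, does not change which of the two you are seeing; it only stops the failure from blocking traffic.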
I know you said you verified it, but the symptoms sound to me like group policy is taking some time to fully load onto the new machines after being imaged. I would look at client side logs to see if it has any entries for why it is not attempting dot1x auth.