New PCs to domain are delayed with their 802.1x authentication

NT_01
Level 1

Hello.

 

Hoping someone out there may be able to help us figure out a nagging issue with our ISE deployment.

 

We are running ISE 2.4 along with 802.1x/MAB authentication for our Win 10 machines and Shoretel phones. We run 2960 switches at the access layer and use a GPO for our supplicant settings. All PCs use the same GPO.

 

We use low impact mode for enforcement - we run monitor mode before transitioning a switch into low impact mode.

 

The problem we have is that whenever we deploy a new batch of machines to the network the newly imaged machines always have problems with ISE and authenticating with 802.1x. What I see on the live logs during this time are MAB failures but no dot1x traffic at all. It's as if the machine is not sending dot1x traffic. I have verified that the PCs have their group policy for ISE, the appropriate certificates, and that the Wired auto config service is running.

 

What we end up having to do with most of the new machines is to leave the port in monitor mode and then, an hour or two later, once it shows as authorized, turn on low impact mode for the port.

 

The odd thing is that once the machine is authorized, we don't see issues any more.

 

Also, the issue does not happen for every single new pc, but I would say 75% of them.

 

Appreciate any ideas on how to troubleshoot this one!

 

Fred
3 Replies

Mike.Cifelli
VIP Alumni
Are you able to share your native supplicant configs? Also, are you using IBNS with service templates, etc., or are you using static port configurations? If possible, please share those configs as well so the community can better assist you. Thanks.

Hi.

 

We are not using IBNS/service templates - we use static port configs.

 

Here is a typical port config:

 

! Data VLAN 100 for PCs, voice VLAN 20 for the Shoretel phones
switchport access vlan 100
switchport mode access
switchport voice vlan 20
! Pre-auth ACL: what an unauthenticated host may reach while the port is open
! (low impact mode); ISE replaces it with a dACL once the session is authorized
ip access-group ISE_ACL in
! If dot1x fails, fall through to MAB
authentication event fail action next-method
! Critical auth: if all RADIUS servers are dead, authorize data hosts into VLAN 20
! and the voice domain; re-run authentication when a server comes back
authentication event server dead action authorize vlan 20
authentication event server dead action authorize voice
authentication event server alive action reinitialize
! Each MAC behind the port (PC and phone) is authenticated separately
authentication host-mode multi-auth
! Open mode: traffic is forwarded before authentication, limited only by ISE_ACL
authentication open
! Try dot1x first, then MAB; prefer a dot1x result if both complete
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
! Reauth and inactivity timers come from ISE (Session-Timeout / Idle-Timeout)
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server dynamic
mab
dot1x pae authenticator
! EAP-Request/Identity every 10 s, retried 3 times: roughly 40 s of silence
! from the supplicant before the switch gives up on dot1x and moves on to MAB
dot1x timeout tx-period 10
dot1x max-reauth-req 3
spanning-tree portfast edge

 

For supplicant config:

[Screenshots of the wired 802.1X GPO supplicant settings: gpo-3.png, gpo-1.png, gpo-5.jpg]

packetplumber9
Level 1

I know you said you verified it, but the symptoms sound to me like group policy is taking some time to fully load onto the new machines after being imaged. I would look at client-side logs to see if there are any entries for why it is not attempting dot1x auth.
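The client-side check packetplumber9 describes, as an added example that is not code from anyone in this thread: a PowerShell script to run on a freshly imaged Windows 10 machine while the switch port is in monitor mode. It assumes the wired NIC alias is 'Ethernet' and that the supplicant is meant to use a machine certificate (EAP-TLS); change $ifAlias and drop the certificate step if your GPO uses PEAP.

```powershell
# Added example, not code from this thread: client-side checks for a freshly
# imaged Windows 10 machine that shows MAB failures but no dot1x traffic on the
# switch. Run from an elevated PowerShell on the client soon after it boots.
# Assumptions: the wired NIC alias is 'Ethernet' and the supplicant is meant to
# use a machine certificate (EAP-TLS); adjust $ifAlias and step 6 if not.
$ifAlias = 'Ethernet'
$since   = (Get-Date).AddHours(-2)

# 1. The supplicant service (Wired AutoConfig, dot3svc) must be Running and
#    Automatic. "Running" now does not prove it was running when the port
#    first came up; step 5 shows what it did at that time.
$svc = Get-Service -Name dot3svc
"dot3svc: Status=$($svc.Status) StartType=$($svc.StartType)"

# 2. Has the GPO-delivered wired 802.1X profile actually landed on this
#    interface? No profile means the machine never sends EAPOL, which is the
#    'no dot1x traffic at all' symptom seen on the switch.
netsh lan show profiles interface="$ifAlias"
netsh lan show interfaces

# 3. Confirm computer-side Group Policy has been applied since imaging.
gpresult /r /scope computer

# 4. Group Policy operational log: when did policy processing run, and did the
#    wired network policy apply cleanly?
Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Microsoft-Windows-GroupPolicy/Operational'; StartTime = $since } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap

# 5. Wired AutoConfig operational log: did the supplicant attempt 802.1X at
#    all, and if it stopped, why. If this log is empty it may be disabled;
#    enable it with:  wevtutil sl Microsoft-Windows-Wired-AutoConfig/Operational /e:true
Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Microsoft-Windows-Wired-AutoConfig/Operational'; StartTime = $since } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap

# 6. Machine certificate present, within its validity period, and carrying the
#    Client Authentication EKU? A cert that only arrives with a later
#    autoenrollment pass would explain a supplicant that stays silent at first.
Get-ChildItem Cert:\LocalMachine\My |
    Select-Object Subject, NotBefore, NotAfter,
        @{ n = 'EKU'; e = { $_.EnhancedKeyUsageList.FriendlyName -join ', ' } }

# 7. Reapply computer policy and bounce the NIC so a fresh EAPOL exchange
#    happens while you watch the ISE live log for this MAC.
gpupdate /force /target:computer
Restart-NetAdapter -Name $ifAlias -Confirm:$false
```

Compare the timestamps from steps 4 and 5 against the time the switch first saw the MAC: if the wired profile or the machine certificate only appears after a later policy refresh or autoenrollment pass, that accounts for a machine that authorizes "an hour or two later" with no change on the switch. In low impact mode the port is open, so also confirm that the pre-auth ACL on the switch permits the DHCP, DNS, Kerberos/LDAP and certificate-enrollment traffic a new machine needs to finish applying policy; a pre-auth ACL that blocks those keeps the machine from ever getting the profile it needs to start dot1x.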
