Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
322
Views
0
Helpful
1
Replies

Open authentication works initially, but then fails

Go to solution
Kjetil Fleten
Level 1
Level 1

‎07-01-2015 06:30 AM - edited ‎03-10-2019 10:52 PM

We are implementing ISE for a customer. For a start, we want to use open authentication on some ports. When I configure "authentication open" on a port, the port actually keeps to the data Vlan and I receive a DHCP address from this Vlan, while the authentication process continues. When the process is done (radius, mab) and the client is rejected, the port is changed to guest Vlan.  If I remove "authentication open", I'm blocked from start, so I can verify that the command makes a difference until the authentication process is done.

If authentication fails, I thaught the "authentication open" command would preserve vlan settings for a port ? Am I wrong ?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
nspasov
Cisco Employee
Cisco Employee

‎07-01-2015 10:25 AM

Hi Kjetil, 

Do you have the proper authorization rule in ISE? Remember that even though authentication is set to "open" you still must have an "open" authorization rule. This is usually done by configuring a "catch-all" rule at the bottom of your rule table. This rule would authorize any users/endpoints that did not match any of the other rules that you have configured in ISE.

I hope this helps!

 

Thank you for rating helpful posts!

View solution in original post

0 Helpful
1 Reply 1

Go to solution
nspasov
Cisco Employee
Cisco Employee

‎07-01-2015 10:25 AM

Hi Kjetil, 

Do you have the proper authorization rule in ISE? Remember that even though authentication is set to "open" you still must have an "open" authorization rule. This is usually done by configuring a "catch-all" rule at the bottom of your rule table. This rule would authorize any users/endpoints that did not match any of the other rules that you have configured in ISE.

I hope this helps!

 

Thank you for rating helpful posts!

0 Helpful
Customers Also Viewed These Support Documents