04-18-2013 03:22 AM - edited 03-10-2019 08:19 PM
Hi guys.
We have a dot1x ISE-based solution running for a customer. Everything seems to work fine. Now they have a new requirement for clients with PXE boot. These are the laptops with no image on them, at least when they connect to the network. These laptops connect behind the IP phone, as the customer is using a VoIP solution.
The problem I am facing is that when I configure dot1x authentication order dot1x mab, the PXE boot fails as it times out. If I configure dot1x authentication order mab dot1x, the PXE boot works fine. But in the logs I end up with unnecessary entries showing that ISE tries to authenticate the phone with MAB, fails, then tries dot1x. This means unnecessary logs and traffic in the network.
Which timer, or what else, should I configure so that the PXE boot works fine and the phone uses dot1x?
Has anyone seen that, or any ideas?
Thanks a lot.
Sent from Cisco Technical Support iPad App
04-18-2013 10:51 AM
Does your client use WinPE for deployment? I have this same issue right now with PXE timing out, and we're working on it this way:
http://support.microsoft.com/kb/972831
I haven't found any way to tweak the timers to help this problem, but I'd be interested to know if anyone else has.
11-07-2013 09:13 PM
Did you ever get your issue figured out?
11-10-2013 03:20 PM
We got PXE boot working with authentication order dot1x mab by setting
dot1x timeout tx-period 1
on the switchports (after a lot of experimentation)
Phaon
01-13-2014 07:47 PM
You might even try something like this on your switchport config.
authentication order mab dot1x
authentication priority dot1x mab
dot1x timeout tx-period 5 (I usually use somewhere between 5-10 for this setting)
This will allow MAB to happen first. Just make sure your endpoint doesn't match another policy and your default authorization policy is set to deny access. This should work unless your default is being used to default to a central web auth or something else.
I wouldn't advise dropping the "dot1x timeout tx-period" much below 5 as you may cause timeouts on your 802.1x configured supplicants and unnecessary retries. Just my opinion.
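Added example, not written by any poster in this thread: on IOS a client that never answers EAP (such as a PXE ROM) waits tx-period x (max-reauth-req + 1) seconds before the switch falls back to MAB, which is 30 x (2 + 1) = 90 seconds with default timers. The Python sketch below audits a constructed running-config excerpt for ports whose fallback delay exceeds a PXE budget and for MAB-first ports that lack "authentication priority dot1x mab". The 60-second budget, the sample ports and the function names are assumptions, and the excerpt omits other port commands.

```python
import re

# Constructed sample: three access ports configured the ways the thread discusses.
SAMPLE = """\
interface GigabitEthernet1/0/1
 authentication order dot1x mab
interface GigabitEthernet1/0/2
 authentication order dot1x mab
 dot1x timeout tx-period 1
interface GigabitEthernet1/0/3
 authentication order mab dot1x
 dot1x timeout tx-period 5
"""

def parse_interfaces(config):
    """Return {interface: [sub-commands]} from a running-config excerpt."""
    stanzas = re.findall(r"^interface (\S+)[ \r]*\n((?:[ ].*\n?)*)", config, re.M)
    return {name: [l.strip() for l in body.splitlines()] for name, body in stanzas}

def arg(cmds, prefix, default):
    """Text following `prefix` on the first matching command, else default."""
    return next((c[len(prefix):].strip() for c in cmds if c.startswith(prefix)), default)

def seconds_until_mab(cmds):
    """Delay before MAB starts for a client that never answers EAP."""
    order = arg(cmds, "authentication order ", "dot1x mab").split()
    if "mab" not in order:
        return None                      # MAB is never attempted on this port
    if order[0] == "mab":
        return 0                         # MAB runs as soon as a MAC is learned
    tx = int(arg(cmds, "dot1x timeout tx-period ", 30))     # IOS default 30 s
    retries = int(arg(cmds, "dot1x max-reauth-req ", 2))    # IOS default 2
    return tx * (retries + 1)

def audit(config, pxe_budget=60):
    """Map each port to findings; pxe_budget (seconds) is an assumed value."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        wait, notes = seconds_until_mab(cmds), []
        if wait is None or wait > pxe_budget:
            notes.append(f"MAB not reached within {pxe_budget}s (delay: {wait})")
        order = arg(cmds, "authentication order ", "dot1x mab").split()
        prio = arg(cmds, "authentication priority ", " ".join(order)).split()
        if order[0] == "mab" and prio[0] != "dot1x":
            notes.append("MAB first without 'authentication priority dot1x mab'")
        report[name] = notes
    return report
```

Set pxe_budget to the DHCP timeout of the PXE ROM actually in use before acting on the findings.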
01-14-2014 02:20 PM
I have had problems with IAB (critical auth) when setting the following configuration:
authentication order mab dot1x
authentication priority dot1x mab
Now I might be doing something wrong, but as I understand it, when critical auth recovery occurs it reauths using the first method and then stops. The drama with this is that all 802.1x clients must manually connect and reconnect to the port or they are subject to MAB.
06-04-2019 03:32 AM
dot1x timeout tx-period 1 helped me!
dot1x timeout tx-period 5 was also working but takes a little bit more time.
Thank you
01-13-2014 06:47 PM
Everything working for PXE. We are about to venture down this road. Just curious how you are handling PCs out of the box?
Auth-fail VLAN? Guest VLAN? Dedicate ports for initial imaging?
Sent from Cisco Technical Support iPhone App
01-13-2014 08:51 PM
That's sort of how I think I'm going to do it. Going to use dot1x open. Oh pxe booting.
Sent from Cisco Technical Support iPhone App