Re-auth and switch port authentication order / session termination

Gaj Ana
Level 1

Hi All

We are implementing ISE (1.4) and have come across the following issues with regard to authentication order and session termination after posture compliance. We have mab, dot1x as the authentication order (authentication priority is set to dot1x, mab). We have configured re-authentication on the switch ports. The Windows supplicant uses AnyConnect NAM (ver 4.2) for dot1x and posture. During re-authentication, neither AnyConnect NAM nor the switch initiates an EAPOL-Start, and the switch authorizes the session via MAB, whereas when having dot1x and mab as the authentication order the switch generates an EAPOL-Start. The switches are 3750s (15.0(2)SE8).

Is there any possibility we could force the switch/NAM agent to send an EAPOL-Start during re-auth?

Regarding the issue with posture: once posture becomes compliant for an endpoint (after dot1x authentication passes), following a manual session termination from ISE for the endpoint, the switch creates a new session in ISE and changes the port status to posture unknown. The AC ISE posture client still shows posture compliant status on the endpoint. It seems not to know about the session termination. During session termination the NAM agent does a re-auth; however, the posture component remains unchanged as "compliant".

Has anyone experienced this behavior?

Thanks in advance.

Regards

GA

4 Replies

nspasov
Cisco Employee

Hi Gaj-

I had a similar issue in the past and used the following attribute to fix it:

AVPair attribute termination-action-modifier=1

Give that a go and let us know if you are still having issues. 

Thank you for rating helpful posts!
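
The attribute named in the reply above is delivered to the switch as a Cisco vendor-specific RADIUS attribute (cisco-av-pair) inside the Access-Accept, alongside the standard Session-Timeout (27) and Termination-Action (29) attributes that an ISE authorization profile's reauthentication setting produces. The following block is an added example, not code from this thread or from Cisco, that encodes that attribute set per RFC 2865 and decodes it again so you can see and check exactly what the switch receives. The 3600-second timeout and the assumption that ISE emits the string as a cisco-av-pair are constructed for illustration; what the switch does with the modifier is not shown here, only its wire form.

```python
"""Encode/decode the RADIUS attributes that carry termination-action-modifier=1.

Constructed example: the attribute values below are chosen for illustration,
not captured from a real ISE deployment.
"""
import struct

# RFC 2865 attribute types and RFC 2865 section 5.26 vendor-specific layout
SESSION_TIMEOUT = 27
TERMINATION_ACTION = 29
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1                 # Cisco VSA sub-attribute: cisco-av-pair
TERM_ACTION_RADIUS_REQUEST = 1   # Termination-Action value "RADIUS-Request"

INTEGER_NAMES = {SESSION_TIMEOUT: "Session-Timeout",
                 TERMINATION_ACTION: "Termination-Action"}


def encode_integer(attr_type, value):
    """Type(1) Length(1) Value(4) for an integer attribute."""
    return struct.pack("!BBI", attr_type, 6, value)


def encode_cisco_avpair(text):
    """Wrap an AV pair string as a Cisco VSA (type 26, vendor 9, sub-type 1)."""
    payload = text.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(payload)) + payload
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def build_reauth_attributes(session_timeout_seconds, force_modifier=True):
    """Attribute stream an authorization profile with reauthentication would
    send; force_modifier adds the cisco-av-pair from the reply above."""
    attrs = encode_integer(SESSION_TIMEOUT, session_timeout_seconds)
    attrs += encode_integer(TERMINATION_ACTION, TERM_ACTION_RADIUS_REQUEST)
    if force_modifier:
        attrs += encode_cisco_avpair("termination-action-modifier=1")
    return attrs


def decode_attributes(blob):
    """Walk the TLV stream and return a list of (name, value) pairs,
    unpacking Cisco VSA sub-attributes. Rejects malformed lengths."""
    out = []
    i = 0
    while i < len(blob):
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        value = blob[i + 2:i + length]
        if attr_type == VENDOR_SPECIFIC:
            vendor = struct.unpack("!I", value[:4])[0]
            j = 4
            while j < len(value):
                sub_type, sub_len = value[j], value[j + 1]
                if sub_len < 2 or j + sub_len > len(value):
                    raise ValueError("malformed VSA sub-attribute")
                sub_val = value[j + 2:j + sub_len]
                if vendor == CISCO_VENDOR_ID and sub_type == CISCO_AVPAIR:
                    out.append(("cisco-av-pair", sub_val.decode("ascii")))
                else:
                    out.append(("vsa(%d,%d)" % (vendor, sub_type), sub_val))
                j += sub_len
        elif attr_type in INTEGER_NAMES:
            out.append((INTEGER_NAMES[attr_type], struct.unpack("!I", value)[0]))
        else:
            out.append(("attr(%d)" % attr_type, value))
        i += length
    return out


def has_reauth_modifier(blob):
    """True when the Access-Accept carries termination-action-modifier=1."""
    return ("cisco-av-pair", "termination-action-modifier=1") in decode_attributes(blob)


if __name__ == "__main__":
    accept = build_reauth_attributes(3600)
    for name, val in decode_attributes(accept):
        print(name, val)
```

Run against a packet capture of the Access-Accept (for example the attribute bytes from a RADIUS debug on the switch) this lets you confirm the profile actually delivers the AV pair before chasing NAM or switch-side behaviour.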

Hi Neno,

Thanks for the feedback. Yes, we implemented it last week and are doing further testing.

Based on your past deployments, were there any particular issues you experienced (if any) when using this AV pair with the MAB, dot1x authentication order?

Regards

GA

I have not seen any issues when using that attribute. I had deployed it for two different customers in the past.

Thank you for rating helpful posts!

Hi nspasov,

I also face the same issue. Could you advise where I should use this attribute? Is it in the posture-unknown authorization profile?
