02-09-2016 08:51 PM - edited 03-10-2019 11:28 PM
Hi All
We are implementing ISE (1.4) and have come across the following issues with regard to authentication order and session termination after posture compliance. We have mab, dot1x as the authentication order (authentication priority is set to dot1x, mab). We have configured re-authentication on the switch ports. The Windows supplicant uses AnyConnect NAM (ver 4.2) for dot1x and posture. During re-authentication, either AnyConnect NAM or the switch does not initiate an EAPOL start and the switch authorizes the session via MAB, whereas with dot1x and mab as the authentication order the switch generates an EAPOL start. The switches are 3750 (15.0(2)SE8).
Is there any possibility we could force the switch/NAM agent to send an EAPOL start during re-auth?
Regarding the issue with posture: once posture becomes compliant for an endpoint (after dot1x authentication passes), following a manual session termination from ISE for the endpoint, the switch creates a new session in ISE and changes the port status to posture unknown. The AC ISE posture client still shows posture compliant status on the endpoint. It seems not to know about the session termination. During session termination the NAM agent does a re-auth; however, the posture component remains unchanged as "compliant".
Has anyone experienced this behavior?
Thanks in advance.
Regards
GA
02-14-2016 10:58 AM
Hi Gaj-
I had a similar issue in the past and used the following attribute to fix it:
AVPair attribute termination-action-modifier=1
Give that a go and let us know if you are still having issues.
Thank you for rating helpful posts!
02-14-2016 03:43 PM
Hi Neno,
Thanks for the feedback. Yes, we implemented it last week and are doing further testing.
Based on your past deployments, have you experienced any particular issues (if any) when using this AV pair with the MAB, dot1x authentication order?
Regards
GA
02-15-2016 08:38 AM
I have not seen any issues when using that attribute. I had deployed it for two different customers in the past.
Thank you for rating helpful posts!