12-14-2019 10:19 PM
Hi,
We are deploying ISE 2.6 with patch 2. We deployed one site to work with AnyConnect 4.5 and AnyConnect 4.7, and it worked fine with EAP-FAST, AD and Posture (Posture only with AnyConnect 4.7). The end customer needs time to upgrade AnyConnect 4.5 to 4.7, which is the reason it has to work this way. In both scenarios, AnyConnect got authenticated against ISE and AD.
Now, at another end-customer site with 2960S and 3560CX switches, both on the Cisco-suggested IOS version, it seems it isn't working. The PCs have AnyConnect 4.5 and they work with the previous version, ISE 1.4. But when we change the switch configuration to work with ISE 2.6, dot1x doesn't work. Only MAB for IP Phone profiling works. Even when we tried to get PC authentication via MAB, dot1x fails first, MAB authenticates, but then dot1x restarts the process, MAB stops and the PCs lose their network connection.
Debugging the switches at the second site, we realized that the EAP process fails with the following messages:
Dec 13 15:20:25.853: dot1x-ev:[705a.0f3c.77e4, Gi0/5] Dot1x authentication started for 0x8E000526 (705a.0f3c.77e4)
Dec 13 15:20:25.853: dot1x-ev:[705a.0f3c.77e4, Gi0/5] Sending EAPOL packet
Dec 13 15:20:25.853: dot1x-ev:[705a.0f3c.77e4, Gi0/5] Sending out EAPOL packet to MAC 705a.0f3c.77e4
Dec 13 15:20:36.095: dot1x-ev:[705a.0f3c.77e4, Gi0/5] Sending EAPOL packet
Dec 13 15:20:36.095: dot1x-ev:[705a.0f3c.77e4, Gi0/5] Sending out EAPOL packet to MAC 705a.0f3c.77e4
Dec 13 15:20:46.337: dot1x-ev:[705a.0f3c.77e4, Gi0/5] Sending EAPOL packet
Dec 13 15:20:46.337: dot1x-ev:[705a.0f3c.77e4, Gi0/5] Sending out EAPOL packet to MAC 705a.0f3c.77e4
Dec 13 15:20:56.578: dot1x-ev:[705a.0f3c.77e4, Gi0/5] Received an EAP Timeout
Logs from the PC's DART bundle show nothing at the same time (the hour difference is due to the PC's timezone):
75130: MX52TID02: dic. 13 2019 08:20:24.058 +0700: %NAM-7-DEBUG_MSG: %[tid=12752]: Retrieving scan list from driver
75131: MX52TID02: dic. 13 2019 08:20:24.060 +0700: %NAM-7-DEBUG_MSG: %[tid=12752]: PortManagerImpl::updateScanList - ssidLength=504
134358: MX52TID02: dic. 13 2019 08:20:24.061 +0700: %NAMSSO-7-DEBUG_MSG: %[tid=14424]: waiting for cs...
134359: MX52TID02: dic. 13 2019 08:20:24.061 +0700: %NAMSSO-7-DEBUG_MSG: %[tid=14424]: cs entered
134360: MX52TID02: dic. 13 2019 08:20:24.061 +0700: %NAMSSO-7-DEBUG_MSG: %[tid=14424]: leaving cs...
75132: MX52TID02: dic. 13 2019 08:20:34.051 +0700: %NAM-7-DEBUG_MSG: %[tid=12752]: Retrieving scan list from driver
75133: MX52TID02: dic. 13 2019 08:20:34.052 +0700: %NAM-7-DEBUG_MSG: %[tid=12752]: PortManagerImpl::updateScanList - ssidLength=504
134361: MX52TID02: dic. 13 2019 08:20:34.052 +0700: %NAMSSO-7-DEBUG_MSG: %[tid=14424]: waiting for cs...
134362: MX52TID02: dic. 13 2019 08:20:34.052 +0700: %NAMSSO-7-DEBUG_MSG: %[tid=14424]: cs entered
134363: MX52TID02: dic. 13 2019 08:20:34.053 +0700: %NAMSSO-7-DEBUG_MSG: %[tid=14424]: leaving cs...
75134: MX52TID02: dic. 13 2019 08:20:34.066 +0700: %NAM-7-DEBUG_MSG: %[tid=12752]: PortManagerImpl::updateScanList - ssidLength=504
134364: MX52TID02: dic. 13 2019 08:20:34.066 +0700: %NAMSSO-7-DEBUG_MSG: %[tid=14424]: waiting for cs...
134365: MX52TID02: dic. 13 2019 08:20:34.066 +0700: %NAMSSO-7-DEBUG_MSG: %[tid=14424]: cs entered
134366: MX52TID02: dic. 13 2019 08:20:34.067 +0700: %NAMSSO-7-DEBUG_MSG: %[tid=14424]: leaving cs...
75135: MX52TID02: dic. 13 2019 08:20:44.055 +0700: %NAM-7-DEBUG_MSG: %[tid=12752]: Retrieving scan list from driver
75136: MX52TID02: dic. 13 2019 08:20:44.056 +0700: %NAM-7-DEBUG_MSG: %[tid=12752]: PortManagerImpl::updateScanList - ssidLength=504
134367: MX52TID02: dic. 13 2019 08:20:44.056 +0700: %NAMSSO-7-DEBUG_MSG: %[tid=14424]: waiting for cs...
134368: MX52TID02: dic. 13 2019 08:20:44.057 +0700: %NAMSSO-7-DEBUG_MSG: %[tid=14424]: cs entered
134369: MX52TID02: dic. 13 2019 08:20:44.057 +0700: %NAMSSO-7-DEBUG_MSG: %[tid=14424]: leaving cs...
In summary, to deploy the second site we took a backup of the configuration from the first site and restored it on the second, changing the IP and ACL configuration to match the second site; both are SNS 3595. At both sites there was first an ISE 1.4 server that was working fine. When we deployed ISE 2.6 at the first site it worked fine with all PCs with AnyConnect 4.5, but when we deployed the second site we got these errors. We even tried with a PC with 4.7 and got the same error. The NAM configuration file is the same at both sites.
Is there some configuration that was not restored that prevents the PC from getting a connection to the network? Is there any switch configuration we missed from one site to the other?
Thanks in advance for your help.
12-15-2019 10:06 AM
If not done already, please send the Cisco AnyConnect DART bundle to TAC for analysis.
In general, the switch configurations need no modification when upgrading ISE from 1.4 to 2.6, unless you are using some new features.
Field Notice FN-70357 (Cisco Identity Services Engine Fails to Authenticate Endpoints When Using EAP-FAST with TLS 1.2 - Software Upgrade Recommended) does not seem applicable to your issue because ISE 2.6 already has the fix.
12-15-2019 10:10 AM
It looks like an issue on the PC side. Run a packet capture on the PC to ensure it is receiving the EAPOL frames from the switch. It looks like the switch is sending the EAPOL frames but the PC isn't responding so it times out. It could be the Windows firewall settings. Packet capture would confirm.
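The reply above reads the switch debug as "EAPOL requests go out, nothing comes back, EAP times out". The following added triage script (not posted by anyone in this thread) applies that reading to the dot1x-ev lines from the original post: it groups events per port and MAC, counts EAPOL transmissions, derives the retransmit interval from the timestamps, and labels the session "supplicant silent" when the timeout arrives without any client frame. The message text used to recognise a client reply ("Received pkt") is an assumption, since the post only shows the silent case.

```python
import re
from collections import defaultdict

# Constructed sample input: the dot1x-ev debug lines quoted in the original post.
DEBUG_LINES = """\
Dec 13 15:20:25.853: dot1x-ev:[705a.0f3c.77e4, Gi0/5] Dot1x authentication started for 0x8E000526 (705a.0f3c.77e4)
Dec 13 15:20:25.853: dot1x-ev:[705a.0f3c.77e4, Gi0/5] Sending EAPOL packet
Dec 13 15:20:25.853: dot1x-ev:[705a.0f3c.77e4, Gi0/5] Sending out EAPOL packet to MAC 705a.0f3c.77e4
Dec 13 15:20:36.095: dot1x-ev:[705a.0f3c.77e4, Gi0/5] Sending EAPOL packet
Dec 13 15:20:36.095: dot1x-ev:[705a.0f3c.77e4, Gi0/5] Sending out EAPOL packet to MAC 705a.0f3c.77e4
Dec 13 15:20:46.337: dot1x-ev:[705a.0f3c.77e4, Gi0/5] Sending EAPOL packet
Dec 13 15:20:46.337: dot1x-ev:[705a.0f3c.77e4, Gi0/5] Sending out EAPOL packet to MAC 705a.0f3c.77e4
Dec 13 15:20:56.578: dot1x-ev:[705a.0f3c.77e4, Gi0/5] Received an EAP Timeout
"""

# "Mon DD HH:MM:SS.mmm: dot1x-ev:[mac, port] message"
LINE_RE = re.compile(r"^\w{3} +\d+ (?P<ts>\d\d:\d\d:\d\d\.\d+): dot1x-ev:"
                     r"\[(?P<mac>[0-9a-f.]+), (?P<port>\S+)\] (?P<msg>.*)$")

def _seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def triage(debug_text):
    """Group dot1x-ev events per (port, MAC) and classify each authentication attempt."""
    sessions = defaultdict(lambda: {"tx_times": [], "rx_from_client": 0, "outcome": "in progress"})
    for line in debug_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s, msg = sessions[(m["port"], m["mac"])], m["msg"]
        if msg.startswith("Sending out EAPOL packet"):   # one frame on the wire per attempt
            s["tx_times"].append(_seconds(m["ts"]))
        elif msg.startswith("Received pkt"):              # assumed text of a client EAPOL reply
            s["rx_from_client"] += 1
        elif msg == "Received an EAP Timeout":
            s["outcome"] = ("supplicant silent" if s["rx_from_client"] == 0
                            else "timeout after client replied")
    report = {}
    for key, s in sessions.items():
        gaps = [b - a for a, b in zip(s["tx_times"], s["tx_times"][1:])]
        report[key] = {"eapol_tx": len(s["tx_times"]),
                       # mean spacing between retransmissions, i.e. the effective dot1x tx-period
                       "retransmit_interval_s": round(sum(gaps) / len(gaps), 1) if gaps else None,
                       "rx_from_client": s["rx_from_client"], "outcome": s["outcome"]}
    return report

if __name__ == "__main__":
    for (port, mac), r in triage(DEBUG_LINES).items():
        print(f"{port} {mac}: {r['eapol_tx']} EAPOL requests every ~{r['retransmit_interval_s']}s, "
              f"{r['rx_from_client']} client replies -> {r['outcome']}")
```

A "supplicant silent" result points at the PC side (frames not reaching or not being answered by the NAM), which is what the packet capture suggested above would confirm.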