Recent upgrade ISE to 2.4 stopped authentication working

kticehurst · ‎07-16-2018

Have had an ISE deployment running for some time performing DOT1x wired authentication, authorisation and profiling. Had some issues with 3650 switches but traced that to them not running in install mode. Recently we have upgraded the ISE to 2.4.0.357 and now clients all fail authentication and are rejected. No policies have changed only the code version and patch. Anyone had any issues with 2.4 and 3650 switches ?

Craig Hyps · ‎07-16-2018

Recommend open TAC case to troubleshoot.

cjwolff · ‎07-17-2018

What did you find out about bundle vs install mode? I have quite a few issues with regard to profiling on 3650s with the latest 2.4p1.

Thanks,

C.

kticehurst · ‎07-17-2018

Hi Christopher, Had problems with 3650s in bundle mode where they would get stuck during posturing of the client. Would see switch authentication complete but never apply the redirect access list for the ISE posture check. Installled 3.6.6 in install mode and no problem.

Also found an issue with ISE 2.4 where if you are identifying network device as all locations but have that switch in a location sub group it will not match the profile set.

Damien Miller · ‎07-17-2018

I did run in to the sub group behavior you mentioned during an ACS to ISE migration. Switching from "in all locations" to "contains all locations" fixed it up though.