cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2389
Views
0
Helpful
12
Replies

some computers are not authenticated successfully with ISE and join Guest vlan

Hi,

 

We have deployed ISE in a company and set workstations for computer authentication. When workstations pass authentication they are placed in Data VLAN (5), if they fail then they should be placed in Guest VLAN (50). WiredAutoConfig service as well as supplicant is set with gpo so all workstations have the same settings.

ISE's certificate is signed by our internal CA and workstations also have imported CA in their Trusted CA list.

The problem is that few workstations are placed in Guest VLAN. Previously on those workstations we got a pop-up window as below. When clicked 'connect' the workstations were placed correctly in Data VLAN (5). We do not get this security alert anymore on those machines and they just join Guest VLAN which is not want we want.

Most of the workstations however, are authenticated successfully.

 

Pop-up

 

switchports configuration:

 

 switchport access vlan 5
 switchport mode access
 switchport voice vlan 6
 authentication event fail action next-method
 authentication event server dead action authorize vlan 5
 authentication event server dead action authorize voice
 authentication event no-response action authorize vlan 50
 authentication event server alive action reinitialize 
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation replace
 mab
 mls qos trust dscp
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable 

 

Authentication log from ISE;

 

 

 

 

Has anyone experienced similar situation?

 

1 Accepted Solution

Accepted Solutions

I am assuming the domain machines have the root ca certificate checked under the "Protected EAP Properties" window?

View solution in original post

12 Replies 12

nspasov
Cisco Employee
Cisco Employee

Can you post screen shots of the supplicant's configurations? 

I don't have access to either DC nor domain joined computers at the moment, but the configuration is default for computer authentication as below

 

 

 

 

I am assuming the domain machines have the root ca certificate checked under the "Protected EAP Properties" window?

I will double check tomorrow if it is. But let's assume that is not checked; why would some machines be authenticated normally and others not?

Yes, please check and let me us know. Also, if you get the warning message please click on the "Details" button and post a screen shot from that output as well. 

A couple of things to note:

- A machine would get that warning message if: The supplicant is not configured to trust the specific CA Certificate that was used to sign the ISE certificate AND if the option "Do not prompt user to authorize new servers or trusted certification authorities" is NOT checked. So let's start here and verify those settings. 

- Your ISE logs indicate that the session stops/fails during the establishment of the EAP tunnel. This would further indicate that the client is not trusting the ISE certificate or more specifically the CA that signed the ISE cert.

 

Thank you for rating helpful posts!

Sorry for late reply and thank you for your quick answers,

I have no direct access to workstations, so all have to be confirmed by other IT staff. So far it looks like the change of selecting CA in the supplicant configuration fixed the problems. I will mark your answer as Correct Answer once we are 100% certain about it.

 

Marek.

Hi Marek. Was your issue resolved?

Yes, thank you!

You are welcome! Glad I could help! :)

If you could also help regarding the issue described in my new post that would be awesome too! :)

I can try...what is the link to the thread?

Hi,

I have same issue.

But i don't understand supplicant configuration:

I look in properties and snip the configuration is correct or not ?

The check of Validate server certificate is check 

Connect to these servers is check:

ise-lab.cnsys.bg

Trusted Root Certificate looks good

jaguar

But i have not check for :

Do not prompt user to authorize new servers or trusted certification authoritiesCapture2.PNG

This is my configuration from LAB

I will check Configuration with my customer where  the issuers is happening.

Thank you.