01-27-2018 10:06 PM - edited 02-21-2020 10:44 AM
We are using ISE 2.2 patch 5 and AnyConnect 4.5 NAM module as the supplicant for 802.1x authentication. We are using Cisco 3850x switch with 16.6.1 Everest code.
We have run into a weird issue: When a laptop (WIN 10) is undocked and docked back, the wireless adapter gets disabled (which is expected behavior) and the wired adapter takes over, but instead of doing dot1x again, the port does MAB and gets on the default VLAN (ISE policy is configured to put all devices doing MAB on the default switch port VLAN and redirect them to a guest portal). We then go to the NAM module, select the wired profile, which fires the supplicant and puts the PC on the correct network doing dot1x authentication.
Has anyone else using the AnyConnect NAM module seen this issue? I did read a discussion about the Windows supplicant having the same issue and disabling fast-reconnect solved the issue. We have tried this with the NAM module too and it does not resolve the issue. We have IP device tracking enabled too.
Any information on this would be really appreciated. I haven't been able to find any bugs related to this either.
01-28-2018 12:09 AM
M.
01-28-2018 01:36 PM
This is exactly the link I referred to in the discussion. We have tried disabling fast reconnect in the AnyConnect NAM profile, but it does not help.
Any other options to try?
02-01-2018 09:05 PM
From the Device Manager, disable all power options (hopefully you don't use Wake on Lan).
It's important that you disable all of the options not just wake on lan.
02-06-2018 09:52 AM
Hi @edondurgut
Wake on LAN was disabled. So we unchecked the 'Allow computer to..' option in the power management settings. Rebooted the PC and still no luck. The PC still does MAB and falls on the default VLAN of the port.
02-09-2018 06:17 AM
So, we tried that and that did not help. Also, wake-on-lan was disabled. We had a TAC case open for this and realized that the priority was set incorrectly. We had configured the ports with a policy. The port was not set to do dot1x and MAB simultaneously.
policy-map type control subscriber ISE-POLICY-TEST2
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using mab priority 20
   20 authenticate using dot1x priority 10
   30 authenticate using webauth parameter-map WEBAUTH_DEFAULT priority 30
 event authentication-failure match-first
  10 class ALL_FAILED do-until-failure
   10 authentication-restart 60
 event authentication-success match-all
  10 class DOT1X do-until-failure
   10 terminate mab
   20 terminate webauth
  20 class MAB do-until-failure
   10 terminate webauth
 event agent-found match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
We applied this through the policy and then it worked. Thank you for all your insights!
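Added example (not part of the thread, and not Cisco's own tooling): a small lint that reads an IOS-XE control-policy-map and checks the two conditions the TAC fix above relies on, that dot1x and MAB are started in the same session-started class (so they run concurrently) and that dot1x carries the numerically lower, i.e. winning, priority. The sample policy texts are constructed from the posted config; the function names are my own.

```python
import re

# Constructed sample, modelled on the working policy-map posted in the thread.
GOOD_POLICY = """\
policy-map type control subscriber ISE-POLICY-TEST2
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using mab priority 20
   20 authenticate using dot1x priority 10
   30 authenticate using webauth parameter-map WEBAUTH_DEFAULT priority 30
 event agent-found match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
"""
# Constructed counter-example: MAB carries the stronger (lower-numbered) priority.
BAD_POLICY = """\
policy-map type control subscriber BAD
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using mab priority 10
   20 authenticate using dot1x priority 20
"""

def session_started_methods(policy_text):
    """Map each class under 'event session-started' to {method: priority}."""
    classes, event, cls = {}, None, None
    for raw in policy_text.splitlines():
        line = raw.strip()
        if m := re.match(r"event (\S+)", line):
            event, cls = m.group(1), None
        elif m := re.match(r"\d+ class (\S+ \S+)", line):
            cls = m.group(1)                       # e.g. "always do-until-failure"
        elif (m := re.match(r"\d+ authenticate using (\S+).*\bpriority (\d+)", line)) \
                and event == "session-started" and cls:
            classes.setdefault(cls, {})[m.group(1)] = int(m.group(2))
    return classes

def lint_dot1x_vs_mab(policy_text):
    """Return findings; an empty list means dot1x and MAB run concurrently with dot1x preferred.
    On IOS-XE a lower 'priority' value wins, so dot1x must be numerically lower than mab."""
    findings = []
    shared = {c: m for c, m in session_started_methods(policy_text).items()
              if "dot1x" in m and "mab" in m}
    if not shared:
        return ["dot1x and mab are not started in the same session-started class"]
    for cls, methods in shared.items():
        if methods["dot1x"] >= methods["mab"]:
            findings.append(f"{cls}: dot1x priority {methods['dot1x']} "
                            f"does not outrank mab priority {methods['mab']}")
    return findings
```

Run `lint_dot1x_vs_mab()` over the output of `show running-config | section policy-map type control subscriber` to confirm the port policy matches the corrected one before rolling it to access switches.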
02-25-2018 10:03 PM
Cool, glad you got it working, do you still see multiple auth from the PCs?
Like always trying MAB first?