
Win 7 PC loses communication when NAC is enabled

allanc16
Level 1

Hello,

 

Looking to see if you can provide some thoughts about the following. We are rolling out authentication on the wire via ISE. We first enabled monitoring on switch ports to gather visibility of devices; whatever is doing MAB we are adding to the database (ISE), and all other corporate machines will be doing dot1x using a machine certificate in this case due to being Win7.

During our implementation at the site everything went well except for one machine, which is using a static IP (changed to DHCP for troubleshooting purposes, but same issue). When we enabled NAC enforcement, ISE reported the PC as authenticated, but the PC lost connectivity. This is the only PC at the site with Win 7, so we couldn't test with another one. Some more information:

Model No: C9300L-24P-4X
IOS: 16.12.02
Port No: Gi1/0/10

Port Config (it's in open mode now):

switchport mode access
switchport voice vlan XXX
authentication periodic
authentication timer reauthenticate server
access-session control-direction in
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 5
spanning-tree portfast
service-policy type control subscriber DOT1X-DEFAULT


ISE version 2.4.0.357

Installed Patches 7,9,12
Product Identifier (PID) SNS-3595-K9

PC info
OS Name Microsoft Windows 7 Enterprise
Version 6.1.7601 Service Pack 1 Build 7601

Colby LeMaire
VIP Alumni

What does "show auth sess int gx/y detail" show?  Does it show authorized?  Does that output show an IPv4 address?  Are you using dACLs?

Greg Gibbs
Cisco Employee

There's not really enough information on the problem you're seeing to provide any meaningful assistance.

From your switch configuration, you're using the legacy IBNS framework. With the Cat9300, you should really be using the IBNS 2.0 framework with the best-practice configuration as per the ISE Secure Wired Access Prescriptive Deployment Guide. It provides important enhancements over the legacy IBNS framework.

Also, Windows 7 reached End of Support by Microsoft in Jan 2020. Continuing to use this OS should be considered a very high risk.

Win7 also had lots of supplicant issues with 802.1x. This is an old document (as is anything related to Win7), but here are some hotfixes you should ensure have been applied if you're attempting to use 802.1x.

https://robert.penz.name/555/list-of-ieee-802-1x-hotfixes-for-windows-7/