09-02-2020 08:38 AM
Hello,
Looking to see if you can provide some thoughts about the following. We are rolling out authentication on the wire via ISE. We first enabled monitoring on switch ports to gather visibility of devices; whatever is doing MAB we are adding to the database (ISE), and all other corporate machines will be doing dot1x using a machine certificate in this case due to being Win7.
During our implementation at the site everything went well except for one machine, which is using a static IP (changed to DHCP for tshoot purposes but same issue). When we enabled NAC enforcement, ISE reported the PC as authenticated but the PC lost connectivity. This is the only PC at the site with Win 7 so we couldn't test with another one. Some more information:
Model No: C9300L-24P-4X
IOS: 16.12.02
Port No: Gi1/0/10
Port Config (it's in open mode now):
switchport mode access
switchport voice vlan XXX
authentication periodic
authentication timer reauthenticate server
access-session control-direction in
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 5
spanning-tree portfast
service-policy type control subscriber DOT1X-DEFAULT
ISE version 2.4.0.357
09-02-2020 09:20 AM
What does "show auth sess int gx/y detail" show? Does it show authorized? Does that output show an IPv4 address? Are you using dACLs?
09-02-2020 03:46 PM
There's not really enough information on the problem you're seeing to provide any meaningful assistance.
From your switch configuration, you're using the legacy IBNS framework. With the Cat9300, you should really be using the IBNS 2.0 framework with the best-practice configuration as per the ISE Secure Wired Access Prescriptive Deployment Guide. It provides important enhancements over the legacy IBNS framework.
Also, Windows 7 reached End of Support by Microsoft in Jan 2020. Continuing to use this OS should be considered a very high risk.
Win7 also had lots of supplicant issues with 802.1x. This is an old document (as is anything related to Win7), but here are some hotfixes you should ensure have been applied if you're attempting to use 802.1x.
https://robert.penz.name/555/list-of-ieee-802-1x-hotfixes-for-windows-7/