02-21-2025 12:54 AM
Hello,
We've got our setup with Cisco ISE (version 3.2.0.542) and Cisco switches C100 (15.2(7)E4), with EAP-TLS as the authentication method for users & computers and, on the other hand, MAB for "dumb" devices. Computers are a mix of 10 & 11 (Windows latest version). The strange behavior is that sometimes, not so often, users get disconnected from the network. When I check the logs on ISE I can see they got rejected because they end up matching the MAB policy, with the final result being rejected.
The workaround I found was to set the switch interface to open mode and then back to closed mode, and the device works for some time. At first I had a bigger number of how often users got disconnected from the network; we noticed that the timeout action on the switch ports was equal to terminate, we changed this to reauthenticate every 12 hours on the Authorization Profiles in ISE, and now we notice disconnections every three or more days, but again from different users. The problem appears while the users are working on their computers and then suddenly lose network access. The RADIUS idle timeout is set to 3600 secs and the RADIUS reauth timer is set to 43200 secs. Does anyone have any idea why this keeps happening? Also, I got a debug from the switch when the problem appeared again today.
Thanks
02-23-2025 12:52 PM
Is your Windows 802.1X supplicant set to Machine Authentication only?
To be honest, if the Authorized session timeout expires, then a re-auth should take care of the connection continuity.
Post your show running config of a typical NAC enabled interface, as well as
show run | section radius
show run | in aaa
The ISE Authorization Profile might also benefit from this Cisco AVPair "termination-action-modifier=1" (which tells the switch to use the previously successful Auth Method (e.g. if 802.1X was successful, then use 802.1X on the next re-auth too, and don't waste time with MAB)).
e.g. something like this (with a larger session timeout of course ...)
02-24-2025 11:45 PM
02-24-2025 11:47 PM
02-25-2025 02:06 PM
The config looks good.
Have you tried those Cisco AVPair modifications in ISE that I mentioned?
Ultimately, the behaviour of 802.1X supplicants is not in the network's control - the endpoints must do the right thing - the switch just reacts to every EAPOL request it gets from the supplicant, and does what it's told to do.
I have never worked with C100 switches - is that the latest recommended version of code?
It's good to see you have some redundancy in your aaa server group (3 PSNs) - if those PSNs are all equal candidates for this use case (latency is good etc.) then I would HIGHLY recommend the IOS load balancing feature (if the C100 IOS supports it) - I have been using this for over a year now and it's fantastic and reliable - you will start loading your PSNs evenly, and that means improved latency and fairness.
aaa group server radius RADIUS-GROUP
load-balance method least-outstanding
The feature starts working straight away - if you have ISE 3.2+ you can check your PSN utilisation with the Log Analytics feature - take a screenshot of that loading before you enable load balance feature. And then check again in a month's time - you will be amazed.
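As an added illustration (not from the replies above or their attachments) of how the two recommendations fit together, the RADIUS attributes an ISE Authorization Profile would return for the reauth/AVPair advice and an IOS 15.2-style switch configuration with the load-balanced aaa group; the PSN names, address, VLAN, interface and shared secret are placeholders, and the timer values are the ones the thread states.

```cisco
! === ISE Authorization Profile, as the "Attributes Details" box renders it ===
! Reauth every 43200 s, keep the session up during re-auth (RADIUS-Request
! rather than the default terminate), and the AVPair from the reply above so
! the switch re-auths with the method that last succeeded instead of MAB.
! Access Type        = ACCESS_ACCEPT
! Session-Timeout    = 43200
! Termination-Action = RADIUS-Request
! Idle-Timeout       = 3600
! cisco-av-pair      = termination-action-modifier=1
!
! === Switch side (legacy "authentication" manager syntax on 15.2(7)E) ===
aaa new-model
! Three PSNs, requests spread by outstanding count instead of always
! hitting the first server in the list
aaa group server radius RADIUS-GROUP
 server name ISE-PSN-1
 server name ISE-PSN-2
 server name ISE-PSN-3
 load-balance method least-outstanding
aaa authentication dot1x default group RADIUS-GROUP
aaa authorization network default group RADIUS-GROUP
aaa accounting dot1x default start-stop group RADIUS-GROUP
dot1x system-auth-control
radius server ISE-PSN-1
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key <shared-secret-placeholder>
! ISE-PSN-2 and ISE-PSN-3 are defined the same way (placeholders)
!
interface GigabitEthernet1/0/1
 description NAC edge port (placeholder)
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-domain
 ! Try 802.1X first, MAB only if the supplicant never answers
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 ! Take Session-Timeout / Termination-Action / Idle-Timeout from the
 ! Access-Accept rather than from locally configured timers
 authentication timer reauthenticate server
 authentication timer inactivity server
 authentication event fail action next-method
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

After a change, `show authentication sessions interface GigabitEthernet1/0/1 details` shows which method authorized the session and the remaining reauth timer, which is the quickest way to confirm a port that used to fall back to MAB now stays on dot1x.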
02-26-2025 04:52 AM
Just as an FYI: https://www.microsoft.com/en-us/windows/end-of-support?r=1
02-26-2025 12:26 PM - edited 02-26-2025 12:54 PM
As if people need reminding of that ... and to be clear, Oct 2025 is not the end of Windows 10 support. It's the end of free Windows 10 support. Paid Windows 10 support continues for private individuals for another 1 year, and for companies, they get a few more years, where the costs skyrocket with every year. This is not an excuse to stay on Windows 10 and I am not advocating that. But Microsoft has also made some very unreasonable hardware requirements (especially the mercurial minimum CPU list) to force new hardware purchases - most of this equipment is still very capable of running Windows 10. Users should make their own decision when it's time to move off Windows/OSX/Linux etc. when they can't tolerate the pain involved.
If there is an upgrade path from Windows 10 to Windows 11 on the existing hardware then users should of course make use of that opportunity. There are also techniques (with the help of Microsoft supplied workarounds) to install Windows 11 on officially non-supported hardware. This might buy the user more time until MS decide to cut off the patches for those whose hardware doesn't meet the spec. Probably not something large enterprises will do anyway.
One should also be cautious of the Windows updates version - each version (e.g. 22H2, 23H2, 24H2 etc) has its own end of life date - so even if you are "on Windows 11" it doesn't mean you're going to get security updates during Windows 11 lifespan - you MUST upgrade the feature releases to get all the security updates.
02-26-2025 02:08 PM
Is this using a Lenovo/Dell USB-C dock?
02-27-2025 12:50 AM
Hello @Arne Bier ,
I'll give it a try on the advanced Cisco AV pair and I'll let you know if it works. Thanks again for the tips, you were really helpful; Windows 10 will be migrated soon to 11 via SCCM. @Leo Laohoo no, they are not using a dock station.
Regards
03-06-2025 05:42 AM
Hello,
After one week of applying the change on the Authorization Profiles that @Arne Bier mentioned (AVP value) things seem to work smoothly; not even one user has complained about disconnections until now. I'll monitor for one more week and I'll mark the answer as a solution. Again @Arne Bier thanks a lot.
Regards
03-06-2025 12:12 PM
That's good to know. And by the way, did you try the load balancing command under the aaa group? Unrelated to your issues, but it's highly recommended, since you listed 3 PSNs and if you wanted to load them evenly, then that's how you'd do it. The benefit of loading your PSNs evenly is improved RADIUS processing times (less latency) because you have more than one PSN doing the work. I'd say the only "downside" of load balancing is that you lose determinism. But you get over that quickly. If you need to packet capture a flow, then you simply run 3 concurrent tcpdumps instead of 1. ISE allows that. The efficiency benefit outweighs this small downside.