Hi Support,
I have a configuration whereby most of my Windows endpoints are not running DOT1x yet. We eventually intend to authenticate them via AD and are looking to push out the Windows DOT1x client to all live users soon. Currently users are getting network access due to the fact that all ports have "authentication open" set and the default AuthZ policy is set to Permit Access (we aren't using MAC address endpoint tables to allow MAB etc.).
I now have my first test group of users using DOT1x and they match a specific AuthZ policy I have added that checks for their specific AD group on the AD. All is fine.
However I have just added DOT1x to a second test group of users who currently do NOT have any specific matching AuthZ policy (they are on the same AD server but in a different group which I have not defined a policy for yet), and I was expecting they would still join using the default AuthZ policy. However they do not, and on closer observation using "ipconfig" their adapter displays "Media Unauthenticated". I researched this and found that the Windows endpoint can set this condition if you disable the "Fallback to Unauthorized Network" check-box in their dot1x settings. Now I could easily check this box but don't understand why I need to, as I surely should be hitting the Default AuthZ policy. However when I debug the switch port I am getting the following:
%DOT1X-5-FAIL: Authentication failed for client (xxxxxxxxxxx) on Interface Gi2/0/26 AuditSessionID 0A540201000064AD8FC27A96
This appears to suggest my AuthC is failing (rather than AuthZ or is the word Authentication a bit vague here?), so here is my question:
1. My AuthC DOT1X policy looks at the Identity Source Sequence that includes the AD server that contains specific groups for BOTH my first test group and my second test group. Users from my first and second test groups seem to be hitting this AuthC rule according to ISE.
2. My AuthZ policy contains a specific policy for my first test group ONLY, but the final Default Rule is set to Permit Access. From the ISE perspective ALL users in my second test group are actually successfully getting this policy. The Authentication Troubleshooting page shows them getting the DOT1X AuthC policy and the Default Rule AuthZ policy. However the message in the switch debug suggests a failure and, with my Windows DOT1x client settings as above, the adapter is therefore effectively disabled.
3. All this is occurring in Monitor mode, which I thought was harmless provided I don't give additional attributes (VLAN, ACL) to the profiles!
Very confused!
All help welcome
Mark
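When comparing the switch's view of a session with what ISE reports, the practical link between the two is the AuditSessionID in the switch syslog line quoted in the post, which is the same value shown in the ISE Live Log for that session. The following is an added example (not the poster's code, and not from Cisco or ISE) that parses the DOT1X-5-FAIL line format above and its DOT1X-5-SUCCESS counterpart, groups results per interface, and collects the failing session IDs to look up in ISE. The MAC addresses, session IDs and timestamps in the sample lines are constructed.

```python
import re
from collections import defaultdict

# Matches the %DOT1X-5-FAIL line format quoted in the post and the
# %DOT1X-5-SUCCESS variant emitted for successful authentications.
DOT1X_RE = re.compile(
    r"%DOT1X-5-(?P<result>FAIL|SUCCESS): Authentication (?:failed|successful) for client "
    r"\((?P<client>[^)]*)\) on Interface (?P<interface>\S+) AuditSessionID (?P<session>[0-9A-Fa-f]+)"
)


def parse_dot1x_line(line):
    """Return result/client/interface/session for a DOT1X result line, or None for other lines."""
    m = DOT1X_RE.search(line)
    if m is None:
        return None
    return m.groupdict()


def summarize(lines):
    """Group DOT1X results by interface.

    Returns {interface: {"fail": n, "success": n, "fail_sessions": [AuditSessionIDs]}}.
    The collected session IDs are the values to search for in the ISE Live Log so the
    switch-side failure can be matched against the AuthC/AuthZ outcome ISE recorded.
    """
    summary = defaultdict(lambda: {"fail": 0, "success": 0, "fail_sessions": []})
    for line in lines:
        event = parse_dot1x_line(line)
        if event is None:
            continue  # not a DOT1X authentication result (link state etc.), skip it
        entry = summary[event["interface"]]
        if event["result"] == "FAIL":
            entry["fail"] += 1
            entry["fail_sessions"].append(event["session"])
        else:
            entry["success"] += 1
    return dict(summary)


# Constructed sample log lines shaped like the switch output in the post;
# MACs, session IDs and timestamps are made up for this example.
SAMPLE_LOG = [
    "Jan  1 10:00:01.000: %DOT1X-5-FAIL: Authentication failed for client (0011.2233.4455) "
    "on Interface Gi2/0/26 AuditSessionID 0A5402010000000100000001",
    "Jan  1 10:00:05.000: %DOT1X-5-SUCCESS: Authentication successful for client (0011.2233.6677) "
    "on Interface Gi2/0/10 AuditSessionID 0A5402010000000200000002",
    "Jan  1 10:00:09.000: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/26, changed state to up",
    "Jan  1 10:01:01.000: %DOT1X-5-FAIL: Authentication failed for client (0011.2233.4455) "
    "on Interface Gi2/0/26 AuditSessionID 0A5402010000000300000003",
]

if __name__ == "__main__":
    for iface, stats in sorted(summarize(SAMPLE_LOG).items()):
        print(iface, stats)
```

Feeding the real `show logging` output (or a syslog export) into `summarize` gives, per port, how many EAP exchanges failed and the exact session IDs to open in ISE; an interface that shows failures on the switch while ISE shows a successful AuthC and a Default Rule AuthZ for the same AuditSessionID narrows the problem to what happens between the switch and the supplicant rather than to policy matching.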