
Windows 8 and 10 authentication failed

Hi,

I have an authentication problem with Windows 8 and 10 clients in ISE 2.2.

Windows 8 and Windows 10 clients cannot get access to the network at the first authentication. We must lockout and unlock to have access to the network. I used an external identity store, which is Active Directory.

I have downgraded ISE 2.2 to ISE 2.1 and upgraded ISE 2.2 to ISE 2.3, but I still have the same issue. I have contacted TAC, but they told me it is a Windows issue. I am not sure about that, because Windows 8 and 10 clients work in other offices.

Please can you help me?

 

Best Regards,

 

Aristide AKAFFOU

4 Accepted Solutions


Yes, it's important that a Windows computer's time is in sync; for instance, you'll be using certificates, and if your time/date is incorrect on the Windows client you won't be able to validate the certificate. You need to resolve those Windows errors before attempting 802.1x authentication.

 

Are you in dot1x closed mode? The error messages you provided indicated that the computer cannot communicate with the domain.


 

 - Sure! This is a must as RJI relies; note also however that this also applies to the complete authentication infrastructure (from switch -> ISE -> identity store). They all must have a correct timezone and working NTP setup.

M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '


Hi all,

I have resolved the issue.

Firstly, I have configured a native supplicant profile on Cisco ISE.

Secondly, I unchecked "Enable single sign-on for this network" in the Windows supplicant configuration. Finally, all works fine now.

 

Best Regards,

 

Aristide AKAFFOU

 


thomas
Cisco Employee

I highly recommend that you review the steps and configurations in our ISE Wired Access Deployment Guide. There is a specific section for Configuring Microsoft Windows and Apple OS X Devices for 802.1X.


22 Replies

marce1000
VIP

- What's in the live logs, then, for the first auth attempt from the particular Windows server?

- For ISE 2.2, upgrade to the latest patch level.

- > TAC says it's a Windows issue: well, if they say that, then they must earn their money and also explain to you what the Windows issue is (nice to ask!)

M. 




Hi marce1000,

In live logs, we have error 5411: supplicant stop responding.

Now I don't think it is an upgrade issue. We used all the versions.

TAC doesn't say anything more to help resolve the issue.

 

Best Regards

 

  - Then you need to look at possible issues concerning the supplicant: 1) Which software vendor is it? 2) Is it certified to be compatible with Cisco ISE + Win8-10? 3) Are there any patches for it, possibly helping to resolve this issue? 4) Can you contact the supplicant software vendor and report this issue?

M.




Hi,

I have configured Windows 10 and 8 clients for authentication, and I used Cisco NAC Agent and Cisco AnyConnect Network Access Manager.

Can you please tell me more about the Windows supplicant?

 

Best Regards,

Aristide

 

 - I am only talking about the Cisco NAC Agent then; same reasoning applies: is the version you are using compatible with Win8 or Win10 (check release notes, version info and/or contact Cisco)?

M.




Thanks for your reply.

In the release they use Cisco NAC Agent version 4.9.5.8, 4.9.5.7, 4.9.5.6. But I used NAC Agent version 4.9.5.10. Do you think this is an issue?

 

Best Regards,

 

Aristide

 

 

 - I think the only way to find out is to remove the existing agent from a Windows test host, install one of those working releases and check if it works (then).

M.




Hello,

Thanks marce, I made all of these changes to the Cisco NAC Agent version, and I have also updated Windows 10, but I encountered the same issue.

Best Regards,

Aristide AKAFFOU

 

 

 - Check your Windows host's event log (app, system, ...); look for errors (if any) concerning the supplicant (software) around the timeframe in which ISE says, in the live logs, that it is no longer responding.

 

M.




Hi,

You can see in the attachment the Windows live logs about the issue.

 

Best regards,

 

Aristide 

 

 - I am worried about the NTP error; time sync is crucial also for dot1x and ISE. Make sure the Windows host has a valid and working/usable NTP source.

 

M.




Hi marce,

So I have to configure an NTP server for the Windows clients?

Yes, it's important that a Windows computer's time is in sync; for instance, you'll be using certificates, and if your time/date is incorrect on the Windows client you won't be able to validate the certificate. You need to resolve those Windows errors before attempting 802.1x authentication.

 

Are you in dot1x closed mode? The error messages you provided indicated that the computer cannot communicate with the domain.

Hi RJI,

Thanks for your reply. I am not in closed mode.

 

Best regards,

 

Aristide
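
The two checks suggested in this thread (look at the Windows event logs around the time ISE reports the supplicant stopped responding, and confirm the client's clock is in sync), combined into one triage script. This is an added example, not code from any poster or from Cisco; it assumes the native Windows wired supplicant (Wired AutoConfig), and the failure timestamp and time-source hostname are constructed placeholders.

```powershell
# Added example. Run in an elevated PowerShell session on the affected client.
$FailureTime   = Get-Date '2018-01-15 08:02:10'  # constructed: time of the 5411 entry in the ISE live log
$WindowMinutes = 5                               # how far around the failure to search
$TimeSource    = 'dc01.example.local'            # hypothetical: your domain controller / NTP source
$MaxOffsetSec  = 300                             # assumption: 5 minutes, the default Kerberos clock-skew limit

$start = $FailureTime.AddMinutes(-$WindowMinutes)
$end   = $FailureTime.AddMinutes($WindowMinutes)

# 1. Collect supplicant, time-service and domain-connectivity events around the failure.
$filters = @(
    @{ LogName = 'Microsoft-Windows-Wired-AutoConfig/Operational' },         # native wired 802.1X supplicant
    @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Time-Service' }, # NTP / time sync errors
    @{ LogName = 'System'; ProviderName = 'NETLOGON' }                        # "cannot reach the domain" errors
)
$events = foreach ($f in $filters) {
    $f.StartTime = $start
    $f.EndTime   = $end
    # SilentlyContinue: an empty result for one log is not an error for triage purposes.
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
}
$events | Sort-Object TimeCreated |
    Format-Table TimeCreated, ProviderName, Id, LevelDisplayName, Message -Wrap

# 2. Show where the client currently gets its time from.
w32tm /query /status

# 3. Measure the clock offset against the time source (three samples, data only).
#    Sample lines look like "08:02:10, +00.0012345s".
$samples = w32tm /stripchart /computer:$TimeSource /samples:3 /dataonly
$offsets = $samples | Select-String -Pattern '([+-]\d+\.\d+)s' |
    ForEach-Object { [math]::Abs([double]$_.Matches[0].Groups[1].Value) }

if (-not $offsets) {
    Write-Warning "No offset samples from $TimeSource (unreachable before 802.1X succeeds?)"
} elseif (($offsets | Measure-Object -Maximum).Maximum -gt $MaxOffsetSec) {
    Write-Warning "Clock offset exceeds $MaxOffsetSec s; fix time sync before retesting 802.1X"
} else {
    Write-Output  "Clock offset within $MaxOffsetSec s of $TimeSource"
}
```

If the time source only becomes reachable after the lock/unlock workaround, run step 3 again once the client is on the network and compare the offsets.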