06-14-2022 12:59 AM
Hello,
We have a wired 802.1x (EAP-TLS) problem using Cisco ISE(RADIUS) and Aruba switches(Authenticators).
Time after time, 3-5 users try to connect, but authentication fails (even though they connected successfully before). It takes 1 hour until they connect successfully. I have tried a port bounce etc., but it does not help. It is always the same (a 1-hour period until they connect successfully after the first failure).
Is there a 1-hour timeout somewhere before they can retry connecting?
Any suggestions?
Solved!
06-17-2022 03:03 AM
From the Cisco community, this event explains why you have to wait 1 hour before trying to authenticate again.
"""5434 Endpoint conducted several failed authentications of the same scenario:
The reason for it is that "The client suppression mechanism is enabled by default to protect ISE from DoS/DDoS attacks. The logic of this mechanism is to check whether the client had multiple failed authentications in a specified time interval; after this, ISE blocks the client for a specified time interval.
You can disable this feature in Administration > System > Settings > Radius, Suppress Anomalous Clients. You can change settings such as how long a client should be blocked, etc."""
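The mechanism described in that answer (count failures of the same scenario inside a detection window, then drop every request from that endpoint for a fixed hold time) is easy to model, and the model shows why the port bounces in this thread did nothing. The following Python block is an added example written for this page; it is not ISE code and not from any poster. The 60-minute hold matches what the thread observed, but the failure threshold, the detection window, the scenario labels and the sample timeline are assumptions constructed for the illustration, and ISE's real defaults may differ.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Tunables. The 60-minute hold matches what the thread observed; the failure
# threshold and detection window are ASSUMED values for this illustration,
# not ISE's documented defaults. ISE exposes equivalent knobs under
# Administration > System > Settings > RADIUS > Suppress Anomalous Clients.
FAILURE_THRESHOLD = 2                  # repeated failures of the same scenario...
DETECT_WINDOW = timedelta(minutes=5)   # ...within this window trigger a hold
HOLD_TIME = timedelta(minutes=60)      # how long the endpoint is suppressed


@dataclass
class AnomalousClientSuppressor:
    threshold: int = FAILURE_THRESHOLD
    detect_window: timedelta = DETECT_WINDOW
    hold_time: timedelta = HOLD_TIME
    # (endpoint, failure_scenario) -> timestamps of recent failures
    failures: dict = field(default_factory=dict)
    # endpoint -> time at which its hold expires
    held_until: dict = field(default_factory=dict)

    def handle(self, ts, endpoint, policy_result, scenario=None):
        """Decide the outcome of one RADIUS request from `endpoint` at `ts`.

        policy_result is what the policy engine WOULD return ("accept" or
        "reject") if the request were evaluated; scenario labels the kind of
        failure so that only repeats of the same failure count together.
        Returns one of: "accept", "reject", "reject+hold", "suppressed".
        """
        until = self.held_until.get(endpoint)
        if until is not None:
            if ts < until:
                # Assumption: requests during the hold are dropped without
                # evaluating policy and neither shorten nor extend the hold.
                # This is why a port bounce (a fresh request) does not help.
                return "suppressed"
            del self.held_until[endpoint]          # hold expired

        if policy_result == "accept":
            # Success clears the endpoint's failure history.
            for key in [k for k in self.failures if k[0] == endpoint]:
                del self.failures[key]
            return "accept"

        key = (endpoint, scenario)
        recent = [t for t in self.failures.get(key, []) if ts - t < self.detect_window]
        recent.append(ts)
        self.failures[key] = recent
        if len(recent) >= self.threshold:
            self.held_until[endpoint] = ts + self.hold_time
            self.failures[key] = []
            return "reject+hold"
        return "reject"


# Constructed sample timeline modelled on the MAB case in the thread: an
# endpoint with no identity group fails twice, the admin fixes the group at
# 09:03, then port-bounces at 09:05 and 09:30, and tries again after an hour.
# A second endpoint fails once and then succeeds, so it is never held.
SAMPLE_EVENTS = [
    # (timestamp, endpoint MAC, result policy would give, failure scenario)
    ("2022-06-17 09:00:00", "00:11:22:33:44:55", "reject", "mab_no_identity_group"),
    ("2022-06-17 09:00:20", "00:11:22:33:44:55", "reject", "mab_no_identity_group"),
    ("2022-06-17 09:05:00", "00:11:22:33:44:55", "accept", None),  # port bounce
    ("2022-06-17 09:10:00", "aa:bb:cc:dd:ee:ff", "reject", "eap_tls_handshake"),
    ("2022-06-17 09:12:00", "aa:bb:cc:dd:ee:ff", "accept", None),
    ("2022-06-17 09:30:00", "00:11:22:33:44:55", "accept", None),  # port bounce
    ("2022-06-17 10:01:00", "00:11:22:33:44:55", "accept", None),  # hold expired
]


def replay(events, suppressor=None):
    """Run events through the suppressor and return the outcome per event."""
    sup = suppressor or AnomalousClientSuppressor()
    outcomes = []
    for ts_str, mac, policy_result, scenario in events:
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        outcomes.append(sup.handle(ts, mac, policy_result, scenario))
    return outcomes


if __name__ == "__main__":
    for (ts_str, mac, _, _), outcome in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(f"{ts_str}  {mac}  {outcome}")
```

Running the replay shows the held endpoint answered "suppressed" at 09:05 and 09:30 even though policy would have accepted it by then, and "accept" only once the hold has expired at 10:01; the second endpoint, with a single failure, is never held. Raising the threshold (or disabling the feature in ISE) turns the two suppressed bounces into accepts, which is the trade-off the answer above points at: quicker recovery for legitimate endpoints against less protection from a client hammering the RADIUS server.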
06-14-2022 02:13 AM - edited 06-14-2022 02:13 AM
What do you see in the ISE Live Logs when the connection fails?
Verify the config:
http://www.labminutes.com/sec0209_ise_20_3rd_party_nad_aruba_mab_dot1x_2
06-14-2022 09:52 AM
There are many, many timeouts.
Can I see
show auth session for the failed user's interface?
06-15-2022 04:37 AM
Thank you @balaji.bandi @MHM Cisco World for replies.
At the moment we turned off 802.1x on all ports. I will update you later with information you asked for.
Balaji, those two commands are missing from my config:
aaa accounting update periodic 1
aaa accounting network start-stop radius
And to give you more understanding: this problem usually occurs when users close the screen (the laptop enters sleep mode). After they wake the laptop up, it is without successful authentication and authorization for 1 hour. A port bounce does not help.
06-17-2022 01:44 AM
Hi, @balaji.bandi @MHM Cisco World ,
We migrated one switch, but the 802.1x problem has not appeared yet. A similar problem happened with MAB auth.
During migration one device didn't have an Identity Group Assignment in ISE, so its MAB failed. After I assigned the device to a group, port bounces didn't help. After one hour, successful MAB. I attached screenshots. Any suggestions?
06-18-2022 02:37 AM
@MHM Cisco World thank you for your answer,
Shame I couldn't find this community topic.
We are migrating switches back to wired 802.1x. If the problem does not occur again (random 60-minute timeouts for users), I will mark your answer as the solution.
06-18-2022 08:14 AM
Don't worry,
we all face the same at some point.