Solved: Wired 802.1x using ISE and Aruba switches

Pakellmute · ‎06-14-2022

Hello,

We have a wired 802.1x (EAP-TLS) problem using Cisco ISE(RADIUS) and Aruba switches(Authenticators).
Time after time 3-5 users try to connect, but authentication fails (even though they used to connect successfully before). It takes 1hour till they connect successfully. I try to do port-bounce and etc - does not help. Always the same (1hour period till they connect successfully after first fail).
Is there a 1hour timeout somewhere till they can retry to connect?
Any suggestions?

MHM Cisco World · ‎06-17-2022

From cisco community, the event explain why you hold for 1 hr before try auth again.

"""5434 Endpoint conducted several failed authentications of the same scenario:

The reason for it is that "Client suppression mechanism is enabled by default to protect ISE from DoS/DDoS attack. Logic of this mechanism is to check if the client had multiple failed authentication in specified time interval, after this ISE blocks this client for specified time interval.

You can disable this feature in Administration > System > Settings > Radius, Suppress Anomalous Clients. You can change the settings like how long a client should be blocked etc."""

View solution in original post

balaji.bandi · ‎06-14-2022

what you see in the ISE Live Logs when the connection fails ?

verify the config :

https://community.cisco.com/kxiwq67737/attachments/kxiwq67737/4561-docs-security/6061/1/Integration_between_ISE_and_HPE-ArubaOS.pdf

http://www.labminutes.com/sec0209_ise_20_3rd_party_nad_aruba_mab_dot1x_2

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

MHM Cisco World · ‎06-14-2022

there are many many timeout
can I see
show auth session for failed user interface

Pakellmute · ‎06-15-2022

Thank you @balaji.bandi @MHM Cisco World for replies.
At the moment we turned off 802.1x on all ports. I will update you later with information you asked for.
Balaji, those 2 commands are missing in my config:
aaa accounting update periodic 1
aaa accounting network start-stop radius

And to give you more understanding - this problem occurs usually when users close down the screen (laptop enters sleep mode). After they wake up laptop - it is without successful authentication and authorization for 1 hour. Port bounce does not help.

Pakellmute · ‎06-17-2022

Hi, @balaji.bandi @MHM Cisco World ,
We migrated one switch, but 802.1x problem have not appeared yet. Similar problem happened to MAB auth.
During migration one device didn't have Identity Group Assignment in ISE, so it's MAB failed. After I assigned device to a group - port bounces didn't help. After one hour - successful MAB. I attached screenshots. Any suggestions?

MHM Cisco World · ‎06-17-2022

From cisco community, the event explain why you hold for 1 hr before try auth again.

"""5434 Endpoint conducted several failed authentications of the same scenario:

The reason for it is that "Client suppression mechanism is enabled by default to protect ISE from DoS/DDoS attack. Logic of this mechanism is to check if the client had multiple failed authentication in specified time interval, after this ISE blocks this client for specified time interval.

You can disable this feature in Administration > System > Settings > Radius, Suppress Anomalous Clients. You can change the settings like how long a client should be blocked etc."""

Pakellmute · ‎06-18-2022

@MHM Cisco World thank you for your answer,
Shame I couldn't find this community topic.
We are migrating switches back to wired 802.1x. If the problem will not occur again (random 60min timeouts for users) - I will mark your answer as a solution.

MHM Cisco World · ‎06-18-2022

Don't worry,
we all face same in some point.