3652 Views, 0 Helpful, 7 Replies

Wired 802.1x using ISE and Aruba switches

Pakellmute (Level 1)

Hello,

We have a wired 802.1x (EAP-TLS) problem using Cisco ISE (RADIUS) and Aruba switches (authenticators).
Time after time, 3-5 users try to connect, but authentication fails (even though they used to connect successfully before). It takes 1 hour until they connect successfully. I tried a port bounce etc.; it does not help. It is always the same (a 1-hour period until they connect successfully after the first failure).
Is there a 1-hour timeout somewhere before they can retry to connect?
Any suggestions?



1 Accepted Solution

From the Cisco community, this event explains why you are held for 1 hour before you can try to authenticate again:

"""5434 Endpoint conducted several failed authentications of the same scenario:

The reason for it is that "Client suppression mechanism is enabled by default to protect ISE from DoS/DDoS attack. Logic of this mechanism is to check if the client had multiple failed authentications in a specified time interval; after this, ISE blocks this client for a specified time interval.

You can disable this feature in Administration > System > Settings > Radius, Suppress Anomalous Clients. You can change settings like how long a client should be blocked, etc."""
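To make the mechanism in the accepted answer concrete, here is an added Python simulation; it is not code from the thread and not ISE's implementation. It models a RADIUS server that counts failed authentications per endpoint and, once a threshold is crossed inside a detection window, rejects every further request from that endpoint for a fixed rejection interval, even requests that would otherwise succeed. That is exactly why a port bounce with a now-valid supplicant still fails. The 1-hour rejection interval matches what the thread observed; the 5-failure threshold, the 5-minute detection window, the MAC address and the timings in the replayed scenario are assumptions for the example.

```python
"""Simulation of an ISE-style anomalous-client suppression window (added example).

Models the behaviour described in the accepted answer: failed authentications
are counted per endpoint over a detection window; past a threshold, the
endpoint is suppressed for a rejection interval regardless of credentials.
Threshold and window values are assumed parameters, not values from the thread.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class SuppressionPolicy:
    detection_window_s: int = 5 * 60     # assumed: count failures over 5 minutes
    max_failures: int = 5                # assumed: suppress after 5 failures in the window
    rejection_interval_s: int = 60 * 60  # 1 hour, the penalty the thread observed


@dataclass
class RadiusServer:
    policy: SuppressionPolicy = field(default_factory=SuppressionPolicy)
    # endpoint -> timestamps of recent failed authentications
    _failures: dict = field(default_factory=dict)
    # endpoint -> time until which the endpoint is suppressed
    _blocked_until: dict = field(default_factory=dict)

    def authenticate(self, endpoint: str, now: float, credential_ok: bool) -> str:
        """Handle one access request; return 'accept', 'reject' or 'suppressed'."""
        until = self._blocked_until.get(endpoint)
        if until is not None:
            if now < until:
                # Still inside the rejection interval: the request is not even
                # evaluated, so a valid credential or a port bounce changes nothing.
                return "suppressed"
            # Interval expired: forget the block and evaluate normally.
            del self._blocked_until[endpoint]
            self._failures.pop(endpoint, None)
        if credential_ok:
            self._failures.pop(endpoint, None)
            return "accept"
        window = self._failures.setdefault(endpoint, deque())
        window.append(now)
        cutoff = now - self.policy.detection_window_s
        while window and window[0] < cutoff:
            window.popleft()  # failures older than the detection window no longer count
        if len(window) >= self.policy.max_failures:
            self._blocked_until[endpoint] = now + self.policy.rejection_interval_s
            del self._failures[endpoint]
        return "reject"

    def suppressed_for(self, endpoint: str, now: float) -> float:
        """Seconds remaining in the endpoint's rejection interval (0 if not blocked)."""
        return max(0.0, self._blocked_until.get(endpoint, 0.0) - now)


def laptop_wakes_from_sleep(policy: SuppressionPolicy = SuppressionPolicy()) -> list:
    """Replay the thread's scenario: a supplicant that fails a burst of EAP-TLS
    attempts right after wake-up, is port-bounced with valid credentials, and
    only recovers once the rejection interval has expired."""
    server = RadiusServer(policy)
    mac = "00:11:22:33:44:55"  # constructed endpoint identifier
    results = []
    for t in range(5):  # burst of failures in the first seconds after wake-up
        results.append((float(t), server.authenticate(mac, float(t), credential_ok=False)))
    # Admin bounces the port 2 minutes later; the supplicant now presents valid credentials.
    results.append((120.0, server.authenticate(mac, 120.0, credential_ok=True)))
    # Another bounce 30 minutes in: still inside the rejection interval.
    results.append((1800.0, server.authenticate(mac, 1800.0, credential_ok=True)))
    # Just past one hour after the 5th failure, the same request succeeds.
    results.append((3605.0, server.authenticate(mac, 3605.0, credential_ok=True)))
    return results


if __name__ == "__main__":
    for t, outcome in laptop_wakes_from_sleep():
        print(f"t={t:6.0f}s -> {outcome}")
```

Turning the feature off, as the accepted answer suggests, corresponds to removing the suppression step entirely; shortening the rejection interval or raising the failure threshold corresponds to changing `SuppressionPolicy`. Either way the mechanism is there to absorb authentication floods against ISE, so the lower-risk fix is usually to tune the interval and then find out why the supplicant fails repeatedly right after waking, since that burst is what trips the block in the first place.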

7 Replies

balaji.bandi (Hall of Fame)

There are many, many timeouts.
Can I see the output of show auth session for the failed user's interface?

Pakellmute (Level 1)

Thank you @balaji.bandi and @MHM Cisco World for the replies.
At the moment we have turned off 802.1x on all ports. I will update you later with the information you asked for.
Balaji, these 2 commands are missing from my config:
aaa accounting update periodic 1
aaa accounting network start-stop radius

And to give you more understanding: this problem usually occurs when users close the screen (the laptop enters sleep mode). After they wake the laptop up, it is without successful authentication and authorization for 1 hour. A port bounce does not help.

Pakellmute (Level 1)

Hi @balaji.bandi and @MHM Cisco World,
We migrated one switch, but the 802.1x problem has not appeared yet. A similar problem happened with MAB authentication.
During the migration one device didn't have an Identity Group assignment in ISE, so its MAB failed. After I assigned the device to a group, port bounces didn't help. After one hour, MAB succeeded. I have attached screenshots. Any suggestions?


Pakellmute (Level 1)

@MHM Cisco World, thank you for your answer.
Shame I couldn't find this community topic.
We are migrating the switches back to wired 802.1x. If the problem does not occur again (random 60-minute timeouts for users), I will mark your answer as the solution.

Don't worry,
we all face the same at some point.