Wired 802.1X - with shared account?

MikeMoss
Level 1
Level 1

I previously posted an issue of getting Wired ISE and 802.1X working properly with Windows Native Supplicant. That issue was resolved and the deployment of Wired ISE is coming along nicely.

I now have a new issue that popped up recently...

Components:

  • Wired 802.1X
  • ISE 3.2
  • Windows native supplicant (Windows 11 22H2)
  • TEAP (EAP-TLS) / EAP-Chaining
  • Cisco Catalyst 9200 series switches

There are about 200+ users on Wired ISE right now. All 200+ are working just fine. I can see them authenticating in ISE and the EAP-Chaining is good (User and Machine successful).

On top of these 200 users, I have about 20 conference rooms, each with identical settings as everyone else. The only difference here is these conference rooms all share a single Windows domain account and just about everyone knows the password to this account. This is giving me issues. Of the 20 rooms, I have set up about 5 so far - and only 1 is working properly. All others fail EAP and end up authenticating over MAB. I checked certificates/chain/SAN (machine and user), TEAP settings, no Cisco AnyConnect installed, user is in domain security group, etc.

The switchport config is identical to all other users. The Live Logs show a couple of different errors. The 2 that seem to appear the most are:

11515 Supplicant declined inner EAP method selected by Authentication Policy but did not proposed another one; inner EAP negotiation failed

5440 Endpoint abandoned EAP session and started new

I can upload the full live logs, switch config, auth policies, etc. if anyone thinks it will help. But like I said, all this works just fine on everyone else's account, and I thought someone may have an idea just by the description.

TY!

1 Accepted Solution

Accepted Solutions

MikeMoss
Level 1
Level 1

Hi all

I just wanted to give an update that the issue here has been solved. This was not an ISE issue at all. Turns out the previous Network Engineer, who has not been with the company for more than 2 years now, created a User Level GPO and assigned that GPO policy to the shared user account. Unbeknownst to me this GPO was attempting to deploy 802.1X settings using PEAP, whereas the settings I created and deployed were using TEAP. These were causing conflicts between the two, and depending on which ones were actually getting set properly, authentication would or would not work.

I removed his legacy PEAP GPO settings and restarted the troubled workstations and now everything is OK in the world again.
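A quick way to spot this kind of conflict from the affected workstation itself, as an added example that is not part of the original thread: list the wired 802.1X profiles the supplicant actually holds and the user-scope GPOs that were applied, and flag when both PEAP and TEAP show up. It assumes the netsh/gpresult output contains the literal strings "PEAP" and "TEAP" on the profile lines, and that the Wired AutoConfig service (dot3svc) is running so `netsh lan` can answer.

```powershell
# Added diagnostic (not from the thread). Run in an elevated PowerShell on
# the workstation while logged on as the account that fails 802.1X.

# 1. Wired (LAN) profiles known to the Windows native supplicant.
#    Assumption: profile lines mention the EAP method by name (PEAP/TEAP).
$profiles = netsh lan show profiles 2>&1
Write-Host "=== Wired 802.1X profiles ==="
$profiles | Select-String -Pattern 'Profile|Interface|EAP|802\.1X' |
    ForEach-Object { $_.Line.Trim() }

$methods = @()
if ($profiles -match 'PEAP') { $methods += 'PEAP' }
if ($profiles -match 'TEAP') { $methods += 'TEAP' }
Write-Host ("EAP methods found in profiles: " + ($methods -join ', '))

# Two different outer methods on one machine is the symptom seen in this
# thread: a legacy PEAP profile fighting the intended TEAP profile.
if ($methods.Count -gt 1) {
    Write-Warning "Both PEAP and TEAP profiles present - check for a conflicting (user-scope) GPO."
}

# 2. User-scope GPOs applied to the current account (where the legacy
#    policy in this thread was hiding). /scope:user does not need admin.
Write-Host "=== User-scope GPOs applied to $env:USERNAME ==="
gpresult /scope:user /r 2>&1 |
    Select-String -Pattern 'Applied Group Policy Objects' -Context 0,15 |
    ForEach-Object { $_.Line; $_.Context.PostContext }
```

Compare the GPO list with the one from a working user account: a policy that only appears for the shared account is the first thing to inspect.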


6 Replies

MikeMoss
Level 1
Level 1

Just a quick update on this.

I still have no idea what the issue is/was. But as a last resort I pulled one of the troubled conference room machines and gave it to our helpdesk team. They performed a full factory reset, rejoined the domain and let all GPO policies apply to the device - including the 802.1X settings I created. Once everything was applied the machine immediately authenticated properly using both my username AND the shared conference room account that I mentioned in the original post.

So this fixed it - but I still wish I knew what the root cause was. I have plenty more 'broken' conference room machines - guess I'll grab another and keep trying to find the issue.

Can I see the policy set of ISE you use?

MHM

Hello. Sure...

(screenshot: MikeMoss_0-1707922583274.png)

There are more defined rules under that that are all similar. At the very bottom (not pictured) are some MAB rules for printers, cameras, and some random IoT devices.

When the helpdesk team did the factory reset on that device, did they upgrade its firmware by any chance?

Hello

Honestly I'm not sure - I don't believe they did, but I could be wrong. I'll ask.
