02-13-2024 11:29 AM
I previously posted an issue of getting Wired ISE and 802.1X working properly with Windows Native Supplicant. That issue was resolved and the deployment of Wired ISE is coming along nicely.
I now have a new issue that popped up recently...
There are about 200+ users on Wired ISE right now. All 200+ are working just fine. I can see them authenticating in ISE and the EAP-Chaining is good (User and Machine successful).
On top of these 200 users, I have about 20 conference rooms, each with identical settings as everyone else. The only difference here is these conference rooms all share a single Windows domain account and just about everyone knows the password to this account. This is giving me issues. Of the 20 rooms, I have set up about 5 so far, and only 1 is working properly. All others fail EAP and end up authenticating over MAB. I checked certificates/chain/SAN (machine and user), TEAP settings, no Cisco AnyConnect installed, user is in domain security group, etc.
The switchport config is identical to all other users'. The Live Logs show a couple of different errors. The 2 that seem to appear the most are:
11515 Supplicant declined inner EAP method selected by Authentication Policy but did not proposed another one; inner EAP negotiation failed
5440 Endpoint abandoned EAP session and started new
I can upload the full live logs, switch config, auth policies, etc. if anyone thinks it will help. But like I said, all this works just fine on everyone else's account, and I thought someone may have an idea just by the description.
TY!
02-21-2024 09:20 AM
Hi all
I just wanted to give an update that the issue here has been solved. This was not an ISE issue at all. Turns out the previous Network Engineer, who has not been with the company for more than 2 years now, created a User Level GPO and assigned that GPO policy to the shared user account. Unbeknownst to me, this GPO was attempting to deploy 802.1X settings using PEAP, whereas the settings I created and deployed were using TEAP. These were causing conflicts between the two, and depending on which ones were actually getting set properly, authentication would or would not work.
I removed his legacy PEAP GPO settings and restarted the troubled workstations, and now everything is OK in the world again.
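As an added diagnostic (not from the thread), this PowerShell reads the effective wired 802.1X profiles on each NIC and flags a Group Policy profile whose EAP type differs from the local user profile, then lists the user-scope GPOs that applied at last logon. It assumes the `netsh lan show profiles` text layout with "Group Policy Profiles" and "User Profiles" headings and an "EAP type" line per profile.

```powershell
# Added example: spot a PEAP-vs-TEAP mismatch between GPO-pushed and user
# wired 802.1X profiles without rebuilding the workstation. Read-only.
$out = netsh lan show profiles 2>&1 | Out-String
$report = @()

# netsh prints one section per interface, starting "Profile(s) on interface <NIC>:"
foreach ($block in ($out -split '(?m)^Profiles? on interface ')) {
    if ($block -notmatch '^(?<nic>[^:\r\n]+):') { continue }
    $nic = $Matches.nic.Trim()

    # Text before "User Profiles" is the Group Policy (read-only) part (assumed layout)
    $parts    = $block -split '(?m)^\s*User Profiles', 2
    $gpPart   = $parts[0]
    $userPart = if ($parts.Count -gt 1) { $parts[1] } else { '' }

    $eapLine = '(?m)^\s*EAP type\s*:\s*(.+?)\s*$'
    $gpEap   = @([regex]::Matches($gpPart,   $eapLine) | ForEach-Object { $_.Groups[1].Value })
    $userEap = @([regex]::Matches($userPart, $eapLine) | ForEach-Object { $_.Groups[1].Value })

    # Conflict = both sources define a profile and they do not agree on the EAP method
    $distinct = @($gpEap + $userEap | Select-Object -Unique)
    $conflict = ($gpEap.Count -gt 0 -and $userEap.Count -gt 0 -and $distinct.Count -gt 1)

    $report += [pscustomobject]@{
        Interface = $nic
        GpoEap    = ($gpEap   -join '; ')
        UserEap   = ($userEap -join '; ')
        Conflict  = $conflict
    }
}
$report | Format-Table -AutoSize

# Which user-scope GPOs applied at last logon; a stale user-level GPO was the thread's culprit
gpresult /r /scope:user | Select-String -Pattern 'Applied Group Policy Objects' -Context 0,15
```

Run it in the context of the shared conference-room account so the user-scope GPO list reflects that account, not the admin who is troubleshooting.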
02-13-2024 02:11 PM
Just a quick update on this.
I still have no idea what the issue is/was. But as a last resort I pulled one of the troubled conference room machines and gave it to our helpdesk team. They performed a full factory reset, rejoined the domain and let all GPO policies apply to the device, including the 802.1X settings I created. Once everything was applied, the machine immediately authenticated properly using both my username AND the shared conference room account that I mentioned in the original post.
So this fixed it, but I still wish I knew what the root cause was. I have plenty more 'broken' conference room machines; guess I'll grab another and keep trying to find the issue.
02-14-2024 04:46 AM
Can I see the policy set of ISE you use?
MHM
02-14-2024 06:57 AM
Hello. Sure...
There are more defined rules under that that are all similar. At the very bottom (not pictured) are some MAB rules for printers, cameras, and some random IoT devices.
02-14-2024 06:11 AM
When the helpdesk team did the factory reset on that device, did they upgrade its firmware by any chance?
02-14-2024 06:59 AM
Hello
Honestly I'm not sure. I don't believe they did, but I could be wrong. I'll ask.