Wired 802.1x Issue

AbelBurgos5029
Level 1

Hello everyone,

 

I have been working for a while on deploying 802.1x at work. It consists of the following:

 

- Windows 10 workstations (using native supplicant software)

- Cisco Switch 9300 16.12.2r (Authenticator)

- Cisco ISE (Physical appliance) 2.6.0.156 

 

Here is the issue:

I am able to log in with anyone's credentials (it does not matter which user, it works): it authenticates against AD, the dACL is sent to the switch and access is granted. But once I log out and try to log in with different credentials (any credentials), it never authenticates. The NIC keeps saying "attempting to authenticate" but it never happens.

 

The only way to get it to re-authenticate is by bouncing the switch port.

 

Any ideas!?

 

Thank you

Abel

 

4 Replies

balaji.bandi
Hall of Fame

Can you post your config on the switch, and what you see in the logs in ISE when the failed attempt takes place?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Switch Port Config:

description ______
switchport access vlan X
switchport mode access
power inline never
authentication control-direction in
authentication event server alive reinitialize
authentication open
authentication order dot1x
authentication priority dot1x
authentication port-control auto
authentication periodic
authentication timer restart 10
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x max-req 3
spanning-tree portfast
spanning-tree bdpufilter enable
spanning-tree bdpuguard enable

 

In the failed logs on ISE, the log says that the supplicant abandoned the session and started a new one.

Hi,

From your config, the authentication open command is used, which puts the port in monitor mode. This means that connectivity should be present regardless of authentication status.

Coming to your point, can you confirm that CoA is configured and working properly? It doesn't seem to be kicking in, hence your previous authentication session still persists.

***** please remember to rate useful posts
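
As an added example (not part of the thread and not Cisco tooling): a small Python audit that reads an IOS-style running-config and reports which ports combine `authentication port-control auto` with `authentication open`, the state the reply above describes as monitor mode, where connectivity does not depend on the authentication result. The sample config is constructed, with its first port modelled on the one posted above; the function names and state labels are assumptions of this example.

```python
import re

# Constructed sample; Gi1/0/1 is modelled on the port config posted in the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport mode access
 authentication open
 authentication order dot1x
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 switchport mode access
!
"""

def parse_interfaces(config):
    """Return {interface name: [stanza lines]} from IOS-style config text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        match = re.match(r"^interface\s+(\S+)", raw)
        if match:
            current = interfaces.setdefault(match.group(1), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip().lower())  # indented line belongs to the stanza
        else:
            current = None  # "!" or any global line ends the stanza
    return interfaces

def classify_port(lines):
    """Classify one stanza by how 802.1X is applied on the port."""
    if "authentication port-control auto" not in lines:
        return "no-port-control-auto"  # port is not authenticating clients
    if "authentication open" in lines:
        return "monitor-mode"          # traffic allowed regardless of auth result
    return "enforced"                  # access depends on successful authentication

def audit(config):
    """Map every interface in the config to its classification."""
    return {name: classify_port(lines) for name, lines in parse_interfaces(config).items()}

if __name__ == "__main__":
    for name, state in audit(SAMPLE_CONFIG).items():
        print(f"{name}: {state}")
```

The parser relies on the leading-space indentation that `show running-config` output uses for interface sub-commands, so a config pasted without indentation (as in the post above) needs it restored first.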

Hello,

Even with the authentication open command, once I log out of one session and try to log in with different credentials, it just does not authenticate; it keeps saying "attempting to authenticate" but it never does until I bounce the port.

 

When it comes to CoA, I am not super familiar with it. Can you point me in the right direction on how to configure this? All I have configured so far is the dACL, and it works well once the authentication process is completed the first time.
