Client connection aborts after any time on ISE authenticated port

Heiko Kelling
Level 1

Hi,

I am currently testing a simple MAB authentication on a Cisco 2960 with firmware 15.0(2)SE11. The authentication on test port 2 works fine and the client can connect and ping its gateway.

But after an indefinite period (sometimes 10 minutes, sometimes 18 minutes or ~30 minutes) the ping from the Win 10 client to the gateway stops. When the ping has stopped, the switch port is still up, the client still has its IP address, the "show authentication session" command shows Authorized and everything seems to be fine. When the ping stops, the CLI of the switch shows no output (reauthentication or something) and the ISE shows nothing (logical, because the switch performs no authentication).


My switch config:

Building configuration...

Current configuration : 4474 bytes
!
! Last configuration change at 23:31:09 UTC Thu Mar 4 1993 by xxxxxxx
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxx
!
username xxxxxxx secret 5 xxxxxxx
username xxxxxxx secret 5 xxxxxxx
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group radius
aaa authorization exec default group tacacs+ local
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting commands 7 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
!
!
!
!
!
aaa session-id common
system mtu routing 1500
access-session template monitor
!
!
ip domain-name test.com
!
!
crypto pki trustpoint TP-self-signed-1899961600
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1899961600
 revocation-check none
 rsakeypair TP-self-signed-1899961600
!
!
crypto pki certificate chain TP-self-signed-1899961600
 certificate self-signed 01
xxxxxxx
dot1x system-auth-control
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
 description dot1x+mab
 switchport mode access
 authentication order mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 ip address 192.168.126.163 255.255.255.0
!
ip default-gateway 192.168.126.254
ip http server
ip http secure-server
tacacs-server host 192.168.126.162 key xxxxxxx
tacacs-server timeout 1
tacacs-server directed-request
radius-server dead-criteria time 1 tries 1
radius-server host 192.168.126.162 auth-port 1812 acct-port 1813 key xxxxxxx
radius-server deadtime 1
!
!
!
vstack
!
line con 0
line vty 0 4
 transport preferred ssh
 transport input ssh
line vty 5 15
 transport preferred ssh
 transport input ssh
!
end
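As an added reference (this is not the original poster's configuration and not text from the reply), below is an IOS access-port configuration for wired MAB/802.1X with ISE in the style of the wired best-practice guide the reply links to, placed next to the config above so the differences are easy to see: periodic server-driven reauthentication, interim accounting updates, the RADIUS attributes ISE expects, a RADIUS liveness probe, and dead-server detection that is less hair-trigger than "time 1 tries 1 / deadtime 1". The ISE address is taken from the post; the VLAN number, NTP server, probe username and the shared secret are placeholders marked ASSUMED and must be replaced.

```cisco
! Added example config, not the original poster's running-config.
! Lines marked ASSUMED are placeholders chosen for this example.
!
! --- Global AAA / RADIUS ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
! Interim accounting keeps the ISE session and the switch session in sync
aaa accounting update newinfo periodic 2880
aaa session-id common
!
! Attributes ISE uses for profiling and policy matching
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server vsa send accounting
radius-server vsa send authentication
!
! Dead-server detection: with "time 1 tries 1" and "deadtime 1" a single
! lost packet marks ISE dead; these values tolerate transient loss
radius-server dead-criteria time 5 tries 3
radius-server deadtime 15
! ISE address from the post; probe account and secret are ASSUMED placeholders
! (the probe user only needs to exist in ISE; it must get a reject, not an accept)
radius-server host 192.168.126.162 auth-port 1812 acct-port 1813 test username ise-probe idle-time 5 key REPLACE-WITH-SHARED-SECRET
!
dot1x system-auth-control
! Binds the authorized session to the client's IP address (needed for dACLs)
ip device tracking
! ASSUMED NTP server: the posted config timestamp shows the clock unset (1993),
! which makes switch logs impossible to line up with ISE logs
ntp server 192.168.126.1
!
! --- Access port: 802.1X preferred, MAB for headless endpoints, closed mode ---
interface FastEthernet0/2
 description dot1x+mab closed-mode
 switchport mode access
 ! ASSUMED data VLAN
 switchport access vlan 10
 ! Fall through to MAB when 802.1X fails or the endpoint has no supplicant
 authentication event fail action next-method
 ! Fail-open to the data VLAN only while ISE is unreachable, then re-run auth
 authentication event server dead action authorize vlan 10
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! Reauthenticate on the interval ISE returns (Session-Timeout), not a local timer
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 ! Shorter EAPOL timeout so MAB starts sooner for non-802.1X devices
 dot1x timeout tx-period 10
 spanning-tree portfast
```

Two design notes. The "server dead action authorize vlan" pair trades security for availability during an ISE outage; if a closed port during an outage is acceptable, drop those two lines. When the symptom from the post recurs (session Authorized but traffic stops), the state worth capturing on the switch before touching anything is `show authentication sessions interface FastEthernet0/2`, `show mac address-table interface FastEthernet0/2`, `show ip device tracking all`, `show aaa servers` and `show radius statistics`, together with the ISE RADIUS Live Logs for the same minute; with the clock set via NTP, the two sides can actually be correlated.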
Accepted Solution

Jason Kunst
Cisco Employee
I would also recommend posting to the switching team for support and debugging.

Here are the best practices for wired config with ISE (search on the resources page):
https://community.cisco.com/t5/security-documents/identity-services-engine-ise-community-resources/ta-p/3621621#Resources

Make sure you are using code from the ISE compatibility matrix as well:
https://www.cisco.com/c/en/us/support/security/identity-services-engine/products-device-support-tables-list.html
