ISE 2.2 - Wired Guest with Dot1x enabled on Native supplicant

sampathss
Cisco Employee

Hello,

Performing wired guest. On the switch, the authentication order is mab dot1x and the priority is dot1x mab.

Dot1x is enabled on the Native supplicant on the end user PC.

 

Only wired guest is required for this PC. Wired guest redirect works fine; the user gets to the portal and gets access to the internet. MAB is all good at this point.

But after a few minutes, dot1x authentication gets triggered automatically. It looks like the supplicant is sending EAPoL-Start, as it's configured for dot1x.

Dot1x configuration cannot be turned off on the end user PC as per the policy, but we want to do only guest. Can this be achieved from the switch? There is no dedicated switch or ports just for guest access. Sometimes, corp endpoints will be connected to that switchport and do dot1x.

 

Thanks

Sampath
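As an added example (not configuration from the original post), this is the legacy-style (IBNS 1.0) access port the question describes, with the authentication order and priority lines as stated. The interface name, VLAN and timers are assumptions; the URL redirect that makes wired guest work is returned by ISE with the MAB authorization and is not shown here.

```ios
! Added example of the legacy (IBNS 1.0) port configuration described above.
! Interface name, VLAN and timers are assumed; the order/priority lines are
! the ones the question states.
interface GigabitEthernet1/0/10
 description Shared port: corp dot1x endpoints or wired guests (MAB)
 switchport mode access
 switchport access vlan 100
 ! Try MAB first so a guest PC gets the portal redirect without waiting
 ! for dot1x to time out...
 authentication order mab dot1x
 ! ...but rank dot1x higher: an EAPoL-Start received while the MAB session
 ! is authorized starts dot1x, and a successful dot1x result replaces the
 ! MAB session. This is the behaviour the question observes.
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

With `dot1x pae authenticator` on the port, the switch answers any EAPoL-Start from the supplicant regardless of `authentication order`; `show authentication sessions interface GigabitEthernet1/0/10 details` shows which method currently holds the session and whether the MAB result was replaced by dot1x.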

6 Replies

Mike.Cifelli
VIP Alumni
Can you share your switchport configs? Are you pushing re-auth timers via switch configs OR via ISE authz policy?

Jason Kunst
Cisco Employee

I have asked our SME to take a look as well

 

@mnagired 

mnagired
Cisco Employee

Hi,

We could just do MAB on the port for guest access, but you also mentioned there are times when a corp endpoint will get connected, so we definitely need dot1x active on the port, and with dot1x active, in case it receives an EAPoL packet from the endpoint, it definitely restarts dot1x.

 

Is your switch using IBNS 1.0 (legacy style) or 2.0 style configs?

Another option I can think of is using some kind of interface macro to configure the port for guest access and revert after link down.

Would also like to take a look at the port config and/or what ISE is sending back for any timers, per what Mike said earlier. There should be a way (for example) to re-auth for MAB even though priority might be 1X first, but need to know what's driving the supplicant to do this. Also, what type of supplicant?

This is with the Windows native supplicant. Switches are using the legacy style. No re-auth timers are sent from ISE.

 

At this point we have asked them to use a dedicated switch just for wired guest instead of doing both dot1x and MAB on the same switch port.

 

Thank you.

Hi,
I think this is the better approach because I don't see how the switch will differentiate between corporate clients and guests since dot1x is enabled on all endpoints.