Beginner

ISE 802.1x and Windows Logoff

Hi Guys,

I have an ISE that works fine using 802.1x, but we see a strange behavior when the client just logs off the Windows machine: after the client logs in again, the machine does not authenticate and gets stuck with a message "not possible to authenticate". Then I need to unplug the cable from the machine and plug it in again; after this everything works fine.

This happens only when using Windows logoff.

Could someone help me with it?

Thanks a lot

5 REPLIES 5
Enthusiast

ISE 802.1x and Windows Logoff

Need more detail. What config have you got on the switchport, and what authentication config have you got on the client?

Beginner

Re: ISE 802.1x and Windows Logoff

Hi Rik,

I am using this configuration.

    interface GigabitEthernet3/33
     switchport access vlan 22
     switchport mode access
     switchport voice vlan 23
     ip access-group ACL-DEFAULT in
     logging event link-status
     authentication event fail action next-method
     authentication host-mode multi-domain
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication violation restrict
     mab
     snmp trap mac-notification change added
     snmp trap mac-notification change removed
     dot1x pae authenticator
     dot1x timeout tx-period 10
     qos trust device cisco-phone
     spanning-tree portfast
     spanning-tree bpduguard enable
     service-policy input AutoQos-4.0-Cisco-Phone-Input-Policy
     service-policy output AutoQos-4.0-Output-Policy

The clients are using the NAC Agent as the way to perform posture.

If I unplug the cable and plug it in again, everything works fine, but if the client logs off and after a time logs in again, the NIC cannot be authenticated.

thanks a lot

Cisco Employee

ISE 802.1x and Windows Logoff

So it's MDA, which means a PC is connected behind the phone. If I'm not wrong, the CDP Enhancement for Second Port Disconnect works fine when we plug/unplug the cable, but when a user logs off it doesn't (only if we are using Cisco phones). In order to clear the sessions, the switch needs to detect link state for devices connected behind IP phones.

Are we using 802.1x or MAB on the Windows PCs?

Can we also look at the debugs when clients are unable to authenticate?

show authentication session interface

debug dot1x all

Jatin Katyal
- Do rate helpful posts -

Beginner

Hi Jatin,

I was looking for some information on the forum and am having exactly the problem that you put in your post: users have the PC connected behind the IP phone. Some users lose authentication, and it only comes back when they plug/unplug the cable.

How did you manage to solve this problem?

Thank you.

Fernando Silva

Enthusiast

ISE 802.1x and Windows Logoff

And have you got Machine Authentication enabled on the Clients?