
PXE boot with dot1x

Hi guys.

We have a dot1x ISE-based solution running for a customer. Everything seems to work fine. Now they have a new requirement for clients with PXE boot. These are laptops with no image on them, at least when they connect to the network. These laptops connect behind the IP phone, as the customer is using a VoIP solution.

The problem I am facing is that when I configure dot1x with authentication order dot1x mab, the PXE boot fails as it times out. If I configure authentication order mab dot1x, the PXE boot works fine, but I end up with unnecessary log entries showing that ISE tried to authenticate the phone with MAB, failed, and then tried dot1x. This means unnecessary logs and traffic in the network.

Which timer, or what else, should I configure so that the PXE boot works fine and the phone uses dot1x?

Has anyone seen that, or does anyone have any ideas?

Thanks a lot.


8 Replies
Beginner

Re: PXE boot with dot1x

Does your client use WinPE for deployment? I have this same issue right now with PXE timing out, and we're working on it this way:

http://support.microsoft.com/kb/972831

I haven't found any way to tweak the timers to help this problem, but I'd be interested to know if anyone else has.

PXE boot with dot1x

Did you ever get your issue figured out?

Beginner

PXE boot with dot1x

We got PXE boot working with authentication order dot1x mab by setting

dot1x timeout tx-period 1

on the switchports (after a lot of experimentation)

Phaon

Cisco Employee

Re: PXE boot with dot1x

You might even try something like this on your switchport config.

authentication order mab dot1x
authentication priority dot1x mab

dot1x timeout tx-period 5 (I usually use somewhere between 5-10 for this setting)

This will allow MAB to happen first.  Just make sure your endpoint doesn't match another policy and your default authorization policy is set to deny access.  This should work unless your default is being used to default to a central web auth or something else.

I wouldn't advise dropping the "dot1x timeout tx-period" much below 5 as you may cause timeouts on your 802.1x configured supplicants and unnecessary retries.  Just my opinion.

Re: PXE boot with dot1x

I have had problems with IAB (critical auth) when setting the following configuration:

authentication order mab dot1x

authentication priority dot1x mab

Now I might be doing something wrong, but as I understand it, when critical auth recovery occurs it reauths using the first method and then stops. The drama with this is that all 802.1x clients must manually connect and reconnect to the port or they are subject to MAB.

Beginner

Re: PXE boot with dot1x

dot1x timeout tx-period 1 helped me!

dot1x timeout tx-period 5 was also working but takes a little bit more time...

Thank you

Beginner

Re: PXE boot with dot1x

Everything working for PXE. We are about to venture down this road. Just curious how you are handling PCs out of the box?

Auth-fail VLAN? Guest VLAN? Dedicate ports for initial imaging?


Beginner

Re: PXE boot with dot1x

That's sort of how I think I'm going to do it. Going to use dot1x open. Oh pxe booting.
