
Reauthentication Problem in Endpoints Using Cisco ISE 1.1

sachpednekar
Level 1

Hi,

Can anyone suggest why, if a laptop/desktop goes into sleep mode or stays connected to an interface configured for 802.1X for more than 12 hours, it does not work or does not connect to the Exchange server, Cisco ISE console, Office Communicator...

For reauthentication I need to restart the PC/laptop or unplug and replug the LAN cable!

But before restarting I am able to ping all DNS, DHCP, OCS, everything....

Below is the interface configuration:

sh running-config interface gigabitEthernet 3/0/19
Building configuration...

Current configuration : 909 bytes
!
interface GigabitEthernet3/0/19
description Access Ports
switchport access vlan 309
switchport mode access
ip access-group ACL-ALLOW in
no logging event link-status
power inline never
srr-queue bandwidth share 1 60 30 10
srr-queue bandwidth shape 10 0 0 0
priority-queue out
authentication control-direction in
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
mls qos trust dscp
dot1x pae authenticator
dot1x timeout tx-period 10
no cdp enable
spanning-tree bpduguard enable
spanning-tree guard loop
service-policy input access_in
ip dhcp snooping limit rate 20
end

7 Replies

Tarik Admani
VIP Alumni

Hi

When the machine is in this state, can you issue a "show authentication sess interface gig 3/0/19"? You should be able to see what state the client is in. Also, do you see any events in the monitoring and reporting section in ISE at this time? I have seen that when a machine is locked this port stays up and you do not have to reauthenticate.

thanks,

Tarik Admani
*Please rate helpful posts*

debug radius

debug authentication all

What happens if you restart the Wired Autoconfiguration service?

Tabish Mirza
Level 1

Hi Sachin,

How did you solve this issue? I am getting the same problem.

Please help me.

Thanks

Sent from Cisco Technical Support iPhone App

Hi Tabish,

I have made the below changes on the interface, which are shown in bold letters!

In my configuration the authentication order was wrong, and you can give the reauthentication timer through the interface as well as through the server.

In my configuration I have configured it to the ISE server.

authentication control-direction in
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
mls qos trust dscp
dot1x pae authenticator
dot1x timeout tx-period 10

If you need any more information please reply back, and if possible send me the interface configuration.

Thanks,

Sachin

Hi Sachin,

Thanks for your prompt response. Here is the port configuration. My users are connected behind a Cisco IP Phone and we are using CWA for wired guest as well.

interface GigabitEthernet0/1
switchport access vlan 120
switchport mode access
switchport voice vlan 121
authentication event fail action next-method
authentication event server dead action reinitialize vlan 120
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 60
spanning-tree portfast
ip dhcp snooping limit rate 30

Thanks

Hi

Change authentication order to dot1x mab



Sent from Cisco Technical Support iPhone App

Naveen Kumar
Level 4

Authentication order:

switch(config-if)# authentication order [dot1x | mab] | {webauth}
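
As an added example (not code from any poster or from Cisco), this Python check applies the thread's resolution to a saved running-config: it flags authenticating ports whose order is still `mab dot1x`. It also goes one step beyond the thread and flags ports where the reauthentication timer is set but `authentication periodic` is absent. The function names and the sample config are constructed for illustration.

```python
# Constructed sample config (not from the thread): two 802.1X access ports.
SAMPLE_CONFIG = """\
interface GigabitEthernet3/0/19
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
!
interface GigabitEthernet3/0/20
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication timer reauthenticate server
!
interface GigabitEthernet3/0/21
 switchport mode access
!
"""

def parse_interfaces(config):
    """Map each interface name to its stanza lines (indentation optional)."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = stanzas.setdefault(line.split(None, 1)[1], [])
        elif line in ("!", "end"):
            current = None          # stanza separator in show running-config
        elif line and current is not None:
            current.append(line)
    return stanzas

def audit(config):
    """Return {interface: [findings]} for ports running 802.1X/MAB."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "authentication port-control auto" not in lines:
            continue                # port does not authenticate endpoints
        issues = []
        if "authentication order mab dot1x" in lines:
            issues.append("order is 'mab dot1x'; thread fix was 'dot1x mab'")
        if ("authentication timer reauthenticate server" in lines
                and "authentication periodic" not in lines):
            issues.append("reauthenticate timer set without 'authentication periodic'")
        if issues:
            findings[name] = issues
    return findings
```

Call `audit()` with the text of a saved `show running-config`; it also accepts stanzas pasted without indentation, as they appear in this thread.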