After deploying ISE, I'm encountering a problem with a few desktop users, as the authentication is very slow (1-3 hours) when they connect a LAN cable to their desktop.
Is this a problem with ISE? How can I troubleshoot this? Sometimes I need to continuously restart the desktop to get authenticated to the LAN network (i.e., to get the proper domain network; I usually get "network 3" or "network 1" instead of getting abc.com (<-- just an example)).
This problem is only with a few desktop users. Most of the desktops work fine.
Is this a problem with the domain controller?
Or a dot1x authentication issue (but ISE shows authentication success)?
"network 3" or "network 1" instead of getting abc.com
I guess you are not deploying all workstations using central deployment (images/domain policies)
-> you need to manually configure on those clients that "network 3" and "network 1" (IP subnets) are also used for known corporate networks and that this is not a public or home network.
Or you have not added them to Active Directory Sites and Services.
What is the exact version of ISE (including patch level)?
I use 18.104.22.168 with 8 patches.
Whoa. That is old & buggy. Y'sure you don't want to upgrade to something more recent?
All I can say is ISE didn't mature until 2.1 and we didn't deploy ISE until 2.0.
However, I've never seen or heard of anyone taking an hour to login.
You may need to check DNS and verify that your end devices get the correct suffix when an IP address is assigned from the DHCP server. If you have a firewall that does AD/LDAP authentication for internet services, also verify that this is successful once connected to the network.
Upgrading from 1.2 to 2.x is a major update; you might rather consider starting up new ISE node(s) and migrating your current nodes over to the new ones to mitigate any risk. The most stable release out at the moment is 2.2.
1) This problem is only with a few desktop users
That is, the user sometimes gets Network 3 or network 2 instead of getting abc.com and takes a long time to get abc.com, or I need to restart the device several times to get abc.com.
-> Can you drill this down to a specific brand/model/hw-version/OS of the workstation?
I suggest checking the network drivers + configuration on the clients.
dot1x should be the first method used when connecting to the network.
2) You've given little information about your network and ISE setup.
Do you use a guest or quarantine VLAN before assigning the corporate VLAN after authorization?
3) It looks to me like these clients do not receive an IP address from the DHCP server,
but reuse an address previously assigned on another network while the lease time is still valid
-> start from the bottom!
- When displaying "network3", does this client have a correct IP address?
- Is this acquired from the correct DHCP server?
- Is the other DHCP information correct?
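
The bottom-up checks listed in the replies (network profile name, IP address, DHCP server, DNS suffix) can be collected in one pass on an affected Windows desktop. This is an added example, not part of the original thread; the expected DHCP server and subnet prefix are constructed placeholders, and abc.com is the example domain from the question.

```powershell
# Assumed site values: replace with your own (placeholders, not from the thread).
$ExpectedSuffix = 'abc.com'        # example domain used in the question
$ExpectedDhcp   = @('192.0.2.10')  # constructed placeholder DHCP server address
$ExpectedPrefix = '192.0.2.'       # constructed placeholder corporate subnet prefix

$profiles = Get-NetConnectionProfile
$adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'

foreach ($p in $profiles) {
    # Match the Windows network profile ("Network 3", "abc.com", ...) to its adapter.
    $a = $adapters | Where-Object { $_.InterfaceIndex -eq $p.InterfaceIndex }
    if (-not $a) { continue }

    $ipv4     = @($a.IPAddress | Where-Object { $_ -notmatch ':' })
    $findings = @()

    # A profile named "Network N" that is not DomainAuthenticated means the client
    # could not identify the domain network, even if 802.1X itself succeeded.
    if ($p.NetworkCategory -ne 'DomainAuthenticated') {
        $findings += "profile '$($p.Name)' is $($p.NetworkCategory), not DomainAuthenticated"
    }
    if (-not $a.DHCPEnabled) {
        $findings += 'DHCP is disabled (static address)'
    } elseif ($a.DHCPServer -notin $ExpectedDhcp) {
        $findings += "lease came from unexpected DHCP server $($a.DHCPServer)"
    }
    if ($ipv4 | Where-Object { $_ -like '169.254.*' }) {
        $findings += 'APIPA address: no DHCP answer was received'
    }
    # An address outside the corporate subnet suggests a lease kept from another network.
    if (-not ($ipv4 | Where-Object { $_.StartsWith($ExpectedPrefix) })) {
        $findings += "no IPv4 address in expected subnet $ExpectedPrefix*"
    }
    if ($a.DNSDomain -ne $ExpectedSuffix) {
        $findings += "DNS suffix is '$($a.DNSDomain)', expected '$ExpectedSuffix'"
    }

    [pscustomobject]@{
        Interface     = $p.InterfaceAlias
        Profile       = $p.Name
        IPv4          = $ipv4 -join ', '
        DhcpServer    = $a.DHCPServer
        LeaseObtained = $a.DHCPLeaseObtained   # compare with the time the cable was plugged in
        Findings      = if ($findings) { $findings -join '; ' } else { 'OK' }
    }
}
```

Run it on a desktop while it shows "network 3" and again once it shows the domain name; the difference between the two outputs shows which layer (DHCP, DNS suffix, or domain detection) is failing.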