10-23-2018 03:44 AM - edited 07-05-2021 09:21 AM
Hi All,
After deploying ISE , I'm encountering some problem with the few desktop users as the authentication is very slow (1-3 hours) when they connect LAN cable to their desktop.
Is this the probelm with ISE? How can i troubleshoot this? Sometimes i need to continuous restart the desktop to get authenticated to LAN network. ( Ie; to get the proper domain network, I usually get "network 3" or "network 1" instead of getting abc.com (<-- Just an example)
This problem is only with few desktop users. Most of the desktop works fine.
Is this the problem with domain controller ?
or dot1x Authentication issue ( But ISE shows Authentication success)?
Please Help!!
10-23-2018 06:20 AM
"network 3" or "network 1" instead of getting abc.com
I guess you are not deploying all workstations using central deployment (images /domain-policies)
-> you need to manually configure on those clients that "network 3" and "network 1" (IP-subnets) are also used for known corporate networks and this is not a public or home network.
or you have not added them to active directory sites and services
10-23-2018 08:19 AM
10-23-2018 02:41 PM
What is the exact version of ISE (including patch level)?
10-23-2018 08:24 PM
10-23-2018 09:08 PM
10-23-2018 09:29 PM
@Rickey369 wrote:
I use 1.2.1.198 with 8 patches.
Whao. That is old & buggy. Y'sure you don't want to upgrade to something more recent?
10-23-2018 09:49 PM
10-23-2018 09:50 PM - edited 10-23-2018 09:52 PM
All I can say is ISE didn't mature until 2.1 and we didn't deploy ISE until it 2.0.
However, I've never seen or heard of anyone taking an hour to login.
10-23-2018 09:52 PM
10-23-2018 09:56 PM
10-23-2018 11:28 PM
10-24-2018 12:13 AM
You may need to check DNS, verify your end devices get the correct suffix when an IP address is assigned from the DHCP server. If you have a firewall that does AD/LDAP authentication for internet services, also verify that this is successful once connected to the network.
Upgrading from 1.2 to 2.x is a major update, you might consider rather starting up a new ISE node/s and migrate your current nodes over to the new ones to mitigate any risk. The most stable release out at the moment is 2.2.
10-24-2018 01:20 AM
1) This problem is only with few desktop users
That is the user sometimes get Network 3 or network 2 instead of getting abc.com and take long time to get abc.com or i need to restart the device several times to get abc.com.
-> can you drill this down to specific brand/model/hw-version/OS of the workstation?
I suggest checking the network drivers + configuration on the clients
dot1x should be the first method used when connecting to the network
2) you've given little information about your network and ISE setup
do you use a guest or quarantine vlan? before assigning the corporate vlan after authorization?
3) It looks to me like these clients do not receive IP-address from dhcp-server,
but reuse an address previously assigned at another network while the lease-time is still valid
-> start from the bottom!
- when displaying "network3"does this client have a correct ip-address
- is this acquired from the correct dhcp server?
- are other dhcp information correct?
10-25-2018 10:10 PM
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide