
Wireless 802.1x Authentication with ISE & Windows supplicant stopped working

cherie13653
Level 1

I have configured ISE for wireless 802.1x authentication for a client.  The WLC is a 5508 running version 8.3.150.  ISE is version 2.4 Patch 8. 

 

We had been testing Windows 10 and 7 laptops with the Windows native supplicant. We performed successful testing with machine authC and then disabled the machine authC rule and tested user authC.

 

We decided to use Machine authentication so non-corporate devices couldn't connect to the internal SSID. 

 

A few weeks ago it all stopped working. Our test user attempts to connect to the SSID and his laptop constantly shows 'connecting'. ISE live logs show a successful authentication, but the repeat counter increments every few seconds. When you look at the client MAC address on the controller, it shows it is associated with the SSID, but the IP address is 0.0.0.0 and the state is '802.1x REQD'. The user never gets network access. We have attempted this with Windows 10 and Windows 7 laptops, first attempting machine authentication; when that was unsuccessful, we tried user authentication and had the same results.

 

Layer 2 security on the SSID is WPA + WPA2 using AES encryption on WPA2 policy and 802.1x for key management.

 

Cisco has published a bug for this. The condition is using WPA2. The workaround is to use WPA, but that does not fix the issue. Cisco TAC is telling me it is a Microsoft problem. Attached is a debug file from the WLC.


Has anyone run into this and how did you resolve it?

 

 

8 Replies

Jaderson Pessoa
VIP Alumni
Could you share your policy for this SSID on ISE?

Normally it is a wrong configuration or the controller is not registered at RADIUS.
Jaderson Pessoa

The configuration on the WLC and ISE did not change. It was working up until a few weeks ago and then stopped. We see what looks like successful authentication on ISE. If we set up an internal test user in the ISE user database and test authentication on the CLI of the WLC, it is successful. It's like there is a problem between the Windows supplicant and the WLC. The repeat counter on ISE for successful authentications keeps incrementing every few seconds while the WLC and Windows supplicant seem to be stuck.

The authentication rule in the policy is the default rule and the identity source sequence is AD then internal ISE database.

The authorization rule is that the computer is in AD Domain Computers; the authorization profile is a permit all.

patoberli
VIP Alumni
Is the certificate by any chance no longer valid?
Have you tried to reboot the ISE?

I did try rebooting ISE. The certificates were just issued a few months ago and are valid until June of 2021.

Are you able to share WLC and ISE configuration?
Jaderson Pessoa

As mysteriously as it stopped working, it started working again today. Our client had patches from Microsoft pushed to his laptop yesterday and now the Windows 10 devices that were not working for the last 2 - 3 weeks are now working. So are the Windows 7 laptops.

Just for documentation, could you ask which patches he had installed previously (the client's previous patch cycle) and which ones he has installed now?
