06-28-2019 06:49 AM
Hi Guys,
I am encountering an issue in my environment with ISE. We have deployed machine AND user authentication using MAR only. Every morning, my users have no issues connecting to the network, either wired or wireless, but after lunch time I observed that some of the endpoints that came back from sleep/hibernate mode cannot authenticate anymore. Based on the logs, I noticed that ISE is not seeing that the endpoint has successfully authenticated, hence it gives the deny profile. This is not the behavior we expected, because the endpoint had undergone machine authentication in the morning.
So far, what I did was change the MAR aging time from the default 5 hours to 9 hours, but the issue is still the same.
Thanks for the help.
06-28-2019 09:05 AM
Can you post the details of the deny that ISE is sending? I suggest looking into whether MAR is the cause of the deny or something else is in play. In general, the Windows native supplicant doesn't do well after hibernation and may fail to do 802.1X authentication, hence the failure.
06-28-2019 09:21 AM
Hi @howon ,
Thanks for the feedback. Unfortunately, I cannot provide a screenshot as per our policy.
But the phrase below is the one I noticed:
"ISE has not confirmed locally previous successful machine authentication for user in Active Directory"
The setup of my authorization policy is: when the machine passes, it goes to a QVLAN; then, when the user passes AND WasMachineAuthenticated = True, the user VLAN is assigned.
Based on my understanding of the log, ISE can't confirm whether machine auth was successful, hence it goes to my default deny profile.
How to resolve this issue?
Thanks
06-28-2019 06:15 PM
When experiencing the issue, if the user disconnects the interface and reconnects, does it successfully connect with MAR? Also, can you post the interface configuration and the result of 'show authentication session interface Gig x/y/z detail' when experiencing the issue?
07-01-2019 04:26 AM
Hi @howon
Thanks for the feedback. We observed it on wireless connections only, because most of the time the endpoint is connected via wireless. They need to reboot the machine for the authentication to work again.
Thanks
07-01-2019 02:53 PM
You might need this -- Enable MAR Cache Distribution