04-11-2018 12:40 AM
Hi
I have a client that is using Windows 10 machines. The machine onboards without any issues, but every week or so the machine does not send the user authentication and wants to onboard again. Where do I look to get this resolved?
ISE version 2.2
Switch 3850
3CPL on the ports
policy-map type control subscriber ISE-PORTS-Configuration
 event session-started match-all
  10 class always do-all
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20
 event agent-found match-all
  10 class always do-all
   10 authenticate using dot1x
   20 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
 event violation match-all
  10 class always do-all
   10 restrict
 event authentication-failure match-all
  10 class AAA-DOWN do-all
   10 authorize
   20 activate service-template CRITICAL
   30 terminate dot1x
   40 terminate mab
  20 class DOT1X-FAILED do-all
   10 authenticate using mab
04-12-2018 01:48 PM
Not clear what is meant by "onboards every two days" -- does it actually go through some type of onboarding flow, or simply lose connectivity?
General troubleshooting prior to opening case with Microsoft and possibly Cisco TAC:
- Are other clients working as expected?
- Is issue isolated to specific Windows version, or switch, switch model, version, or config?
- What is triggering event for endpoint to restart auth? CoA? Session timeout? Other?
- Is there a periodic event that correlates to the 2 day period such as session timer or other?
- Does logoff /login resolve? Reboot resolve? Plug/unplug of device?
- Is PC behind phone which may interfere with communications?
Craig
04-13-2018 01:00 AM
Does logoff /login resolve? Reboot resolve? Plug/unplug of device? Yes, this does work.
User auth does not happen and then hits default rule to onboard.
04-14-2018 05:09 PM
Please take a look at the comment posted by edondurguti at How To: Universal IOS Switch Config for ISE.
04-17-2018 11:35 PM
Not a helpful post; the one below was used:
How To: Universal 3850 Wired Class-based Policy Language (C3PL) Configuration for ISE
04-17-2018 11:37 PM
Hi
It seems the user disconnects from the port, goes home, and the next morning when he plugs his PC back in, no authentication happens. For the moment it looks like Windows 10 machines.
04-18-2018 03:57 AM
It will be difficult to troubleshoot, especially with such limited info.
Still not clear what "onboard" exactly means, whether simple connection to network or transition to BYOD flow. Many questions are unanswered, and the one that was answered about reboot/disconnect is later contradicted. For example, you earlier state that unplug/plug of device works, but then say that user disconnect/reconnect may result in no auth.
By saying "it looks like Windows 10 machines", does that mean all other Windows clients are working as expected?
When the user disconnects, does the switch properly reflect auth status via 'show auth status int <interface>'? Is the session cleared at the switch? Does ISE consider the session still connected? Again, if connecting through an intermediate phone switch, then that too can complicate signals to the switch.
You can also try responses to Windows 10 connectivity such as following: https://social.technet.microsoft.com/Forums/en-US/bc0a05a4-c62d-41a2-9ea3-79b589829a7e/windows-10-8021x-wired-authentication-issue?forum=win10itpronetworking
04-18-2018 11:08 PM
Hi, thanks for the reply.
Tried the link below; still an issue.
You can also try responses to Windows 10 connectivity such as following: https://social.technet.microsoft.com/Forums/en-US/bc0a05a4-c62d-41a2-9ea3-79b589829a7e/windows-10-8021x-wired-authentication-issue?forum=win10itpronetworking
I am looking for assistance on the C3PL configuration rather than looking at the machine issue now. I might have left some stuff out from the normal way of configuration.
Here is the updated C3PL configuration. I need verification that the below is either good or needs some adjustments.
policy-map type control subscriber ISE-PORTS-Configuration
 event session-started match-all
  10 class always do-all
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20
 event authentication-failure match-all
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
   30 authentication-restart 30
  10 class AAA-DOWN do-all
   10 authorize
   20 activate service-template CRITICAL
   30 terminate dot1x
   40 terminate mab
  20 class DOT1X-FAILED do-all
   10 authenticate using mab
   20 authentication-restart 30
  40 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event agent-found match-all
  10 class always do-all
   10 authenticate using dot1x
   20 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
 event violation match-all
  10 class always do-all
   10 restrict

 authentication periodic
 authentication timer reauthenticate server
 access-session host-mode multi-domain
 access-session control-direction in
 access-session port-control auto
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy type control subscriber ISE-PORTS-Configuration
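As an added example (not from this thread and not a Cisco tool), a small Python check that parses a C3PL policy-map and flags class names referenced within one event that differ only in '-' versus '_' or in case, which is the first thing a reviewer would want to confirm against the switch's configured class-maps before reasoning about the event logic. The sample input is the authentication-failure event copied from the updated configuration above; the parser format assumptions (indented "event", "N class", and action lines) are mine.

```python
import re
from collections import defaultdict

# Constructed sample: the authentication-failure event from the posted policy-map.
POLICY = """\
policy-map type control subscriber ISE-PORTS-Configuration
 event authentication-failure match-all
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
   30 authentication-restart 30
  10 class AAA-DOWN do-all
   10 authorize
   20 activate service-template CRITICAL
   30 terminate dot1x
   40 terminate mab
  20 class DOT1X-FAILED do-all
   10 authenticate using mab
   20 authentication-restart 30
  40 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
"""

EVENT_RE = re.compile(r"^\s*event (\S+)")
CLASS_RE = re.compile(r"^\s*(\d+) class (\S+) (do-\S+)")


def parse_policy(text):
    """Return {event: [(seq, class_name, mode, [action, ...]), ...]} (assumed layout)."""
    events, cur = defaultdict(list), None
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            cur = m.group(1)
            continue
        m = CLASS_RE.match(line)
        if m and cur:
            events[cur].append((int(m.group(1)), m.group(2), m.group(3), []))
        elif cur and events[cur] and line.strip():
            # Action line: drop the leading sequence number, keep the verb and arguments.
            events[cur][-1][3].append(line.strip().split(" ", 1)[1])
    return dict(events)


def lint_policy(text):
    """Flag class names in one event that collide after normalising '-'/'_' and case."""
    findings = []
    for event, entries in parse_policy(text).items():
        seen = defaultdict(list)
        for seq, cls, _mode, _actions in entries:
            seen[cls.lower().replace("-", "_")].append((seq, cls))
        findings.extend((event, key, refs) for key, refs in seen.items() if len(refs) > 1)
    return findings
```

On the sample above it reports that sequences 5 and 20 of authentication-failure reference DOT1X_FAILED and DOT1X-FAILED; only one of those can match a class-map actually defined on the switch, so the other entry should be checked with `show class-map type control subscriber`.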