Re: ISE 2.4 and PC in sleep mode - URGENT

rshehov · ‎08-21-2019

HI all,

I hope everyone is doing well.

One of my health care customers is currently facing issue with ISE 2.4 in regards of authentication authorization when it comes down to PC coming back from sleep mode. Do we have recommendations, workaround in regards of this issue please ?

The customer is having Win7 and Win 10 devices connected to a switch or connected to IP phone.

Any input is greatly appreciated.

Thank you in advance.

Regards

Ross

Mike.Cifelli · ‎08-21-2019

Do you enforce re-auth timers? Have you thought about or looked into enabling wake on lan on your hosts?

rshehov · ‎08-22-2019

We are looking for long time so the timer option is not a valid option in this case.

Arne Bier · ‎08-21-2019

Can you please describe the problem in more detail?

Native Windows supplicant? And if so, how is it configured ? (User Auth only - or machine only, or both ?)

From memory I think this may be expected behaviour if you do machine auth only and the machine goes to sleep. Machine wakes up but does not perform machine auth, since it believes nothing has changed (verify state of that switch interface with the show access-session command). At the login screen the user logs on and doesn't get authenticated on the network, because machine auth is configured.

rshehov · ‎08-22-2019

Yep. We are using the Win 7 win 10 native supplicant here. Machine Auth :)

supporto rai · ‎08-22-2019

Hi,

I am afraid we need some more information

0)What kind of error do you see? Authentication error logged on ISE or timeout/no response error logged on the SWITCH?

1)Which is current native windows supplicant configuration in term of EAP methods and authentication type (Machine and user, machine only , user only)

2)Which are switches models/versions

3)How is the switch port configured?

4)Is MAR involved, if so with with timers?

5)Is the error in play only when the PC is connected to a phone? If yes which is the model of the phone?

Regards

MM

MambaRod16 · ‎02-21-2021

Hi all,

I am having the same authentication and authorization issue when it comes down to PC coming back from sleep mode.

When the PC is in sleep mode ISE tries to authenticate with the mac address of the PC which does not match any rule and ends in the deny implicit rule.

Machine wakes up but does not perform machine auth. At the login screen user logs on and doesn’t get authenticated on the network.

Do we have recommendations, workaround in regards of this issue please ?

Should I check something in the switch configuration?

marco.merlo · ‎02-22-2021

I think it's quite unlikely you are hitting one of these old MS bugs

kb980295 (https://mskb.pkisolutions.com/kb/980295)

https://support.microsoft.com/it-it/topic/802-1x-authentication-fails-after-you-connect-a-computer-to-a-network-in-windows-7-sp1-or-windows-server-2008-r2-sp1-14256ada-77ae-4496-01d7-85e442f7d120

but if the PC does not perform dot1x authentication after resume usually is a windows side issue.

Anyway in order to give a deeper look, some piece of information is missing

1)Which is current native windows supplicant configuration in term of EAP methods and authentication type (Machine and user, machine only , user only)

2)Which are switches models/versions

3)How is the switch port configured?

4)Is MAR involved, if so with with timers?

5)Is the error in play only when the PC is connected to a phone? If yes which is the model of the phone?

Regards

MM