
ISE Wired 802.1X problem

kingstdz
Level 1

Hi

We have deployed Cisco ISE with a wired policy for 802.1X and a NAM profile. After plugging in the cable, the computer connects and succeeds in AnyConnect. After a few seconds of working fine, all internet traffic in the browser gets connection resets, and the local network normally works, but sometimes it is blocked too. I disable and enable the network, the connection returns to working, and the block repeats.

I have verified that the ACL is normal. Please, any help to fix it.

thanks

7 Replies

@kingstdz

Please provide the switchport configuration and provide the output of "show authentication session interface x/y/z detail" after the connection is reset.

Have you checked the switch logs for any obvious output?

Hi, sorry for the late reply.

On the port:

Current configuration : 812 bytes
!
interface GigabitEthernet1/0/3
switchport access vlan 42
switchport mode access
switchport voice vlan 200
device-tracking
authentication event fail action next-method
authentication event server dead action authorize vlan 42
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
end

from show auth:

No sessions match supplied criteria.

Runnable methods list:
Handle Priority Name
13 5 dot1x
4 5 dot1xSup
5 10 webauth
3 15 mab

I used NAM to create the profile configuration.xml. My friend has suggested that I update the firmware of the 9200 switch to a new one; I have not done it yet.

If you have any suggestions I will appreciate it, thanks.

 

This is a 9200 switch, you're using IBNS1, you should be using IBNS v2.0. Look up the Wired Access Deployment Guide here: https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

 
I recommend using Interface Templates (defined globally) for IBNS2. You will need a service policy; there are templates in the guide above to get you rolling.
 

Why are you using NAM at all?  

Hi, thanks; I will use it for posture.

I doubt "authentication timer reauthenticate server", because the PC connects, and after reauth it disconnects without any message, I guess.

authentication timer reauthenticate server <<- show auth session interface; let's see this value

 

Sorry, I have jumped to IBNS 2.0 and it works fine, but I still sometimes get a connection reset error in the browser until I refresh the LAN connection.

Interface: GigabitEthernet1/0/3
IIF-ID: 0x15D179F8
MAC Address: 040e.3c22.8d79
IPv6 Address: fe80::d855:2e5:396b:32f0
IPv4 Address: 10.xxxxx
User-Name: domain\user
Status: Authorized
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Session timeout: 3600s (server), Remaining: 948s
Timeout action: Reauthenticate
Common Session ID: 9701B70A00000108DE542A70
Acct Session ID: 0x0000008c
Handle: 0x13000086
Current Policy: XXXX


Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecured

Server Policies:
Session-Timeout: 3600 sec
Vlan Group: Vlan: 30
ACS ACL: xACSACLx-IP-DACL_IT-64ba2d3b


Method status list:
Method State
dot1x Authc Success
mab Stopped

----------------------------------------

Interface: GigabitEthernet1/0/3
IIF-ID: 0x12CEEE9D
MAC Address: 549f.c629.8f4d
IPv6 Address: Unknown
IPv4 Address: 10.xxxxx
User-Name: 54-9F-C6-29-8F-4D
Status: Authorized
Domain: VOICE
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Common Session ID: 9701B70A00000109DE542B88
Acct Session ID: 0x0000008b
Handle: 0x0e000087
Current Policy: xxxx

How can I return to legacy without losing the config, and how do I fix this disconnection and reconnection?

thanks
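
Added example, not part of any post in this thread and not Cisco code: one way to check the reauthentication-timer suspicion raised above is to parse the "show authentication session ... detail" output and see whether the observed browser resets fall near the scheduled reauthentications. The sample output, MAC addresses, dACL name and drop times are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout of "show authentication session interface <if> detail".
SAMPLE = """\
Interface: GigabitEthernet1/0/3
MAC Address: 0200.0000.0001
Status: Authorized
Domain: DATA
Session timeout: 3600s (server), Remaining: 948s
Timeout action: Reauthenticate
Server Policies:
Session-Timeout: 3600 sec
ACS ACL: xACSACLx-IP-EXAMPLE-00000000
----------------------------------------
Interface: GigabitEthernet1/0/3
MAC Address: 0200.0000.0002
Status: Authorized
Domain: VOICE
Session timeout: N/A
"""

TIMEOUT_RE = re.compile(r"(\d+)s \((\w+)\), Remaining: (\d+)s")

def parse_sessions(text):
    """Return one dict of 'Key: value' fields per session block in the output."""
    sessions = []
    for block in re.split(r"^-{5,}\s*$", text, flags=re.M):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and value.strip():  # skips section headers such as "Server Policies:"
                fields.setdefault(key.strip(), value.strip())
        if "MAC Address" not in fields:
            continue
        m = TIMEOUT_RE.search(fields.get("Session timeout", ""))
        fields["timeout_s"] = int(m[1]) if m else None
        fields["remaining_s"] = int(m[3]) if m else None
        sessions.append(fields)
    return sessions

def reauth_offsets(session, horizon_s=4 * 3600):
    """Seconds after the capture at which this session is due to reauthenticate."""
    if not session["timeout_s"] or session.get("Timeout action") != "Reauthenticate":
        return []
    return list(range(session["remaining_s"], horizon_s + 1, session["timeout_s"]))

def drops_near_reauth(session, drop_offsets, window_s=30):
    """Observed drop times (seconds after capture) within window_s of a reauth."""
    events = reauth_offsets(session)
    return [d for d in drop_offsets if any(abs(d - e) <= window_s for e in events)]
```

If most recorded drops land inside the window, the reauthentication cycle is worth examining first; if none do, the timer is an unlikely cause and the switch logs around the drop times are the next place to look.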