
Best Practice to suppress rejected user

csco11552159
Level 5

Hi,

I just wonder if there is a best practice to suppress rejected users from repeatedly restarting the authentication process.

We haven't changed the default "quiet-period" yet; I'm looking for whether there is a better way to do that.

We have seen two types of flooding by endpoints:

1) Some devices have 802.1x enabled but failed 802.1x authentication, then keep restarting the dot1x authentication process.

2) Some devices don't have 802.1x authentication enabled and passed MAB, but still keep restarting the authentication.

Thank you.

Accepted Solution

kthiruve
Cisco Employee

Hi Chao,

Here is the deck that discusses best practices end to end for 802.1x, including flooding, failure suppression, etc.:

https://www.slideshare.net/kuches/piw-ise-best-practices-62037002

Thanks

Krishnan


3 Replies


Thank you very much.

It seems we have to change every single switch's port configuration.

You can also review Live session BRKSEC-3699 in the On-Demand Library (Cisco Live Global Events), where I cover this topic in some depth. Be sure to access the Reference version of the presentation.

I cover the topics as to what can be done from endpoint to ISE and parts in between.

1) Some devices have 802.1x enabled but failed 802.1x authentication, then keep restarting the dot1x authentication process.

Craig: In this case, you want suppression and optionally Access-Reject to kick in, since that user will trigger excessive auth volume until they fix their 802.1X config.

2) Some devices don't have 802.1x authentication enabled and passed MAB, but still keep restarting the authentication.

Craig: Devices that do not support 802.1X should not trigger reauth after successful MAB. This sounds like another issue, where the client is actually trying 802.1X at machine or user level, or the switch is set to a short session reauth timer.

/Craig
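One way to find which endpoints match the two patterns Craig distinguishes (a failing supplicant restarting dot1x versus a MAB-passing device that keeps reauthenticating), as an added example that is not from the thread and not Cisco or ISE code: it runs over constructed RADIUS-style records and flags MACs that exceed a threshold inside a sliding window. The record format (timestamp, MAC, method, result), the window and the threshold are assumptions.

```python
"""Added example (not from the thread): flag endpoints whose authentication
volume matches the two flooding patterns discussed above."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (timestamp, MAC, method, result); not real ISE output.
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "aa:bb:cc:00:00:01", "dot1x", "fail"),
    ("2024-01-01T10:00:31", "aa:bb:cc:00:00:01", "dot1x", "fail"),
    ("2024-01-01T10:01:02", "aa:bb:cc:00:00:01", "dot1x", "fail"),
    ("2024-01-01T10:01:33", "aa:bb:cc:00:00:01", "dot1x", "fail"),
    ("2024-01-01T10:00:05", "aa:bb:cc:00:00:02", "mab", "pass"),
    ("2024-01-01T10:00:35", "aa:bb:cc:00:00:02", "mab", "pass"),
    ("2024-01-01T10:01:05", "aa:bb:cc:00:00:02", "mab", "pass"),
    ("2024-01-01T10:01:35", "aa:bb:cc:00:00:02", "mab", "pass"),
    ("2024-01-01T10:00:10", "aa:bb:cc:00:00:03", "dot1x", "pass"),
    ("2024-01-01T11:00:10", "aa:bb:cc:00:00:03", "dot1x", "pass"),
]

def max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:   # slide the window's left edge forward
            start += 1
        best = max(best, end - start + 1)
    return best

def classify_noisy_endpoints(events, window=timedelta(minutes=5), threshold=3):
    """Return {MAC: pattern} for endpoints with more than `threshold` same-kind
    events in `window`. 'dot1x_fail_flood' is case 1 (candidate for suppression /
    Access-Reject); 'mab_reauth_flood' is case 2 (check for a hidden supplicant
    or a short reauth timer). Assumed labels, not ISE terminology."""
    buckets = defaultdict(list)
    for ts, mac, method, result in events:
        buckets[(mac, method, result)].append(datetime.fromisoformat(ts))
    flagged = {}
    for (mac, method, result), times in buckets.items():
        if max_in_window(times, window) <= threshold:
            continue
        if method == "dot1x" and result == "fail":
            flagged[mac] = "dot1x_fail_flood"
        elif method == "mab" and result == "pass":
            flagged[mac] = "mab_reauth_flood"
    return flagged

if __name__ == "__main__":
    for mac, pattern in classify_noisy_endpoints(SAMPLE_EVENTS).items():
        print(mac, pattern)
```

The MAC that authenticates twice an hour apart is left alone, so a per-MAC threshold of this kind separates the flooding endpoints from normal reauthentication before any port configuration is touched.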
