Dot1x NAC reauthentication issue

Hi,
I set up a test lab with the NAC Dot1x framework, and I am facing an issue where the port keeps repeatedly triggering reauthentication, although the next reauthentication time has not yet been reached. I tried configuring the re-auth period to use local rather than the RADIUS server, or even disabling reauthentication, but the result is still the same.
My lab is using a Cat3560, even upgraded to the latest IOS version c3560-advipservicesk9-mz.122-40.SE, but it is still the same.
When I run show dot1x interface detail I notice the next re-auth is still a lot of seconds away, but all of a sudden the port just reauthenticated, and the CAT detail shows status reauthenticating.
CAT version 2.1.103.o with supplicant bundle.
I even tried modifying the ctad.ini SQTimer, and all this made no difference.
Thanks

Hi jafrazie,
I didn't see an EAPOL-Start or EAPOL-Logoff request in debug dot1x packet.
In debug dot1x all it shows:
.Sep 15 12:16:43: dot1x-ev:dot1x_exec_reauth_client: Reauthenticating Authenticator instance on GigabitEthernet0/41
.Sep 15 12:16:43: dot1x-sm:Posting REAUTHENTICATE on Client=31CC01C
.Sep 15 12:16:43: dot1x_auth Gi0/41: during state auth_authenticated, got event 18(reAuthenticate)
.Sep 15 12:16:43: @@@ dot1x_auth Gi0/41: auth_authenticated -> auth_restart
.Sep 15 12:16:43: dot1x-sm:Gi0/41:000b.db1b.9eac:auth_authenticated_exit called
.Sep 15 12:16:43: dot1x-sm:dot1x_auth_stop_reauth_timer called for 000b.db1b.9eac
.Sep 15 12:16:43: dot1x-sm:Gi0/41:000b.db1b.9eac:auth_restart_enter called
.Sep 15 12:16:43: dot1x-ev:Sending create new context event to EAP for 000b.db1b.9eac
.Sep 15 12:16:43: dot1x-sm:Gi0/41:000b.db1b.9eac:auth_authenticated_restart_action called
.Sep 15 12:16:43: dot1x-sm:Posting !EAP_RESTART on Client=31CC01C
.Sep 15 12:16:43: dot1x_auth Gi0/41: during state auth_restart, got event 6(no_eapRestart)
.Sep 15 12:16:43: @@@ dot1x_auth Gi0/41: auth_restart -> auth_connecting
.Sep 15 12:16:43: dot1x-sm:Gi0/41:000b.db1b.9eac:auth_connecting_enter called
.Sep 15 12:16:43: dot1x-sm:Gi0/41:000b.db1b.9eac:auth_restart_connecting_action called
.Sep 15 12:16:43: dot1x-packet:Received an EAP request packet from EAP for mac 000b.db1b.9eac
.Sep 15 12:16:43: dot1x-sm:Posting RX_REQ on Client=31CC01C
.Sep 15 12:16:43: dot1x_auth Gi0/41: during state auth_connecting, got event 11(eapReq_no_reAuthMax)
.Sep 15 12:16:43: @@@ dot1x_auth Gi0/41: auth_connecting -> auth_authenticating
.Sep 15 12:16:43: dot1x-sm:Gi0/41:000b.db1b.9eac:auth_authenticating_enter called
.Sep 15 12:16:43: dot1x-sm:Gi0/41:000b.db1b.9eac:auth_connecting_authenticating_action called
.Sep 15 12:16:43: dot1x-sm:Posting AUTH_START on Client=31CC01C
Is the switch itself generating the re-auth?
What could cause this?
Could it be something wrong with my config? I did try without NAC, just pure dot1x authentication with the original WinXP SP2, and it is still the same.
Thanks,
LIMCS
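One way to check what the debug output above actually says is to parse it rather than read it by eye: group the switch-initiated "Reauthenticating Authenticator instance" events per port, measure the gap between them, and note whether any EAPOL-Start or EAPOL-Logoff from the supplicant appeared in the same capture. The script below is an added example and not part of the original post; the second burst at 12:18:13 in the sample is constructed to show a repeat, and the 3600 s reauth period is an assumed default, not a value from the thread.

```python
import re
from datetime import datetime

# Regexes for the 'debug dot1x all' line shapes shown in the post.
LINE_RE = re.compile(r"^\.?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}): (?P<msg>.*)$")
REAUTH_RE = re.compile(
    r"dot1x_exec_reauth_client: Reauthenticating Authenticator instance on (?P<iface>\S+)")
EAPOL_RE = re.compile(r"EAPOL-(Start|Logoff)", re.IGNORECASE)

# Constructed sample: the first burst is the 12:16:43 output from the post
# (abridged); the second burst 90 seconds later is made up to show a repeat.
SAMPLE_DEBUG = """\
.Sep 15 12:16:43: dot1x-ev:dot1x_exec_reauth_client: Reauthenticating Authenticator instance on GigabitEthernet0/41
.Sep 15 12:16:43: dot1x-sm:Posting REAUTHENTICATE on Client=31CC01C
.Sep 15 12:16:43: @@@ dot1x_auth Gi0/41: auth_authenticated -> auth_restart
.Sep 15 12:16:43: @@@ dot1x_auth Gi0/41: auth_restart -> auth_connecting
.Sep 15 12:16:43: @@@ dot1x_auth Gi0/41: auth_connecting -> auth_authenticating
.Sep 15 12:18:13: dot1x-ev:dot1x_exec_reauth_client: Reauthenticating Authenticator instance on GigabitEthernet0/41
.Sep 15 12:18:13: dot1x-sm:Posting REAUTHENTICATE on Client=31CC01C
.Sep 15 12:18:13: @@@ dot1x_auth Gi0/41: auth_authenticated -> auth_restart
"""


def parse_ts(text, year=2000):
    """Debug timestamps carry no year; pin one so deltas can be computed."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def analyze(debug_text, reauth_period_s=3600):
    """Group switch-initiated reauth events per interface and flag gaps that
    are shorter than the configured reauth period (3600 s assumed here as
    the usual local default)."""
    reauths = {}
    supplicant_triggered = False
    for raw in debug_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"]
        if EAPOL_RE.search(msg):
            supplicant_triggered = True   # the client asked for the restart
        r = REAUTH_RE.search(msg)
        if r:
            reauths.setdefault(r["iface"], []).append(ts)

    report = {}
    for iface, times in reauths.items():
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        premature = [g for g in gaps if g < reauth_period_s]
        if premature and not supplicant_triggered:
            verdict = ("switch-initiated reauth sooner than the configured period "
                       "with no EAPOL-Start/Logoff from the client: check the "
                       "reauth timer source (local vs RADIUS Session-Timeout) "
                       "and for link or authorization changes on the port")
        elif premature:
            verdict = "client-triggered reauth (EAPOL-Start/Logoff seen)"
        else:
            verdict = "reauth cadence matches the configured period"
        report[iface] = {
            "reauth_count": len(times),
            "gaps_s": gaps,
            "premature_gaps_s": premature,
            "supplicant_triggered": supplicant_triggered,
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for iface, r in analyze(SAMPLE_DEBUG).items():
        print(iface, r)
```

Feed it the real capture instead of SAMPLE_DEBUG and pass the reauth period you configured; a port whose gaps are all shorter than that period, with no EAPOL-Start or EAPOL-Logoff in the capture, is being restarted by the switch side, which narrows the search to the timer source and to events on the port itself.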

Similar Messages

  • NAC Agent Issue

    Hi
    I have implemented Cisco NAC for remote VPN users. As part of this they go through 3 checks:
    1. Antivirus installation check
    2. Antivirus definition check
    3. File check
    I have configured the definition check to remediate via internal update servers if 30 days or more out of date.
    The issue I'm seeing is that the end user receives the following Cisco Agent error during the remediation process (while in the temporary role):
    "The remediation you are attempting is reporting an access denied error. This is usually due to a privilege issue. Please contact your system administrator."
    The definition update happens in the background though (I have allowed the required access through the NAC server) and once complete places the user in the correct role. Therefore it's not so much an issue, just a misleading message displayed to the user.
    Has anyone seen this before or know where this is configured?
    Kind Regards
    Terry

    Hi Faisal,
    I am still having this problem.
    Even though the agent displays that error message, the AV still updates in the background. The problem then is that the agent fails to realise that the definitions are then fully up to date and does not re-check posture automatically. Therefore I am having to disconnect and re-connect the network cable for the agent to realise that I am now fully compliant.
    Is there anything that I can do to make this posture / remediation process automatic and seamless?
    Mario

  • Dot1x session timeout issue

    Hi
    Currently we have an issue with our new dot1x authenticated WLAN. The clients get disconnected when the session timeout expires. As I have discussed with TAC, the session timeout forces the client to reauth against RADIUS but should not disassoc him (for non-dot1x SSIDs it will actually disassoc you by design).
    Each time a client is ejected the following message is produced:
    May 10 09:59:20 xxx *Dot1x_NW_MsgTask_0: May 10 09:59:21.014: %DOT1X-3-INVALID_WPA_KEY_MSG_STATE: 1x_eapkey.c:848 Received EAPOL-key M2 msg has invalid information when mobile is in START  state - invalid secure bit; KeyLen 24, Key type 1, client xxx
    A workaround is either to:
    a) Disable session timeout (but we need to check for revoked certs)
    b) Switch from WPA2 to WPA(1)
    So far I've tested with:
    - Win7 and Centrino 6205 (newest driver)
    - Same laptop and some random Realtek USB-Stick
    - Same laptop complete new and blank Windows install (without McAfee HIPS & AV) and both NICs
    - Also an ancient LAP1231, currently this is a 3502
    The interesting part is that we don't seem to have any issues with Ubuntu and Android clients, and also an iPad seems to work fine. We are currently running 7.0.240.0, but I also tested with 7.4.103.6 (dev release). The ACS is running 5.2 and acknowledges the client fine during reassoc, but for some reason the controller disconnects him.
    There are no strange messages in the Windows event log. Do you have any idea what is causing this? A colleague of mine is facing the same issue at a different company. TAC seems to be stumped, unfortunately.

    After some months of playing with TAC we found the issue: It was wrong of TAC to suggest increasing the EAPOL-Key Timeout. Actually you have to lower this timeout, because it initiates the retransmission of the EAPOL-key request.
    It looks like Win7 changed the behavior somehow (Win XP works fine) and has a more aggressive timeout. Also the first try always fails for some reason still unknown. When the timeout is too large Win 7 disassocs before the controller has a chance to retransmit. I have lowered the value to 400ms and increased the repeat count, which keeps the clients stable again.
    Case is still going on to find out why the first try to reauth fails, something with invalid MIC in M2? My current EAP settings are:
    EAP-Identity-Request Timeout (seconds)........... 5
    EAP-Identity-Request Max Retries................. 3
    EAP Key-Index for Dynamic WEP.................... 0
    EAP Max-Login Ignore Identity Response........... enable
    EAP-Request Timeout (seconds).................... 5
    EAP-Request Max Retries.......................... 3
    EAPOL-Key Timeout (milliseconds)................. 400
    EAPOL-Key Max Retries............................ 4
    EAP-Broadcast Key Interval....................... 3600
    This also got me thinking about the other timeouts and I decreased those as well. Take the EAP-Identity-Request Timeout. If you set it to 30 seconds and the first packet is lost somehow, then the client needs to wait 30 seconds for auth, which does not make sense.
    https://supportforums.cisco.com/docs/DOC-12110

  • NAC Agent issues

    Hi guys,
    We are encountering several problems with regards to the NAC Agent. We are deploying AD SSO and for some reason, on the same switch, some hosts are performing SSO correctly and others are being prompted for a user name and password by the NAC agent, even though the hosts are all logging into the same domain. Do you guys have any idea on how to go about this problem?

    Hi Guys,
    I have deployed NAC in OOB Real IP gateway mode and it is working fine over the LAN.
    Once I enabled the L3 functionality to connect a remote site, the local user is being certified through WEB LOGIN.
    But the NAC pop-up is not appearing to supply the username and password.
    A problem occurred when stopping the NAC agent services: "Agent has been terminated due to unexpected error. Please restart your machine."
    Note: no ACL is configured yet.
    I have performed the following tasks to fix it:
    1. Restarted NAC agent services.
    2. Checked proxy settings.
    Could you please help me out to resolve this issue?
    Thanks & Regards,
    Azeem Khan

  • NAC Design Issue

    Dear All,
    We will use CAS 1 for Local users (wired/wireless) as L2 OOB virtual GW.
    We will use CAS 2 for VPN users as L3 In-band virtual GW with VPN router.
    Now we have one remote site connecting to our ASA DMZ and other remote sites connecting to our WAN router to access our resources.
    So can I use existing CAS1 or 2 for these two entry points?

    Just for clarification, I attached a quick sketch. Is this somewhat the topology you had in mind?
    If so then you should be able to use CAS 2 for the ASA and WAN router. The NAC agents installed in the remote locations should have a discovery host in the trusted network and you have to force the incoming traffic through the CAS. But it should be possible as far as I can see.
    Only thing to keep in mind is the 1Gbit throughput limit on the CAS, depending on the amount of traffic coming from remote sites and VPN users it may or may not be an issue.

  • Reauthentication Issue

    Hello,
    We have our controller 5508 running with 7.5 firmware. But now we face users just getting disconnected and asked for reauthentication regardless of any timer settings. It creates a lot of issues. At 7.4 there was no issue.
    My session timer is 36000 and idle timer is 18000.
    But still every 20-30 minutes we have to reauthenticate. Strange!
    Any help ...

    Prasan,
    Can you post your show WLAN? Is the issue with all clients, or have you been able to isolate it to a specific device, certain AP or site, or radio band?
    Sent from Cisco Technical Support iPhone App

  • ISE dot1x and MAB issues

    I am trying to set my ISE to attempt dot1x before mab. If I set up the switchport to try mab first, then ISE does its job and assigns the proper vlan. However, when I set the port up to do dot1x first, the port reverts to the default vlan 1. I am able to manually assign the proper vlan on the port and ISE does not interfere, but that kind of defeats the purpose. The port is on a 4506 and below is the port config. Any direction would be greatly appreciated.
    interface GigabitEthernet5/7
     description 1-151
     switchport mode access
     switchport block unicast
     switchport voice vlan 68
     ip arp inspection limit rate 60
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action authorize vlan 40
     authentication event server dead action authorize voice
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication open
     authentication order mab dot1x
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication timer inactivity 3600
     authentication violation restrict
     mab
     snmp trap mac-notification change added
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    end
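The port above says "authentication order mab dot1x" with "authentication priority dot1x mab", which is exactly the combination the poster describes as "MAB first": the order list decides which method is attempted first, the priority list only decides which result wins when both methods complete. A small linter that parses the stanza and spells that out, and that also works out the connecting-state dwell time tx-period * (max-reauth-req + 1) quoted in the guest-VLAN thread further down this page, is given below. It is an added example, not code from the thread or from Cisco; the stanza is copied from the post, and the IOS defaults of 30 s for tx-period and 2 for max-reauth-req are assumptions used only when the port does not set them.

```python
import re

# Constructed sample: the access-port stanza from the post above, reduced to
# the lines that matter for authentication behaviour.
SAMPLE_PORT = """\
interface GigabitEthernet5/7
 description 1-151
 switchport mode access
 switchport voice vlan 68
 authentication event fail action next-method
 authentication event server dead action authorize vlan 40
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity 3600
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
end
"""

# IOS defaults used when the timer is not set on the port (assumption).
DEFAULT_TX_PERIOD = 30
DEFAULT_MAX_REAUTH_REQ = 2


def parse_port(stanza):
    """Split an 'interface ...' stanza into its name and sub-commands."""
    name, cmds = None, []
    for line in stanza.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            name = s.split(None, 1)[1]
        elif s and s not in ("end", "!"):
            cmds.append(s)
    return name, cmds


def _args(cmds, prefix):
    """Arguments of the first sub-command equal to or starting with prefix."""
    for c in cmds:
        if c == prefix or c.startswith(prefix + " "):
            return c[len(prefix):].split()
    return None


def lint_port(stanza):
    name, cmds = parse_port(stanza)
    findings = []
    order = _args(cmds, "authentication order")
    prio = _args(cmds, "authentication priority")
    if order and prio and order[0] != prio[0]:
        findings.append(
            f"{order[0]} runs first (order) while {prio[0]} is preferred (priority); "
            f"the port will try {order[0]} before {prio[0]} regardless of priority")
    if order and order[0] != "dot1x":
        findings.append("dot1x is not tried first; use 'authentication order dot1x mab'")
    if order and "mab" in order and "mab" not in cmds:
        findings.append("'mab' is in the order list but not enabled on the port")
    if order and "dot1x" in order and "dot1x pae authenticator" not in cmds:
        findings.append("'dot1x' is in the order list but 'dot1x pae authenticator' is missing")
    if "authentication periodic" in cmds and _args(cmds, "authentication timer reauthenticate") == ["server"]:
        findings.append("reauth interval is taken from the RADIUS Session-Timeout attribute; "
                        "a missing or short value changes how often the port reauthenticates")
    if "authentication open" in cmds:
        findings.append("open mode: traffic is permitted before authentication completes")
    tx = _args(cmds, "dot1x timeout tx-period")
    mr = _args(cmds, "dot1x max-reauth-req")
    tx_period = int(tx[0]) if tx else DEFAULT_TX_PERIOD
    max_reauth = int(mr[0]) if mr else DEFAULT_MAX_REAUTH_REQ
    return {
        "interface": name,
        "order": order,
        "priority": prio,
        # Seconds a silent host sits in the connecting state before the next
        # method or the guest VLAN: tx-period * (max-reauth-req + 1)
        "connecting_timeout_s": tx_period * (max_reauth + 1),
        "findings": findings,
    }


if __name__ == "__main__":
    result = lint_port(SAMPLE_PORT)
    print(result["interface"], "connecting timeout:", result["connecting_timeout_s"], "s")
    for f in result["findings"]:
        print(" -", f)
```

Run against the stanza as posted, it reports that mab runs first and that dot1x is not tried first; swap the order line to "authentication order dot1x mab" and both findings disappear, while the 10 s tx-period still gives a 30 s connecting window for hosts that never answer the EAP identity request.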

    Recently I implemented this at one of our customers; find the switch configuration below.
    aaa new-model
    aaa authentication dot1x default group radius local
    aaa authorization network default group radius local
    aaa authorization auth-proxy default group radius
    aaa accounting delay-start all
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting network default start-stop group radius
    aaa server radius dynamic-author
     client <ISE IP ADDRESS> server-key 7 10471A1C25141B1F0F
    aaa session-id common
    ip device tracking probe use-svi
    ip device tracking
    ip admission name Testing_ISE proxy http inactivity-time 10 list ISE_ALLOWED
    epm logging
    dot1x system-auth-control
    spanning-tree mode rapid-pvst
    spanning-tree loopguard default
    spanning-tree portfast bpduguard default
    spanning-tree extend system-id
    spanning-tree uplinkfast
    spanning-tree backbonefast
    spanning-tree vlan 1-1005 priority 8192
    port-channel load-balance src-dst-ip
    vlan internal allocation policy ascending
    interface range GigabitEthernet X/X
     description "Connected to test PC for ISE testing"
     switchport access vlan x
     switchport mode access
     switchport voice vlan x
     authentication event fail action next-method
     authentication event server dead action authorize vlan 107
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication timer inactivity 180
     authentication violation protect
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    ip http server
    ip http secure-server
    ip access-list extended ISE_REDIR
     deny   udp any any eq bootpc
     deny   udp any any eq bootps
     deny   udp any any eq domain
     deny   ip any host <ISE IP ADDRESS> log
     permit tcp any any eq www
     permit tcp any any eq 443
     deny   ip any any log
    ip access-list extended ISE_ALLOWED
     permit ip any host <ISE IP ADDRESS>
    logging esm config
    snmp-server community string RO
    snmp-server community public RO
    snmp-server community ise RO
    snmp-server trap-source Vlan250
    snmp-server enable traps mac-notification change move threshold
    snmp-server host <ISE IP ADDRESS> version 2c ise  mac-notification
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server host <ISE IP ADDRESS> auth-port 1812 acct-port 1813 key 7 141E010E2C07233F27
    radius-server vsa send accounting
    radius-server vsa send authentication
    Create an Authentication policy in ISE and allow the ISE_REDIR ACL.

  • Guest Nac & WLC issues

    Hello,
    I have Guest Nac Appliance & WLC 5508, but I want to know,
    1. Can I use the same username and password authenticated in Guest NAC on 3 devices? Example: laptop, Mac, iPhone.
    2. How many usernames can be stored in Guest NAC: NAC3310-GUEST-K9?
    Thanks a lot

    Hi,
    1. Don't see a problem with that, or perhaps I'm not understanding the question right?
    2. No limit in the software, so as many as you like, until your database fills up your hard drive.
    Faisal

  • NAC Remediation issue

    Hi,
    I made a requirement for AV update. NAC detects the infected client and launches the AV (Trend Micro client) so he can update his AV, but after that NAC shows an unknown result in CCA and does not show any message regarding successful remediation.
    (Traffic is allowed towards AV server)
    Any idea?

    Hello,
    Here are the links to the Windows and MacOS supported AV/AS on NAC 4.8.2:
    http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/48/WinAV-AS-vers86.pdf
    http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/48/MacOSXAV-AS-ver9.pdf
    Regards.

  • NAC license issue

    I am trying to setup a CCA CAM server, but the initial web page which instructs to install the license file isn't working. Has anyone else had trouble installing licenses on these machines? If so, any tips would be greatly appreciated.
    Thanks

    I had the same problem and ended up opening a TAC case.
    The problem is the licensing is not very intuitive, and is tied to the MAC address you enter. In fact, I'd call it counter-intuitive. When you enter the MAC during the licensing you tie that license to that MAC and none other.
    If you've got problems with the license, it just may be the only way to resolve is through a TAC case or direct contact with Cisco Licensing.
    When I had the problem they needed to reset the license and were very helpful in walking me through the process.
    If you can ping and not connect, check your DNS entry. If the DNS entry is not made (or wrong), you could face connection issues, because the pages are called by the CAM software by server name and not IP.
    HTH

  • Dot1x guest-vlan issues with windows XP

    Hi,
    I have dot1x setup on a 3560. I basically have 3 vlans configured.
    All ports are in vlan "guest (vlan 10)" by default. The authenticated "AUTH" vlan is pushed by the radius server after successful authentication. And finally I have a guest/auth-fail vlan for non-dot1x capable machines.
    Everything works fine except that when I connect a Windows XP machine which is not on the domain, I am not assigned to a guest vlan. The port stays in unauthorized state and a "show interface" output shows that the port is up but line protocol is down.
    It works sometimes but other times it doesn't.
    Is there a trick to it? Also I read an article on Cisco's website which was specific to XP and dot1x, i.e. the switch waits ~180 seconds and you need to plug the cable in/out of the switch to make it work. I haven't tried this yet, but does anybody have any better ideas than this technique?
    I have the standard config:
    int fa0/1
    dot1x port-control auto
    dot1x guest-vlan 10
    dot1x auth-fail vlan 10
    I am thinking of tweaking the "quiet period" and the switch-to-client retransmission timeout values.
    Note: like I mentioned earlier, after successful authentication corporate clients are put in the correct vlan. It's just the "guest" vlan piece which is not working.
    Thoughts? pointers? Comments?

    OK, first WRT the documentation reference:
    Not entirely accurate. If a host fails to respond to the authenticator, the port remains in the connecting state for [tx-period * (max-reauth-req + 1)] seconds. A login window even appearing on an XP machine is dependent on the configuration (usually only occurs with MD5). Not sure about the unplugging cables stuff at all ;-). This certainly shouldn't be in there though, since that's not really a workaround for anything. It is correct in saying that 1X-capable hosts should not be placed in the Guest-VLAN. It's also correct in explaining the quiet period during the HELD state after a failed authentication attempt. However, the rest is completely dependent on the Microsoft supplicant. The Microsoft supplicant gives up on 1X entirely after it fails 3 times in a row. No other supplicants do this AFAIK. Since it gives up on 1X, that explains why the port would be "stuck" in a connecting state. Not sure if this is just trivia or what, though, in context to the reference.
    WRT your configuration:
    If you're interested in having 1X timeout any quicker than it does now (see formula above) then the only timers/values you need to bother with are tx-period and/or max-reauth-req. supp-timeout is for non-EAP control packets. The quiet-period is how long the port is in a HELD state when it fails authentication.
    Does this help?

  • DRAC/ILO on Nac 3355 issue

    Anyone know how to setup drac on this server ?

    Hello James,
    How did you do your install? Using KVM or serial port?
    I had the same problems with a serial install: I was imaging (1.1.4) some appliances (3315 & 3395) at the same time with one PC/console cable that I plugged & unplugged from one appliance to another to follow the install progress. But on several appliances, I was not prompted for the admin & user database passwords.
    The result was the same as yours: the appliance booted, but the ISE application was not installed.
    I had no problems the next time, when I tried to reimage the appliance with the serial cable but WITHOUT UNPLUGGING IT from the beginning to the end! The database users/admin DB passwords were asked for and the install was successful on all my appliances.
    Also you have to check the system time/date/timezone in the BIOS settings of the appliance, as described in the hardware install guide.
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_install_guide.html
    Have you checked the MD5 of your ISO?
    Hope you'll be able to finish your install properly.

  • NAC CCA - Designated Period

    Hello,
    I'm running a NAC solution (L2 OOB VG). I'm fine tuning the CCA section configuration on the CAM. I've selected 'audit' for my enforce type in the Requirements section, because I want to see all the reports whether my users are certified or not. Is it possible to configure the CAM to give my users a designated period (let's say 2 weeks) to get everything updated to get their PCs certified, and if not they would be locked from getting access to the internal network?
    -K

    I think the Release Notes for Cisco NAC Appliance (Cisco Clean Access) will clear your doubts about NAC/CCA issues.

  • How to authenticate a Non domain member laptop with AAA

    Dear all,
    I have a problem resolving an issue with AAA. The scenario is: if a user connects his laptop to a Cisco switch and the computer is not a member of the domain, we would like to allow internet access and an IP from the DHCP server only to those users whose computers are members of Active Directory. Do let me know how this is possible; support will be appreciated.
    Regards
    Ibrahim

    Hi Ibrahim,
    Do you use CiscoSecure ACS?
    If so, this is possible, using AAA/dot1X on the switch and configuring ACS to authenticate against Active Directory.
    There are lots of configuration examples available here:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_configuration_examples_list.html
    Specifically the wired dot1x; nac: ldap integration with acs; cisco secure acs for windows with eap-tls machine authentication.
    Although some of these are for wireless, I can't see why the principle can not be applied to wired.
    Also there are posts on the learning network:
    https://learningnetwork.cisco.com/thread/2221
    https://learningnetwork.cisco.com/thread/12897
    Regards, Ash.

  • Cisco NAC server hang issue

    Hi All Cisco NAC Experts, I am currently experiencing a Cisco NAC NAC3315-SVR hang issue.
    The issue has already happened a few times on the same server, and the symptoms when the NAC server hung include no response to ICMP ping, no response to SSH requests, no response to access requests to the CAS management page via https; the HA pair was detected down by its HA neighbor and triggered failover to the secondary CAS.
    The CAS server recovered after manually power cycling the hardware.
    After going through the attached CAS logs, I found all the services and the logging service were stopped when the issue was happening, but unfortunately no suspicious activity was logged before or during the issue.
    I have also tried searching the Cisco Bug Toolkit but no similar case was found. I believe it was not caused by a software bug, because software version 4.8.1 has been running in my company for years and only one CAS server is having the issue.
    It would be great if anyone can help me out with this.
    Thanks,
    Eric

    Hi Bro
    This could be a problem with the certificate in that Cisco NAC appliance itself. My suggestion is to redo the certificate generation between the CAS CAM and CA Server. If this still doesn’t work, it could also be due to overload/broadcast storm on the LAN portion. This can be verified via Wireshark.
    If all else fails, then a hardware swap would seem like the next best thing.
