ISE/802.1x - IP Conflict at 0.0.0.0?

Has anyone seen this issue?
We have Windows 7 clients running 802.1x that will pop up a message in the eventlog that there is an IP conflict with 0.0.0.0. This seems to cause an infinite loop of DHCP NACK and BAD_ADDRESS in the scope.
I am on code 1.1.1.268.
Thanks in advance.
-Ryan

Hello i have the same issue only on a windows7 computer (all other computers are windows7 WindowsXP and are working fine)
switches : 3750-X in version 15.0.1.SE2
dot1x activated on switches, not on computer
sometimes, a duplicate message IP 0.0.0.0 appear on the W7 computer, and it is not able to commmunicate after that, even it has a FIXED ip
This is not a real duplicate Ip, the MAC AMC that has taken the IP 0.0.0.0 is a4:4c:11:44:xx:xx (seems to be a cisco switch ....)
I have found at : http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3750x_3560x/software/release/15.0_1_se/command/reference/cli1.html#wp9596478
that
The ARP probe default source IP address is the Layer 3 interface and 0.0.0.0 for switchports.
Since i have no IP for the user vlan on the 3750-x switch where ip device tracking is done, i assume this 0.0.0.0 Ip is viewed because of ARP probe requests sent by the switch ....
But we don't have the ip device tracking probe delay parameter on 3750 switches ... only seen on 4500
If anyone can confirm that ...
Perhaps adding an IP in the user vlan could be a workaround as it won't use 0.0.0.0 IP for arp probes ?
Ce message a été modifié par: Guillaume BARBEROT

Similar Messages

  • ISE 802.1x EAP-TLS machine and smart card authentication

    I suspect I know the answer to this, but thought that I would throw it out there anway...
    With Cisco ISE 1.2 is it possible to enable 802.1x machine AND user smart card  authentication simultaneously for wired/wireless clients (specifically  Windows 7/8, but Linux or OSX would also be good).  I can find plenty of  information regarding 802.1x machine authentication (EAP-TLS) and user  password authentication (PEAP), but none about dual EAP-TLS  authentication using certificates for machines and users at the same time.  I think I can figure out how to configure such a policy in ISE, but options seem to be lacking on the client end.  For example, the Windows 7 supplicant seems only able to present either a machine or user smart card certificate, not one then the other.  Plus, I am not sure how the client would know which certificate to present, or if the type can be specified from the authenticator.

    Hope this video link will help you
    http://www.labminutes.com/sec0045_ise_1_1_wired_dot1x_machine_auth_eap-tls

  • Cisco ISE 802.1X Client Provisioning

    Hi,
    I have a requirement for ISE client provisioning for both Windows and mac. I have the following setup:
    1. 2 SSIDs, Guest and Employee
    2. Guest is open access
    3. Employee is 802.1x eap-peap (username/password)
    I was wondering if client local administrator privillege is required for 802.1x provisioning for windows client? I believe it is required for MAC OS however not too sure if it may be required for Windows?
    Example Employee A connect to Guest SSID and is redirect to the guest web portal. Upon login, they will be presented with the device registration portal. Upon being presented by the ISE on the supplication wizard, will they be requested for local administrator/domain admin privillege to install the supplicant wizard package/provisioning agent successfully?
    Any suggestion is appreciated.
    Thanks.

    Hi,
    Appreciate for the feedback.
    Thanks

  • Cisco ISE: 802.1x [EAP-TLS] + List of Applicable Hot-Fixes

    Dear Folks,
    Kindly suggest the list of all possible Hot-Fixes required for the Cisco ISE EAP-TLS solution... We have applied 9 HotFixes so far. But, still the connectivity is intermittent. Is there any list for all applicable Hot-Fixes?
    OS = Win 7 SP1 (32/64 Bit) and Win 8
    Thanks,
    Regards,
    Mubasher Sultan

    Hi Mubasher
    KB2481614:      If you’re configuring your 802.1x settings via Group Policy you’ll see      sometimes EAP-PEAP request from clients in your radius server log during      booting even if you’ll set EAP-TLS. This error happened in our case with      1/3 of the boots with some models. The error is caused by a timing problem      during startup. Sometimes the 802.1x is faster and sometimes the Group      Policy is, and if the 802.1x is faster than the default configuration is      taken, which is PEAP. Which lead to a EAP-NAK by the radius server.
    KB980295:      If an initial 802.1x authentication is passed, but a re-authentication      fails, Windows 7 will ignore all later 802.1x requests. This hotfix should      also fix a problem with computers waking up from sleep or hibernation –      but we’ve disabled these features so I can’t comment on them.
    KB976373:      This hotfix is called “A computer that is connected to an IEEE      802.1x-authenticated network via another 802.1x enabled device does not      connect to the correct network”. I can’t comment on this, as we’ve not      deployed 802.1x for our VoIP phones at this point.I would guess it is the      same for Windows 7 too. The linked article tells you to install the patch      and set some registry key to lower the value.
    KB2769121:      A short time ago I found this one: “802.1X authentication fails on a      Windows 7-based or Windows 2008 R2-based computer that has multiple      certificates”. At time of writing I’m not sure if it helps for something      in my setup. According to the symptoms list of the hotfix, it does not,      but maybe it helps for something else, as the one before does.
    KB2736878:      An other error during booting – this time it happens if the read process      starts before the network adapter is initialized. Really seems that they      wanted to get faster boot times, no matter the costs.
    KB2494172:      This hotfix fixes a problem if you’ve installed a valid and invalid      certificate for 802.1x authentication. The workaround is just deleting the      invalid certificate. I’m not sure at this point if it affects also wired      authentication.
    KB976210:This      problem occurs only during automated build processes and if you use an EAP      method which needs user interaction – as I don’t do that I can’t comment      on this hotfix.
    For more information please go through this link:
    http://robert.penz.name/555/list-of-ieee-802-1x-hotfixes-for-windows-7/
    Best Regards:
    Muhammad Munir

  • ISE 802.1x and Windows Logoff

    Hi Guys,
    i have a ISE works fine using 802.1x but we have a strange behavior when the client just logoff the windows machine, after the client login again, the machine does not authenticate and stuck as a message " not possible to authenticate". Then I need to take off the cable machine and put again, after this everything works fine.
    This happens just using logoff windows.
    could someone help me about it?
    thanks a lot

    Hi Rik,
    I am using this configuration.
    interface GigabitEthernet3/33
    switchport access vlan 22
    switchport mode access
    switchport voice vlan 23
    ip access-group ACL-DEFAULT in
    logging event link-status
    authentication event fail action next-method
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication violation restrict
    mab
    snmp trap mac-notification change added
    snmp trap mac-notification change removed
    dot1x pae authenticator
    dot1x timeout tx-period 10
    qos trust device cisco-phone
    spanning-tree portfast
    spanning-tree bpduguard enable
    service-policy input AutoQos-4.0-Cisco-Phone-Input-Policy
    service-policy output AutoQos-4.0-Output-Policy
    the client are using the NAC Agent the way to perform a posture.
    If i take off the cable and put again, everything works fine, but if the client try to logoff and after a time login again, the NIC Card can not be authenticated.
    thanks a lot

  • About ISE 802.1X question!

    Today my colleagues and I deploy ISE found the following question.
    Sometimes, can have the user authentication and authorization success under the same interface, user authentication and authorization is not successful.If restart ISE will be normal.
    Why is that?
    Two ise ,Distributed Deployment,
    I test redundancy。I closed the main equipment,The following error:
    LOG:==============================================
    The normal time:
    6509-vss#show authentication sessions interface g1/9/36
                Interface:  GigabitEthernet1/9/36
              MAC Address:  0021.cc68.a63e
               IP Address:  172.30.60.11
                User-Name:  daiyue
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
                  ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-51ef7db1
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC1E3C02000000410155DA40
          Acct Session ID:  0x0000006C
                   Handle:  0x73000041
    Runnable methods list:
           Method   State
           mab      Failed over
           dot1x    Authc Success
                Interface:  GigabitEthernet1/9/36
              MAC Address:  0026.2df8.a25f
               IP Address:  172.30.60.10
                User-Name:  daiyue
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
                  ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-51ef7db1
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC1E3C02000000400154E52C
          Acct Session ID:  0x0000006D
                   Handle:  0x91000040
    Runnable methods list:
           Method   State
           mab      Failed over
           dot1x    Authc Success
    When there is a problem:
    6509-vss#
    Feb 27 2014 17:43:11: %DOT1X-5-FAIL: Authentication failed for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:43:11: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:43:11: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:43:11: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:43:11: %AUTHMGR-5-FAIL: Authorization failed for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:47:52: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0026.2df8.a25f) on Interface Gi1/9/36
    Feb 27 2014 17:47:52: %AUTHMGR-5-START: Starting 'dot1x' for client (0026.2df8.a25f) on Interface Gi1/9/36
    Feb 27 2014 17:48:02: %DOT1X-5-FAIL: Authentication failed for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:48:02: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:48:02: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:48:02: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:48:02: %AUTHMGR-5-FAIL: Authorization failed for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:48:20: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:48:20: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    Feb 27 2014 17:48:25: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:48:25: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    Feb 27 2014 17:48:29: %DOT1X-5-SUCCESS: Authentication successful for client (0026.2df8.a25f) on Interface Gi1/9/36
    Feb 27 2014 17:48:29: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0026.2df8.a25f) on Interface Gi1/9/36
    Feb 27 2014 17:48:29: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.2df8.a25f| AuditSessionID AC1E3C020000004D01CCB640| AUTHTYPE DOT1X| EVENT APPLY
    Feb 27 2014 17:48:29: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0026.2df8.a25f| AuditSessionID AC1E3C020000004D01CCB640| AUTHTYPE DOT1X| EVENT IP-WAIT
    Feb 27 2014 17:48:30: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0026.2df8.a25f) on Interface Gi1/9/36
    Feb 27 2014 17:48:34: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:48:34: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    6509-vss(config-if)#
    6509-vss(config-if)#
    Feb 27 2014 17:48:49: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:48:49: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    Feb 27 2014 17:49:02: %AUTHMGR-5-START: Starting 'mab' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:49:13: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:49:13: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    Feb 27 2014 17:49:18: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:49:18: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    Feb 27 2014 17:49:21: %MAB-5-FAIL: Authentication failed for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:49:21: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:49:21: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:49:21: %AUTHMGR-5-START: Starting 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:49:23: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:49:23: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    6509-vss(config-if)#end
    6509-vss#show
    Feb 27 2014 17:49:27: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:49:27: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.authen
    6509-vss#show authentication
    Feb 27 2014 17:49:28: %SYS-5-CONFIG_I: Configured from console by consolese
    6509-vss#show authentication sessions int
    6509-vss#show authentication sessions interface g1/9/36
                Interface:  GigabitEthernet1/9/36
              MAC Address:  0021.cc68.a63e
               IP Address:  Unknown
                User-Name:  0021cc68a63e
                   Status:  Running
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC1E3C020000004E01CCCA18
          Acct Session ID:  0x00000086
                   Handle:  0x7300004E
    Runnable methods list:
           Method   State
           mab      Failed over
           dot1x    Running
                Interface:  GigabitEthernet1/9/36
              MAC Address:  0026.2df8.a25f
               IP Address:  Unknown
                User-Name:  shenshu
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC1E3C020000004D01CCB640
          Acct Session ID:  0x00000089
                   Handle:  0xB400004D
    Runnable methods list:
           Method   State
           mab      Not run
           dot1x    Authc Success
    LOG:============================================

    Please consider the order of authnetication method fail from here
    http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-service/application_note_c27-573287.html#wp9000028

  • Cisco ISE: 802.1x Timers Best Practices / Re-authentication Timers [EAP-TLS]

    Dear Folks,
    Kindly, suggest the best recommended values for the timers in 802.1x (EAP-TLS)... Should i keep default all or change or some of them?
    Also, what do we need reauthentication timers? Any benefit to use it? Does it prompt to users or became invisible? and What are the best values, in case if we need to use it?
    Thanks,
    Regards,
    Mubasher
    My Interface Configuration is as below;
    interface GigabitEthernet1/34
    switchport access vlan 131
    switchport mode access
    switchport voice vlan 195
    ip access-group ACL-DEFAULT in
    authentication event fail action authorize vlan 131
    authentication event server dead action authorize vlan 131
    authentication event server alive action reinitialize
    authentication open
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    mab
    snmp trap mac-notification change added
    dot1x pae authenticator
    dot1x timeout tx-period 5
    storm-control broadcast level 30.00
    spanning-tree portfast
    spanning-tree bpduguard enable

    Hello Mubashir,
    Many timers can be modified as needed in a deployment. Unless you are experiencing a specific problem where adjusting the timer may correct unwanted behavior, it is recommended to leave all timers at their default values except for the 802.1X transmit timer (tx-period).
    The tx-period timer defaults to a value of 30 seconds. Leaving this value at 30 seconds provides a default wait of 90 seconds (3 x tx-period) before a switchport will begin the next method of authentication, and begin the MAB process for non-authenticating devices.
    Based on numerous deployments, the best-practice recommendation is to set the tx-period value to 10 seconds to provide the optimal time for MAB devices. Setting the value below 10 seconds may result in the port moving to MAC authentication bypass too quickly.
    Configure the tx-period timer.
    C3750X(config-if-range)#dot1x timeout tx-period 10

  • ISE - 802.1X - Loop not detected by spanning-tree

    Hello,
    I have recently implemented the 802.1X on switchs 3750-X running 15.0(2)SE IOS version.
    The spanning-tree bpdufilter and bpduguard are globally enabled on the switchs.
    A user has created a loop on the network by connecting its Cisco IP-Phone twice on the network : one wire connected normally from switch to the RJ-45 phone connector and the second wire that should be connected to the PC had also been connected to the switch !
    The loop created has not been detected by the switch !
    I have made several tests and re-created the problem 3 times on 4 (only one time, the loop has been detected by bpduguard  20 seconds after the port up).
    Notice that without 802.1X configured on the same switch port, the loop is quickly detected and ports are err-disabled shutdown.
    Switch port with 802.1X is following :
    interface GigabitEthernet1/0/9
    switchport access vlan 950
    switchport mode access
    switchport nonegotiate
    switchport voice vlan 955
    no logging event link-status
    authentication control-direction in
    authentication event fail action next-method
    authentication event server dead action reinitialize vlan 950
    authentication event server dead action authorize voice
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 10
    storm-control broadcast level 10.00
    storm-control multicast level 10.00
    spanning-tree portfast
    If I change the host-mode to multi-domain, a MAC violation restriction occurs and shutdown the port. But this is not the config I need.
    Is there any reason for spanning-tree not works properly with 802.1X ?
    Thanks,
    Olivier

    Hello Olivier
    When using bpdufilter, bpduguard and portfast all at the same time there are many things going on which are not well documented. Now when you add 802.1x to the mix then you really have no documentation. I had to do many labs on my own to finally have my configuration, and also discovered some bugs. According to my experience you shouldn't use bpdufilter and you should use bpduguard on the switchport not in the global config.
    Please read the following links about the differences between global and port bpdufilter, differences between global and port bpduguard, configuring bpduguard along with portfast , configuring bpdufilter along with portfast, and configuring bpduguard along with bpdufilter.
    http://aitaseller.wordpress.com/2010/01/17/bpdu-filter-vs-bpdu-guard-what-is-the-difference/
    http://costiser.wordpress.com/2011/05/23/subtle-difference-for-portfast-bpdufilter-used-together-globally-or-at-interface-level/
    https://learningnetwork.cisco.com/thread/21103
    http://blog.ipexpert.com/2010/12/06/bpdu-filter-and-bpdu-guard/
    Please rate if this helps

  • Cisco ip phones authenticate 802.1x with cisco ise 1.3

    Dear all,
    I want to configure cisco ise 1.3 with 802.1x , to authenticate cisco ip phones ( CUCM 10.5.2 ) with LSC certificate. 
    How I have to configure cisco ise authentication rules for 802.1x with cisco ip phones? Are there any configuration examples ? 
    Thanks

    following are ISE 802.1x  sample authentication rules..you can change the protocol (Policy -> policy elements - > results -> authentication and you can select the proctocal)

  • ISE 1.1 - 24492 Machine authentication against AD has failed

    We implement Cisco ISE 802.1X and Machine Authentication With EAP-TLS.
    Authentication Summary
    Logged At:
    March 11,2015 7:00:13.374 AM
    RADIUS Status:
    RADIUS Request dropped : 24492 Machine authentication against Active Directory has failed
    NAS Failure:
    Username:
    [email protected]
    MAC/IP Address:
    00:26:82:F1:E6:32
    Network Device:
    WLC : 192.168.1.225 :  
    Allowed Protocol:
    TDS-PEAP-TLS
    Identity Store:
    AD1
    Authorization Profiles:
    SGA Security Group:
    Authentication Protocol :
    EAP-TLS
     Authentication Result
    RadiusPacketType=Drop
     AuthenticationResult=Error
     Related Events
     Authentication Details
    Logged At:
    March 11,2015 7:00:13.374 AM
    Occurred At:
    March 11,2015 7:00:13.374 AM
    Server:
    ISE-TDS
    Authentication Method:
    dot1x
    EAP Authentication Method :
    EAP-TLS
    EAP Tunnel Method :
    Username:
    [email protected]
    RADIUS Username :
    host/LENOVO-PC.tdsouth.com
    Calling Station ID:
    00:26:82:F1:E6:32
    Framed IP Address:
    Use Case:
    Network Device:
    WLC
    Network Device Groups:
    Device Type#All Device Types,Location#All Locations
    NAS IP Address:
    192.168.1.225
    NAS Identifier:
    WLC-TDS
    NAS Port:
    4
    NAS Port ID:
    NAS Port Type:
    Wireless - IEEE 802.11
    Allowed Protocol:
    TDS-PEAP-TLS
    Service Type:
    Framed
    Identity Store:
    AD1
    Authorization Profiles:
    Active Directory Domain:
    tdsouth.com
    Identity Group:
    Allowed Protocol Selection Matched Rule:
    TDS-WLAN-DOT1X-EAP-TLS
    Identity Policy Matched Rule:
    Default
    Selected Identity Stores:
    Authorization Policy Matched Rule:
    SGA Security Group:
    AAA Session ID:
    ISE-TDS/215430381/40
    Audit Session ID:
    c0a801e10000007f54ffe828
    Tunnel Details:
    Cisco-AVPairs:
    audit-session-id=c0a801e10000007f54ffe828
    Other Attributes:
    ConfigVersionId=7,Device Port=32768,DestinationPort=1812,RadiusPacketType=AccessRequest,Protocol=Radius,Framed-MTU=1300,State=37CPMSessionID=c0a801e10000007f54ffe828;30SessionID=ISE-TDS/215430381/40;,Airespace-Wlan-Id=1,CPMSessionID=c0a801e10000007f54ffe828,EndPointMACAddress=00-26-82-F1-E6-32,GroupsOrAttributesProcessFailure=true,Device Type=Device Type#All Device Types,Location=Location#All Locations,Device IP Address=192.168.1.225,Called-Station-ID=e0-d1-73-28-a7-70:TDS-Corp
    Posture Status:
    EPS Status:
     Steps
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15048  Queried PIP
    15048  Queried PIP
    15048  Queried PIP
    15048  Queried PIP
    15004  Matched rule
    11507  Extracted EAP-Response/Identity
    12500  Prepared EAP-Request proposing EAP-TLS with challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12502  Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
    12800  Extracted first TLS record; TLS handshake started
    12805  Extracted TLS ClientHello message
    12806  Prepared TLS ServerHello message
    12807  Prepared TLS Certificate message
    12809  Prepared TLS CertificateRequest message
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12571  ISE will continue to CRL verification if it is configured for specific CA
    12571  ISE will continue to CRL verification if it is configured for specific CA
    12811  Extracted TLS Certificate message containing client certificate
    12812  Extracted TLS ClientKeyExchange message
    12813  Extracted TLS CertificateVerify message
    12804  Extracted TLS Finished message
    12801  Prepared TLS ChangeCipherSpec message
    12802  Prepared TLS Finished message
    12816  TLS handshake succeeded
    12509  EAP-TLS full handshake finished successfully
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    Evaluating Identity Policy
    15006  Matched Default Rule
    24433  Looking up machine/host in Active Directory - [email protected]
    24492  Machine authentication against Active Directory has failed
    22059  The advanced option that is configured for process failure is used
    22062  The 'Drop' advanced option is configured in case of a failed authentication request
    But the user can authenticated by EAP-TLS
    AAA Protocol > RADIUS Authentication Detail
    RADIUS Audit Session ID : 
    c0a801e10000007f54ffe828
    AAA session ID : 
    ISE-TDS/215430381/59
    Date : 
    March     11,2015
    Generated on March 11, 2015 2:48:43 PM ICT
    Actions
    Troubleshoot Authentication 
    View Diagnostic MessagesAudit Network Device Configuration 
    View Network Device Configuration 
    View Server Configuration Changes
    Authentication Summary
    Logged At:
    March 11,2015 7:27:32.475 AM
    RADIUS Status:
    Authentication succeeded
    NAS Failure:
    Username:
    [email protected]
    MAC/IP Address:
    00:26:82:F1:E6:32
    Network Device:
    WLC : 192.168.1.225 :  
    Allowed Protocol:
    TDS-PEAP-TLS
    Identity Store:
    AD1
    Authorization Profiles:
    TDS-WLAN-PERMIT-ALL
    SGA Security Group:
    Authentication Protocol :
    EAP-TLS
     Authentication Result
    [email protected]
     State=ReauthSession:c0a801e10000007f54ffe828
     Class=CACS:c0a801e10000007f54ffe828:ISE-TDS/215430381/59
     Termination-Action=RADIUS-Request
     cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-508adc03
     MS-MPPE-Send-Key=5a:9a:ca:b0:0b:2a:fe:7d:fc:2f:8f:d8:96:25:50:bb:c8:7d:91:ba:4c:09:63:57:3e:6e:4e:93:5d:5c:b0:5d
     MS-MPPE-Recv-Key=24:fa:8d:c3:65:94:d8:29:77:aa:71:93:05:1b:0f:a5:58:f8:a2:9c:d0:0e:80:2d:b6:12:ae:c3:8c:46:22:48
     Airespace-Wlan-Id=1
     Related Events
     Authentication Details
    Logged At:
    March 11,2015 7:27:32.475 AM
    Occurred At:
    March 11,2015 7:27:32.474 AM
    Server:
    ISE-TDS
    Authentication Method:
    dot1x
    EAP Authentication Method :
    EAP-TLS
    EAP Tunnel Method :
    Username:
    [email protected]
    RADIUS Username :
    [email protected]
    Calling Station ID:
    00:26:82:F1:E6:32
    Framed IP Address:
    Use Case:
    Network Device:
    WLC
    Network Device Groups:
    Device Type#All Device Types,Location#All Locations
    NAS IP Address:
    192.168.1.225
    NAS Identifier:
    WLC-TDS
    NAS Port:
    4
    NAS Port ID:
    NAS Port Type:
    Wireless - IEEE 802.11
    Allowed Protocol:

    Hello,
    I am analyzing your question and seeing the ISE logs i can see that the machine credentials was LENOVO-PC. Do you have shure that these credentials has in your Active Directory to validate this machine ? The machine certificate has the correct machine credentials from the domain ? The group mapped in the ISE rule has the machine inside this group ?
    Differently from the user authentication that happens with success because the domain credentials can be validate from the Active Directory and get access to the network.

  • %HA_EM-3-LOG: NAC-RADIUS-FAIL-OPEN-DEAD: All RADIUS servers are dead changing the nac-enforcement ACL to permit all

    We just implemented ISE 802.1x in couple of our  Cisco 4507 switches  and we are seeing the following error in the log.
    %HA_EM-3-LOG: NAC-RADIUS-FAIL-OPEN-DEAD: All RADIUS servers are dead changing the nac-enforcement ACL to permit all
    I paste it in the Cisco error message decoder and came back with not found.
    Thanks...

    Jimmy,
    Srory for the late reply but it turned out to be we needed to add the missing auth data vlan command on the switch. After that the error went away.
    Thanks for you input I do appreciate it.
    Jack.

  • Should ACL be applied on port in Closed mode

    Hi,
    while reading about Closed mode deployment of ISE, I came across conflict in Cisco's "HowTo-10-Universal_Switch_Config" and "HowTo-25-Closed_Mode" documents.
    According to "HowTo-10-Universal_Switch_Config", in Closed Mode, we need to apply a ACL on switch port as follows 
    ip access-list ext ACL-DEFAULT
    remark DHCP
    permit udp any eq bootpc any eq bootps
    remark DNS
    permit udp any any eq domain
    remark Ping
    permit icmp any any
    remark PXE / TFTP
    permit udp any any eq tftp
    remark Drop all the rest
    deny ip any any log
    But according to "HowTo-25-Closed_Mode", in Closed Mode, we don't apply this ACL on switchport.
    So my question is, if the ACL need to applied on Switchport or not..and how it will affect switchport 
    Thanks,
    Aditya

    Hello Aditya-
    Very good question. The default ACL will always be there on the switch weather you configure one or not. Check out this document:
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_1_se/configuration/guide/3750xcg/sw8021x.html#pgfId-1193896
    You have two options:
    1. Create your own default ACL to avoid the default one (that only allows DHCP). Your default ACL should be more permissive than the default one. For instance, mine always included "permit ip any any." That way authenticated and authorized hosts are not blocked from accessing any resources on the network. 
    2. Always return a DACL in your ISE authorization profiles (even if it is just "permit ip any any". That way the default-ACL is removed
    I prefer method number #2 that way I don't have to bother with the default ACL and it also allows me to control traffic based on the different authorization profiles and DACLs that I apply.
    I hope this helps!
    Thank you for rating helpful posts!

  • Duplicate IP 0.0.0.0 Conflict on 802.1X Windows 7 Clients

    Hi,
    Ever since we implemented ISE 1.x with 802.1X authentication about two years ago, a number of our Windows 7 user stations occassionally report the well known error message: "duplicate ip 0.0.0.0" . Only wired stations are affected and it happens randomly but not frequently. On further investigation I found that the conflicting device mac address in every case is in fact the bia of the switch port that the Windows 7 PC client is connected. The characteristics of each case is consistent with the Cisco device tracking process as detailed in TAC Document ID: 116529, Updated: Oct 09, 2013
         http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/8021x/116529-problemsolution-product-00.html
    We have Cisco C6500 access switches with IOS Ver: 12.2(33)SXJ1.The output of "Show ip device track all" command on the switches:
     access-switch#sh ip device track all
     IP Device Tracking = Enabled
     IP Device Tracking Probe Count = 3
     IP Device Tracking Probe Interval = 30
    I found that Cisco recommends three Solution options as follows:
     1. ip device tracking probe delay 10
     2. ip device tracking probe use-svi
     3. ip device tracking probe interval <seconds>
    However, the ios only shows track probe "count" and "interval" for change. There is no option to change the probe delay or use-svi in this IOS.
    What is your advice?
    Many thanks.
    Sankung

    You may have a look at this document if you have not seen it yet. It goes over device tracking a little more in detail and possible workarounds.
    http://tekdigest.blogspot.com/2013/11/windows-7-with-address-conflict-for-ip.html
    HTH
    luke

  • ISE 1.2 - WLC 5508 (7.5x) - Windows 7 802.1X

    Hi ,
    We deployed ISE 1.2 (patch 3) with 5580 WLC to authenticate machines and users using 802.1x .
    We are experiencing a strange issue - randomly some machines authenticate fine over wireless and we are able to see logs on ISE and nexst day the same machine stops authenticating itself and ISE doesnt generate any log.. seems like somehow no request is coming to ISE.
    we have checked all the settings including wireless settings ,services, 802.1x settings on the laptop but struggling to find the a reason why randomly machine would work and then not work.
    whenever a machine works we see all the logs but when a machine doesnt work no log is generated in ise.
    has anyone experienced a similar issue?
    Thanks

    Thanks, we have figured it out.
    Machine Auth timer would expire after 12 hours and ISE had another setting where it would blacklist the client and supress logs for an hour if it sees more then certain amount of failed authentication attempts.
    Thanks

  • ISE 1.2, Supplicant configured for 802.1x but need to MAB

    I posted this yesterday but deleted the thread thinking I had fixed the issue - alas I was wrong. In summary I have a scenario where I am doing wired 802.1x and also wired MAB/CWA. The issue is that a certain number of external/BYOD hosts have supplicants configured for 802.1x at their "home" organisations which for obvious reasons can't authenticate on this network. The idea is that MAB and CWA become a fallback but these hosts in question don't efficiently fail to MAB.
    If the host has validate server certificates enabled (and doesn't have our root selected) then 802.1x fails and goes to MAB as per the tx timers etc. Hosts that don't validate certificates essentially fail authentication, abandon the EAP session and start new... this process seems to continue for a very long time.
    Does anyone have any similoar experiences and if so can you provide some info? I am looking into tweaking 802.1x port timers to make this fail quicker/better but am not confident this will fix the issue.
    Thanks in advance

    Maybe the held-period and quite-period parameters would help.  I would not change the TX period to anything shorter than 10 seconds.  Every cisco doc that I have ever seen has said this same recomendation and I can tell you from experience you will have devices at times that will authenticate via MAB when you dont want them to if you decrease lower than 10 seconds. 
    Read this doc for best pratices including the timers listed below.  
    I hope this link works.  http://d2zmdbbm9feqrf.cloudfront.net/2014/eur/pdf/BRKSEC-3698.pdf
    If not goto www.ciscolive365.com (signup if you havn't already) and search for
    "BRKSEC-3698 - Advanced ISE and Secure Access Deployment (2014 Milan) - 2 Hours"
    Change the dot1x hold, quiet, and ratelimit-period to 300. 
    held-period seconds
    Configures the time, in seconds for which a supplicant will stay in the HELD state (that is, the length of time it will wait before trying to send the credentials again after a failed attempt). The range is from 1 to 65535. The default is 60.
    quiet-period seconds
    Configures the time, in seconds, that the authenticator (server) remains quiet (in the HELD state)
    following a failed authentication exchange before trying to reauthenticate the client. For all platforms except the Cisco 7600 series Switch, the range is from 1 to 65535. The default is 120.
    ratelimit-period seconds
    Throttles the EAP-START packets that are sent from misbehaving client PCs (for example, PCs that send EAP-START packets that result in the wasting of switch processing power). The authenticator ignores EAPOL-Start packets from clients that have successfully authenticated For the rate-limit period duration. The range is from 1 to 65535. By default, rate limiting is disabled.

Maybe you are looking for

  • Battery issue on Satellite U400

    I bought my Dad a Satellite U400 10J laptop for his birthday just under 2 years ago. Being over 60 and not too enthusiatic about using a laptop, he left the unit in his cupboard for close to a year before turning on. The first problem materialsed wit

  • Error in run Hyperion S9 EPM Architect Process Manager

    and i installing Hyperion 9.3.1 winxpSP2 I can't able to start the following services. -> Hyperion S9 EPM Architecht process Manager -> Hyperion S9 EPM Architecht job Manager -> Hyperion S9 EPM Architecht Event Manager -> Hyperion S9 EPM Architecht E

  • PDF to

    Hello everyone, I've been using Adobe Acrobat Pro 9 to convert PDF files to PDF/a and recently added a batch process to take care of the task. Anytime the process is executed, a copy of the original file (the file being converted) with "_A1b" tagged

  • How can i use 3d models without open gl in PScc?

    i dont know if i have a open gl function. when i go to the  pres i dont have the option to activate open gl.. anyone can calp me please. thanks alot

  • How do I get Firefox for Android to OPEN a document instead of Download it?

    I have an android tablet and am using a web application that has links to Word documents. I need this to be very simple for the end user. By default Firefox downloads the file (which is on a share on our server). The user then has to find it and open