I am experiencing a very strange problem with the built-in 802.1X supplicant on Windows 7. I have about 200 computers, and I run 802.1X on all of them. I use machine certificates and EAP-TLS for 802.1X. The switch is configured to use 802.1X first and MAB as failover (see the config below).
Random computers fail 802.1X. The switch cannot start 802.1X with the computer, so it tries MAB because 802.1X fails. The computer doesn't match the MAB rule on ISE because that is not how it is supposed to work. If the same computer tries again the next day, it works properly with 802.1X.
I haven't configured the dot1x timeout quiet-period or dot1x timeout tx-period parameters because I have no experience with these commands.
I noticed that the failing computer is trying to authenticate with its MAC address and not the hostname as intended. I do not know why this is happening on random computers.
I hope someone can help me to solve this problem.
SWITCH1#show authentication sessions interface GigabitEthernet2/0/13
            Interface:  GigabitEthernet2/0/17
          MAC Address:  782b.cba4.f812
           IP Address:  Unknown
            User-Name:  782bcba4f812
               Status:  Authz Failed
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-host
     Oper control dir:  in
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A01FA740000022A13425681
      Acct Session ID:  0x00000398
               Handle:  0x5200031B

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Failed over

SWITCH1#show run int GigabitEthernet2/0/13
Building configuration...

Current configuration : 729 bytes
!
interface GigabitEthernet2/0/13
 description **USERPORT**
 switchport access vlan 1732
 switchport mode access
 ip access-group ACL-DEFAULT-DENY+ALL in
 srr-queue bandwidth share 1 11 11 78
 srr-queue bandwidth shape 10 0 0 0
 queue-set 2
 priority-queue out
 authentication control-direction in
 authentication host-mode multi-host
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 mls qos trust dscp
 dot1x pae authenticator
 storm-control broadcast level 10.00
 storm-control multicast level 10.00
 spanning-tree portfast
 spanning-tree guard root
 service-policy input limit-ef
end
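The symptom in the post is visible entirely on the switch side: after `dot1x` shows `Failed over`, the session's `User-Name` is the bare MAC address (the identity MAB submits) instead of the `host/...` identity the machine certificate would carry. The following is an added example, not code from the original post or from Cisco; it parses `show authentication sessions` output and flags sessions that exhibit exactly that pattern, so the output for every user port can be checked in one pass instead of by eye. The sample text is constructed: the first block mirrors the failing port from the post, the second is an invented healthy port whose EAP-TLS identity is a machine account. The `host/PC-0042.example.local` name, the second MAC and the second interface are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the layout of "show authentication sessions
# interface ..." on Cisco IOS. Block 1 mirrors the failing port from the
# post (dot1x "Failed over", User-Name equal to the MAC). Block 2 is an
# invented healthy port (assumed MAC, interface and machine identity).
SAMPLE = """\
SWITCH1#show authentication sessions interface GigabitEthernet2/0/13
            Interface:  GigabitEthernet2/0/13
          MAC Address:  782b.cba4.f812
           IP Address:  Unknown
            User-Name:  782bcba4f812
               Status:  Authz Failed
               Domain:  DATA
       Oper host mode:  multi-host
    Common Session ID:  0A01FA740000022A13425681
               Handle:  0x5200031B

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Failed over
SWITCH1#show authentication sessions interface GigabitEthernet2/0/14
            Interface:  GigabitEthernet2/0/14
          MAC Address:  0011.2233.4455
           IP Address:  10.1.250.20
            User-Name:  host/PC-0042.example.local
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-host
    Common Session ID:  0A01FA740000022B13430000
               Handle:  0x6300031C

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run
"""

# "Key:  value" lines of the session block; keys may contain spaces/hyphens.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?):\s+(.*?)\s*$")
# Rows of the "Runnable methods list" table.
METHOD_RE = re.compile(r"^\s*(dot1x|mab|webauth)\s+(.+?)\s*$")


def hex_only(s: str) -> str:
    """Reduce a MAC in any notation (782b.cba4.f812, 78:2b:...) to 12 hex digits."""
    return re.sub(r"[^0-9a-f]", "", s.lower())


@dataclass
class Session:
    interface: str
    mac: str
    user_name: str
    status: str
    methods: Dict[str, str]

    def username_is_mac(self) -> bool:
        """True when the RADIUS identity is just the MAC, i.e. MAB's identity."""
        return hex_only(self.user_name) == hex_only(self.mac)

    def fell_back_to_mab(self) -> bool:
        """The post's symptom: dot1x failed over and the identity is the MAC."""
        return self.methods.get("dot1x") == "Failed over" and self.username_is_mac()


def parse_sessions(text: str) -> List[Session]:
    """Split CLI output into one Session per 'Interface:' block."""
    sessions: List[Session] = []
    fields: Dict[str, str] = {}
    methods: Dict[str, str] = {}
    in_methods = False

    def flush() -> None:
        if fields:
            sessions.append(Session(
                interface=fields.get("Interface", ""),
                mac=fields.get("MAC Address", ""),
                user_name=fields.get("User-Name", ""),
                status=fields.get("Status", ""),
                methods=dict(methods),
            ))

    for line in text.splitlines():
        if line.strip().startswith("Runnable methods list"):
            in_methods = True
            continue
        if in_methods:
            m = METHOD_RE.match(line)
            if m:
                methods[m.group(1)] = m.group(2)
                continue
        m = FIELD_RE.match(line)
        if not m:
            continue  # prompt lines, blank lines, the "Method State" header
        key, value = m.group(1), m.group(2)
        if key == "Interface":  # a new block starts; emit the previous one
            flush()
            fields, methods, in_methods = {}, {}, False
        fields[key] = value
    flush()
    return sessions


def classify(session: Session) -> str:
    if session.fell_back_to_mab():
        return "dot1x-failed-over-to-mab"
    if session.methods.get("dot1x") == "Authc Success":
        return "dot1x-ok"
    return "other"


def report(text: str) -> Dict[str, str]:
    """Map each interface to its classification."""
    return {s.interface: classify(s) for s in parse_sessions(text)}


if __name__ == "__main__":
    for iface, verdict in report(SAMPLE).items():
        print(f"{iface}: {verdict}")
```

Feed it the concatenated output of `show authentication sessions interface ...` for all user ports (or the full `show authentication sessions` plus per-interface detail) and the `dot1x-failed-over-to-mab` entries are the hosts whose supplicant never completed EAP-TLS on that link-up. That list is what to correlate against the Windows 7 event logs on the affected machines; the switch output alone cannot say why the supplicant did not respond.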