Cisco Support Community

New Member

Automatic client re-authentication

Do people generally enable automatic re-authentication? I am having issues with re-authentication overnight when users are not logged in to their machines. They come in the next morning to find their machine authenticated but unauthorized. I am running in closed mode, so they don't get an IP address at that point. Thanks.

New Member

I have configured re-auth,

I have configured re-auth, but my customers have all backed out of it because it is a nuisance... it's always funny when someone invests in security and then loosens up because it's a nuisance...

Anyhow, are you doing machine and user auth, or just user?

Are you using the native supplicant or NAM?

When you say they find their machine authenticated, but not authorized, please clarify. Where are they seeing this? In the monitor logs? What authZ profile is being applied?

New Member

Thanks Michael. I ended up

Thanks Michael. I ended up disabling the reauth earlier because the issue was just too random and I didn't have time for a deep dive. 

But I am doing just MAB currently. They were authenticated, but not authorized because the DACL wasn't getting applied because they weren't getting an IP address. Since I'm running in closed mode, they weren't getting an IP address that could be applied to the DACL, so it was a double issue. No IP, no DACL.

New Member

Do you have the pre-auth ACL

Do you have the pre-auth ACL on the switchport? And is it allowing DNS and DHCP? 

DHCP requests are sent prior to ISE coming into play. 

Additionally, the DACL has nothing to do with the IP address of the machine; the DACL is strictly between the switch and ISE. However, I do see what you're getting at with the DACL not having the IP of the machine.

If there is no IP, I would start with checking the pre-auth ACL on the switch, and the DACL that is applied to the MAB sessions.

New Member

I am running in closed mode,

I am running in closed mode, so there is not a pre-auth DACL on the port. I guess I could put one that allowed DHCP, but the main reason I moved to closed mode is because I'm doing a lot of dynamic VLAN assignment, and having DHCP allowed would cause issues with clients who need to have their VLAN changed.
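Added illustration, not posted by anyone in the thread: a classic IOS (15.x syntax) switchport that brings together the pieces discussed above (periodic reauth driven by ISE, the pre-auth ACL, and the IP device tracking a dACL depends on). Interface name, VLAN number and ACL name are placeholders, and the global AAA/RADIUS definitions plus `dot1x system-auth-control` are assumed to already exist.

```cisco
! Pre-auth ACL: the minimum an endpoint needs when no dACL is in place.
! It only gates pre-authentication traffic when the port also carries
! 'authentication open' (low-impact mode). On a closed-mode port nothing
! but EAPOL is forwarded before authorization, so DHCP cannot complete
! there no matter what this ACL permits, which matches what the OP saw.
ip access-list extended PRE-AUTH
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 deny   ip any any

! A dACL is downloaded from ISE with 'any' as its source; the switch
! replaces that with the endpoint's learned IP. Without IP device
! tracking there is no learned IP and the dACL cannot be applied,
! which is the "no IP, no DACL" symptom described in the thread.
ip device tracking

interface GigabitEthernet1/0/1
 description Closed-mode MAB/802.1X port with server-driven reauth
 switchport mode access
 switchport access vlan 10
 ip access-group PRE-AUTH in
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! No 'authentication open' here = closed mode (the OP's setup).
 ! Adding 'authentication open' turns this into low-impact mode,
 ! where PRE-AUTH lets DHCP/DNS through before ISE authorizes.
 authentication periodic
 ! 'server' takes the reauth interval from the RADIUS Session-Timeout
 ! attribute, so the period is set per authorization profile in ISE
 ! instead of as one fixed value on every port.
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

With `authentication timer reauthenticate server`, a profile that omits Session-Timeout simply never reauthenticates, so the overnight behaviour the OP describes can be controlled per ISE authorization profile rather than per switch.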