After a client has successfully completed wired dot1x authentication, my authZ rule is followed by the VLAN assignment, whereby the DHCP server provisions a client IP to the PC.
But when the client does these 2 actions:
1. after getting connected, disable the IEEE 802.1x option in the PC Ethernet port settings
2. after getting connected, disable, then enable the PC Ethernet port (bouncing)
I found out these 2 actions still leave the user in the authorized state, because neither is a link-down or port-bounce action. The session still persists at the client PC.
My question: is there anything I can configure, either on the switch or on ISE, that will automatically trigger an action like sending an EAPOL-Logoff message, causing the switch port to change to the unauthorized state?
Component in use:
Client OS: Windows 7, PEAP-MSCHAPv2
Authentication mode: user or computer authentication
- no check on single sign on
- no check on remember credentials for this connection each time I'm logged on
- no check on fallback to unauthorized network access
ISE 1.1.3 with patch 4
Switchport configuration:
interface G0/1
 switchport mode access
 switchport access vlan 61
 authentication port-control auto
 dot1x pae authenticator
 authentication host-mode multi-auth
 authentication order dot1x
 authentication priority dot1x mab
 no shutdown
end
For #2 - The session should terminate and restart if the Ethernet adapter on the PC bounces. Are you saying that even though the user disables/enables the adapter, the session remains active in ISE/NAD?
For #1 - I am not really sure as I have never played with this before. My guess would be "No" because once ISE sends the "Access Accept" back to the NAD (your switch in this scenario), the NAD won't know if you are disabling 802.1x. The EAPoL conversation already took place so there is no more 802.1x type traffic coming in and out of the NAD/Client on that port.
I suppose you can set a re-auth and inactivity timer on both the NAD and ISE, but keep in mind that it is not recommended for those timers to be set at low values (minimum 1 hour). Otherwise you could overwhelm your ISE servers depending on how large your environment is.
You will need to add the following commands on the switchport:
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
Then in ISE you will need to set the re-auth and the idle timers under the "Authorization Profile".
Another thing to keep in mind is that you should control what your users can and cannot do on their workstations via GPO (Group Policy). In normal circumstances a regular user should not have the privileges to disable 802.1x or their Ethernet adapter :)
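Putting the two halves of the reply together, here is an added example of the complete switchport configuration with the reauthentication and inactivity timers driven by the RADIUS server. This is an illustration written for this thread, not configuration from the original poster, the replier or Cisco; it reuses the interface name and VLAN from the question, and the comments on which RADIUS attributes ISE sends are my assumptions about standard behaviour rather than something stated in the thread.

```cisco
! Constructed example (Cisco IOS, classic authentication-manager syntax):
! the poster's interface config plus the timer commands from the reply.
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 61
 authentication port-control auto
 authentication host-mode multi-auth
 authentication order dot1x
 authentication priority dot1x mab
 ! Without 'authentication periodic' the reauthenticate timer below is not used.
 authentication periodic
 ! 'server' means the values come from the RADIUS Access-Accept: ISE supplies
 ! Session-Timeout (attribute 27) for reauth and Idle-Timeout (attribute 28)
 ! for inactivity; a local value (e.g. 'reauthenticate 3600') is the fallback.
 authentication timer reauthenticate server
 authentication timer inactivity server
 dot1x pae authenticator
 no shutdown
!
! Caveat: neither timer detects the PC disabling 802.1x at the moment it happens.
! The session only drops when the reauth timer fires and the supplicant no longer
! answers the EAP-Request/Identity, or when the inactivity timer expires with no
! traffic seen from the host.
```

On the ISE side the matching values are sent from the Authorization Profile: the Reauthentication option under Common Tasks sets Session-Timeout (and its "Maintain Connectivity During Reauthentication" choice sets Termination-Action to RADIUS-Request so the session is refreshed rather than torn down), and Idle-Timeout can be added under Advanced Attributes Settings. After a client authenticates, `show authentication sessions interface GigabitEthernet0/1` shows the session timeout and idle timeout that were actually applied, which is the quickest way to confirm the switch accepted the server-supplied values.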