Cisco Support Community
An issue with authentication and authorization on ISE 1.2

Hi, I'm new to ISE.

I have an issue with authentication and authorization.

I have ISE 1.2 plus patch 6 installed on VMware.

I have the built-in Windows XP supplicant and a Cisco 2960 switch running IOS c2960-lanbasek9-mz.150-2.SE5.bin.

On supplicant I use EAP(PEAP) with EAP-MSCHAP v2.

I created authentication and authorization rules with Active Directory as the External Identity Source. I also applied an authorization profile with a DACL. I log in on the Windows XP machine under different Active Directory accounts. Everything works fine (authentication, authorization), but only for several hours. After several hours have passed, authentication and authorization stop working. I can see that ISE is trying to authenticate and authorize users, but ISE always uses only one account for authentication and authorization. Even if I log in under different accounts, ISE continues to use only the last account.

I tried rebooting the switch and the PC, but it didn't help. Only rebooting ISE helps. After an ISE reboot, authentication and authorization work properly again for several hours.

I don't understand: is it a glitch, or have I misconfigured ISE, the switch or the supplicant?

What  should I do to resolve this issue?

Switch configuration:

testISE#sh runn
Building configuration...

Current configuration : 7103 bytes
! Last configuration change at 12:20:15 Tue Apr 15 2014
! NVRAM config last updated at 10:35:02 Tue Apr 15 2014
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname testISE
boot-start-marker
boot-end-marker
no logging console
logging monitor informational
enable secret 5 ************
enable password ********
username radius-test password 0 ********
username admin privilege 15 secret 5 ******************
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
 client 172.16.0.90 server-key ********
aaa session-id common
clock timezone 4 0
system mtu routing 1500
authentication mac-move permit
ip dhcp snooping vlan 1,22
ip dhcp snooping
ip domain-name elauloks
ip device tracking probe use-svi
ip device tracking
epm logging
crypto pki trustpoint TP-self-signed-1888913408
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1888913408
 revocation-check none
 rsakeypair TP-self-signed-1888913408
crypto pki certificate chain TP-self-signed-1888913408
dot1x system-auth-control
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
ip ssh version 2
interface FastEthernet0/5
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 1
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
interface FastEthernet0/6
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 1
 authentication event server alive action reinitialize
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
interface FastEthernet0/7
interface Vlan1
 ip address 172.16.0.204 255.255.240.0
 no ip route-cache
ip default-gateway 172.16.0.1
ip http server
ip http secure-server
ip access-list extended ACL-ALLOW
 deny   icmp any host 172.16.0.1
 permit ip any any
ip radius source-interface Vlan1
logging origin-id ip
logging source-interface Vlan1
logging host 172.16.0.90 transport udp port 20514
snmp-server community public RO
snmp-server community ciscoro RO
snmp-server trap-source Vlan1
snmp-server source-interface informs Vlan1
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server host 172.16.0.90 ciscoro
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
radius server ISE-Alex
 address ipv4 172.16.0.90 auth-port 1812 acct-port 1813
 automate-tester username radius-test idle-time 15
 key ******
ntp server 172.16.0.1
ntp server 172.16.0.5
end

 

 

 

 

 

 

 

 

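A config check worth running before chasing the ISE side, as an added example that is not part of the original post and not Cisco's or the poster's code: the two authenticator ports in the posted running-config are not identical (FastEthernet0/5 has `authentication host-mode multi-auth`, FastEthernet0/6 does not), both run in open (monitor) mode behind a pre-auth ACL that ends in `permit ip any any`, and the global config keeps an `enable password` alongside the `enable secret`, has `service password-encryption` off, and carries the well-known SNMP community `public`. The script below parses a `show running-config` text into top-level lines and their indented sub-commands (it tolerates the stray `!` pasted into the Fa0/6 stanza), reports commands that differ between dot1x ports, compares each port against `PORT_TEMPLATE` (an assumed auditor's template for a closed-mode dot1x/MAB port, not a Cisco default), and lists the weak global settings. `SAMPLE_CONFIG` is a constructed excerpt of the posted config with secrets masked; it does not diagnose the ISE session behaviour described above, it only rules out switch-side inconsistencies first.

```python
"""Audit an IOS 802.1X/MAB access-switch running-config (added example)."""
import json
import re

# Constructed excerpt of the running-config posted in the thread (secrets masked).
SAMPLE_CONFIG = """\
no service password-encryption
hostname testISE
enable secret 5 ************
enable password ********
dot1x system-auth-control
interface FastEthernet0/5
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
interface FastEthernet0/6
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication open
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
!
 dot1x pae authenticator
interface FastEthernet0/7
ip access-list extended ACL-ALLOW
 deny   icmp any host 172.16.0.1
 permit ip any any
snmp-server community public RO
snmp-server community ciscoro RO
end
"""

# Assumed auditor's template for a closed-mode dot1x/MAB port (not a Cisco default).
PORT_TEMPLATE = (
    "authentication host-mode multi-auth",
    "authentication port-control auto",
    "authentication periodic",
    "authentication timer reauthenticate server",
    "authentication violation restrict",
    "mab",
    "dot1x pae authenticator",
)

def parse_ios_config(text):
    """Map each top-level line to its indented sub-commands.
    IOS nests sub-commands by a leading space under the preceding top-level
    line; '!' lines are separators and never end a stanza, so the stray '!'
    inside Fa0/6 in the posted config does not split that interface."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0] in " \t" and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections[current] = []
    return sections

def dot1x_ports(sections):
    """Interfaces configured as 802.1X authenticators."""
    return {n: c for n, c in sections.items()
            if n.startswith("interface ") and "dot1x pae authenticator" in c}

def port_differences(sections):
    """Commands present on some dot1x ports but absent on others: the first
    thing to check when ports that should be identical behave differently."""
    ports = dot1x_ports(sections)
    every = set().union(*ports.values()) if ports else set()
    return {cmd: sorted(n for n, c in ports.items() if cmd not in c)
            for cmd in sorted(every) if any(cmd not in c for c in ports.values())}

def missing_from_template(sections):
    """Template commands each dot1x port lacks."""
    return {n: [t for t in PORT_TEMPLATE if t not in c] for n, c in dot1x_ports(sections).items()}

def global_findings(sections):
    """Weak global settings visible in the posted config."""
    found = []
    if "no service password-encryption" in sections:
        found.append("service password-encryption disabled: type-0 passwords stay in clear text")
    if any(k.startswith("enable password ") for k in sections):
        found.append("enable password present alongside enable secret; remove the weaker one")
    for k in sections:
        m = re.match(r"snmp-server community (\S+) ", k)
        if m and m.group(1).lower() in ("public", "private"):
            found.append(f"well-known SNMP community '{m.group(1)}' configured")
    return found

def interface_findings(sections):
    """Per-port notes: open (monitor) mode and a permissive pre-auth ACL."""
    notes = {}
    for n, cmds in dot1x_ports(sections).items():
        notes[n] = []
        if "authentication open" in cmds:
            notes[n].append("authentication open: traffic forwarded before/without a successful authentication")
        for c in cmds:
            m = re.match(r"ip access-group (\S+) in", c)
            if m and "permit ip any any" in sections.get(f"ip access-list extended {m.group(1)}", []):
                notes[n].append(f"pre-auth ACL {m.group(1)} ends in 'permit ip any any'")
    return notes

def audit(text):
    """Run every check and return one report dictionary."""
    s = parse_ios_config(text)
    return {"port_differences": port_differences(s), "missing_from_template": missing_from_template(s),
            "global": global_findings(s), "interfaces": interface_findings(s)}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_CONFIG), indent=2))
```

Run it against a full `show running-config` capture by reading the file into `audit()`; on the posted config it reports `authentication host-mode multi-auth` as the only command differing between the two authenticator ports, which is the kind of per-port drift to fix (or document as intentional) before comparing ISE live-log entries for the two ports.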