
Inactive Windows 7 supplicant tries to reauthenticate every 4 to 10 minutes in Cisco ISE 1.2.1.899

Hi,

We have a dashboard Windows 7 supplicant which is being used for monitoring the network activities. There is no one working with this supplicant, so it goes inactive.

What we see in our ISE log is the supplicant trying to reauthenticate itself every 4 to 10 minutes. It goes on like this the whole day. We don't want this continuous behaviour after all.

Switch port configuration looks like this:

interface FastEthernet0/31
 description 802.1x Poort
 switchport access vlan xxx
 switchport mode access
 switchport nonegotiate
 switchport voice vlan xxx
 no logging event link-status
 priority-queue out
 authentication control-direction in
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication timer inactivity 120
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout quiet-period 300
 dot1x timeout tx-period 10
 dot1x timeout supp-timeout 300
 dot1x max-reauth-req 3
 dot1x timeout held-period 300
 dot1x timeout auth-period 3
 no mdix auto
 storm-control broadcast level 10.00
 storm-control multicast level 10.00
 no cdp enable
 spanning-tree portfast
 service-policy input xxxx
end

Has anyone got this same issue? Is this normal behaviour for an idle supplicant, or another issue around ISE/switch? Is there any switch configuration we are missing to get rid of this behaviour?

ISE Version: 1.2.0.899
Patch Information: 5,6,8

Help would be much appreciated

2 Replies

jan.nielsen
Level 7

What do you mean by "idle" supplicant? Is the PC going into sleep/hibernate, or do you mean no user is logged in to the PC?

Also, your auth timers are very far from the suggested ones in the TrustSec guides. Any particular reason for this?

Hi Jan,

Thank you for your reply. Indeed those timer values were not covered in the ISE design guide. We have implemented this timer to tweak the standard design. However we have finally discovered the solution for this issue.

"authentication timer inactivity 120" was the root cause of the issue. So when a workstation goes idle, ISE tries to re-authenticate after 2 minutes because of this switch port configuration.

We have tried to expand the timer to 3600 and it worked, issue fixed. But you will then have the same result every hour (not a big issue).

And yes, we have deleted all those timer values to keep the configuration as simple as possible. Now we don't have the issue anymore.
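
An added example, not part of the original thread or any Cisco tooling: a small audit that scans IOS-style interface configuration for ports using `authentication port-control auto` whose `authentication timer inactivity` value is below a threshold. The 3600-second threshold (taken from the value reported as working above), the function names and the sample configuration are assumptions made for illustration.

```python
import re

# Assumption: report timers below the value the thread reports as working.
MIN_INACTIVITY = 3600

# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
interface FastEthernet0/31
 authentication port-control auto
 authentication timer inactivity 120
 mab
!
interface FastEthernet0/32
 authentication port-control auto
 authentication timer inactivity 3600
!
interface FastEthernet0/33
 authentication timer inactivity 60
"""

def parse_interfaces(config):
    """Split IOS-style config text into {interface name: [sub-commands]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line in ("!", "end") or not line:
            current = None  # separator or end of config closes the block
        elif current is not None:
            blocks[current].append(line)
    return blocks

def short_inactivity_timers(config, minimum=MIN_INACTIVITY):
    """Return [(interface, seconds)] for authenticated ports with a timer below minimum."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if "authentication port-control auto" not in cmds:
            continue  # port does not enforce authentication, so the timer is moot
        for cmd in cmds:
            # Numeric form only; other forms of the command are not matched.
            m = re.fullmatch(r"authentication timer inactivity (\d+)", cmd)
            if m and int(m.group(1)) < minimum:
                findings.append((name, int(m.group(1))))
    return findings

if __name__ == "__main__":
    for port, secs in short_inactivity_timers(SAMPLE):
        print(f"{port}: inactivity timer {secs}s is below {MIN_INACTIVITY}s")
```
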
