Hi Charlie,
A few details required to give you a specific response. What's the port
config (Cisco switch?), switch and Windows versions?
When a device goes to sleep, some devices would 'shutdown' their NIC, while
others would leave the NIC in a somewhat UP state. The difference is that
when the PC NIC is shutdown, the switchport loses its
authenticated&&authorized state and therefore a full re-authc must occur
upon a WakeUP for the PC.
Now, I have seen this behaviour in the past testing WinXP (many many years
back so the details are a bit foggy - excuse me). When you put the PC to
sleep, the NIC momentarily shuts down but then comes back UP. At this point
in time, since the PC is 'asleep' then there are no credentials to perform
an 802.1X authentication and the port ends up in the Guest VLAN, per your
policy. This is where the configuration can change things; if MAB is
configured as a fallover authentication method or not. So far all is
expected.
When the PC boots back up, if EAPoL Start is configured (not enabled by
default on some Windows versions), it should trigger authentication by
sending an EAPoL Start frame and the PC should successfully authenticate
and end up in the right VLAN/Policy.
Anyway, let us know what you have configured and what you are seeing.
HTH,
Sadiq
On Thu, Mar 14, 2013 at 2:33 PM, Charlie_CA <spycharlies_at_gmail.com> wrote:
> Hi Experts,
>
> I have been playing with ISE over the last few days, and noticed a problem
> when Windows goes to sleep...
>
> I have a few policies including
>
> 1. If a machine authenticates via Active Directory, it is granted full
> access
> 2. If a user authenticates via AD (with Machine already authenticated) =
> grants full access
> 3. All other 802.1x is granted partial access = Guest VLAN
>
> The issue is when Windows goes to sleep, authenticated AD users and machine
> are put on Guest VLAN; when I log back in, it still remains on Guest VLAN.
> My temporary solution was to completely log off the computer and log back in
> so Windows can re-authenticate.
>
> If this was in production, it will be a mess getting everyone to log off
> and log back in. Have you witnessed this? How did you solve it?
>
> Thanks
>
> ~
>
> Charlie
-- CCIEx2 (R&S|Sec) #19963
Blogs and organic groups at http://www.ccie.net
Received on Thu Mar 14 2013 - 15:50:13 ART
This archive was generated by hypermail 2.2.0 : Wed Apr 03 2013 - 19:06:19 ART
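
The sleep/wake sequence described in the reply above, as an added example that is not part of the original thread: a simplified model of the switch port that shows why the port stays in the Guest VLAN after wake unless the supplicant sends an EAPoL Start. The class, function and VLAN names are assumptions, and the model assumes valid credentials, no MAB and no periodic re-authentication.

```python
GUEST_VLAN, CORP_VLAN = "guest", "corp"   # assumed VLAN names


class Port:
    """Simplified 802.1X authenticator port (illustrative model only)."""

    def __init__(self):
        self.vlan = None          # None = unauthorized, no access
        self.history = []         # (reason, resulting VLAN) per transition

    def _move(self, vlan, reason):
        self.vlan = vlan
        self.history.append((reason, vlan))

    def link_flap(self, supplicant_awake):
        # Link down clears the authenticated and authorized session.
        self._move(None, "link down, session cleared")
        # Link up: the switch starts 802.1X towards the host.
        if supplicant_awake:
            self._move(CORP_VLAN, "supplicant answered, 802.1X success")
        else:
            # A sleeping host has no credentials to offer, so the
            # no-response policy puts the port in the Guest VLAN.
            self._move(GUEST_VLAN, "no EAPoL response, guest VLAN")

    def eapol_start(self):
        # Supplicant-initiated trigger: authentication restarts.
        self._move(None, "EAPoL Start received, re-authenticating")
        self._move(CORP_VLAN, "802.1X success")


def sleep_wake_cycle(eapol_start_enabled):
    """Return (final VLAN, history) after boot, sleep and wake."""
    port = Port()
    port.link_flap(supplicant_awake=True)    # normal boot and login
    port.link_flap(supplicant_awake=False)   # NIC flaps as the PC sleeps
    # On wake the link is already up, so the switch sees no new trigger;
    # only the supplicant can restart authentication.
    if eapol_start_enabled:
        port.eapol_start()
    return port.vlan, port.history


if __name__ == "__main__":
    for enabled in (False, True):
        vlan, history = sleep_wake_cycle(enabled)
        print(f"EAPoL Start enabled={enabled}: final VLAN={vlan}")
        for reason, result in history:
            print(f"    {reason} -> {result}")
```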