Re: CCIE Sec/OT: Cisco ISE and windows sleep login problem

From: Brandon J Carroll <brandon.j.carroll_at_gmail.com>
Date: Thu, 14 Mar 2013 08:53:08 -0700

You might try changing the reauth period to something lower.

dot1x timeout reauth-period XXXX

This could also have something to do with WoL, or WoL may provide a workaround
for you. A port can be configured to allow only outbound frames to be
transmitted in the pre-authenticated state. A WoL packet sent to a host in
sleep/standby should cause it to wake to an operational state. If the client
is configured to automatically authenticate when prompted, it can then
authenticate to the switch port.

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_8021x/configuration/15-2mt/sec-ieee-wake-lan-supp.html

This could also be an issue with the IOS version you are running. I've seen a
number of issues resolved by upgrading to a later IOS.

I'm assuming that the client gets the proper VLAN *prior* to going into sleep
mode and it's only after a wake that it gets stuck in the guest VLAN.

Just a few ideas.

Brandon

On Mar 14, 2013, at 7:33 AM, Charlie_CA <spycharlies_at_gmail.com> wrote:

> Hi Experts,
>
> I have been playing with ISE over the last few days, and noticed a problem
> when windows goes to sleep...
>
> I have a few policies including
>
> 1. If a machine authenticates via Active Directory, it is granted full
> access
> 2. If a user authenticates via AD (with Machine already authenticated) =
> grants full access
> 3. All other 802.1x is granted partial access = Guest vlan
>
> The issue is when Windows goes to sleep, authenticated AD users and machine
> are put on Guest VLAN; when I log back in, it still remains on Guest VLAN.
> My temporary solution was to completely log off the computer and log back in
> so Windows can re-authenticate.
>
> If this was in production, it will be a mess getting everyone to log off
> and log back in. Have you witnessed this? How did you solve it?
>
> Thanks
>
> ~
>
> Charlie
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Received on Thu Mar 14 2013 - 08:53:08 ART
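
The two switch-side suggestions in the reply above (a shorter reauthentication period and 802.1X Wake-on-LAN support), sketched as an access-port configuration. This is an added example, not part of the original message or of Cisco's documentation; the interface name and the 600-second timer are assumptions, and which command form a switch accepts depends on its platform and IOS release.

```cisco
! Constructed example. Interface name and timer value are assumptions.
interface GigabitEthernet1/0/10
 switchport mode access
 dot1x pae authenticator
 authentication port-control auto
 !
 ! Suggestion 1: reauthenticate periodically, with a shorter period (seconds),
 ! so a client that woke up in the wrong state is re-evaluated without a
 ! full log off / log on.
 authentication periodic
 authentication timer reauthenticate 600
 !
 ! Suggestion 2: 802.1X with WoL. Only inbound traffic from the
 ! unauthenticated port is blocked; the switch still transmits outbound
 ! frames (such as a WoL magic packet) to the sleeping host.
 ! Trade-off: an unauthenticated device on this port can receive traffic
 ! the switch sends out of it, so limit this to ports that need WoL.
 authentication control-direction in
!
! Older "dot1x" command form of the same settings (the form quoted in the
! reply above):
!  dot1x port-control auto
!  dot1x reauthentication
!  dot1x timeout reauth-period 600
!  dot1x control-direction in
!
! Check the result after a sleep/wake cycle (method, status, assigned VLAN):
!  show authentication sessions interface GigabitEthernet1/0/10
!  show dot1x interface GigabitEthernet1/0/10 details
```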

This archive was generated by hypermail 2.2.0 : Wed Apr 03 2013 - 19:06:19 ART