Re: CCIE Sec/OT: Cisco ISE and windows sleep login problem

From: Charlie_CA <spycharlies_at_gmail.com>
Date: Thu, 14 Mar 2013 11:02:12 -0600

Sorry for not making myself clear enough... My deployment currently is
through a WLC (7.3.112.0) to ISE; no switch is involved. A brief summary of
my current setup...

The controllers are properly configured with the AAA allowed checked, NAC
State=Radius NAC, etc., as required.

The Authentication Policy for Wireless_802.1x is to allow default protocol
referencing the External Identity Source = Active Directory

For Authorization I have created 3 policies:

1. Rule Name=Machine, Condition=Machine, Permission=PermitAccess

the compound expression for Machines is defined as
Radius:Service-Type = Framed 'AND'
Radius:Nas-Port-Type=Wireless IEEE 802.11 'AND'
AD1:ExternalGroup=charlie.local/Users/Domain Computers

2. Rule Name=Users, Condition=Users, Permission=PermitAccess

the compound expression for machines is defined as
Radius:Service-Type = Framed 'AND'
Radius:Nas-Port-Type=Wireless IEEE 802.11 'AND'
AD1:ExternalGroup=charlie.local/Users/Domain Users 'AND'
Network Access:WasMachineAuthenticated=True 'AND'
Network Access:AuthenticationMethod=MSCHAPv2

3. Rule Name=AllOtherWireless, Condition=Wireless802.1x, Permission=Guest
The Authorization Profile result for Guest
Access Type=ACCESS_ACCEPT
VLAN=2 (FYI: VLAN 2 is for Internet only)
Airespace ACL Name = Guest (this ACL was defined on the WLC access list to permit Internet only)

Like I mentioned earlier, everything works fine except when the computer
goes to sleep. When it does, authenticated users and computers permanently
remain on the guest VLAN; I believe this is happening because when I log back
in from sleep mode, Windows does not send the username and password or
machine credentials. To re-authenticate, I have to completely log off.

Thanks

On Thu, Mar 14, 2013 at 9:53 AM, Brandon J Carroll <brandon.j.carroll_at_gmail.com> wrote:

> You might try changing the reauth period to something lower.
>
> dot1x timeout reauth-period XXXX
>
> This could also have something to do with WoL, or WoL may provide a
> workaround for you. A Port can be configured to allow only outbound
> frames to be transmitted in the pre-authenticated state. A WoL packet sent
> to a host in sleep/standby should cause it to wake to an operational state.
> If the client is configured to automatically authenticate when prompted,
> it can then authenticate to the switch port
>
>
> http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_8021x/configuration/15-2mt/sec-ieee-wake-lan-supp.html
>
> This could also be an issue with the IOS version you are running. I've
> seen a number of issues resolved by upgrading to a later IOS.
>
> I'm assuming that the client gets the proper VLAN *prior* to going into
> sleep mode and it's only after a wake that it gets stuck in the guest VLAN.
>
> Just a few ideas.
>
> Brandon
>
>
> On Mar 14, 2013, at 7:33 AM, Charlie_CA <spycharlies_at_gmail.com> wrote:
>
> Hi Experts,
>
> I have been playing with ISE over the last few days, and noticed a problem
> when windows goes to sleep...
>
> I have a few policies including
>
> 1.If a machine authenticates via Active Directory, it is granted full
> access
> 2.If a user authenticates via AD (with Machine already authenticated) =
> grants full access
> 3.All other 802.1x is granted partial access = Guest vlan
>
> The issue is when Windows goes to sleep, authenticated AD users and machines
> are put on the Guest VLAN; when I log back in, it still remains on the Guest VLAN.
> My temporary solution was to completely log off the computer and log back in
> so Windows can re-authenticate.
>
> If this was in production, it will be a mess getting everyone to log off
> and log back in. Have you witnessed this? How did you solve it?
>
> Thanks
>
> ~
>
> Charlie
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
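As an added illustration (not part of the thread, and not Cisco ISE code), the following Python model evaluates the three authorization rules Charlie lists above the way ISE does by default, top-down with first match winning, against constructed session attribute sets. The "Wireless802.1x" condition of rule 3 is assumed to be the built-in Wireless_802.1X condition (Service-Type=Framed AND NAS-Port-Type=Wireless IEEE 802.11); the attribute values after resume model Charlie's hypothesis that the post-sleep reauthentication carries no machine-authentication state. The `explain` helper shows which condition of the Users rule fails, which is the first thing to check in the ISE live log for the stuck session.

```python
"""Added example: first-match evaluator for the three ISE authorization rules
described in the thread, run against constructed session attribute sets to
show why a resumed session can fall through to the Guest result."""

RULES = [  # evaluated top-down, first match wins (ISE default behaviour)
    {
        "name": "Machine",
        "permission": "PermitAccess",
        "conditions": {
            "Radius:Service-Type": "Framed",
            "Radius:Nas-Port-Type": "Wireless IEEE 802.11",
            "AD1:ExternalGroup": "charlie.local/Users/Domain Computers",
        },
    },
    {
        "name": "Users",
        "permission": "PermitAccess",
        "conditions": {
            "Radius:Service-Type": "Framed",
            "Radius:Nas-Port-Type": "Wireless IEEE 802.11",
            "AD1:ExternalGroup": "charlie.local/Users/Domain Users",
            "Network Access:WasMachineAuthenticated": "True",
            "Network Access:AuthenticationMethod": "MSCHAPv2",
        },
    },
    {
        # Assumption: the built-in Wireless_802.1X condition is modelled as
        # Service-Type=Framed AND NAS-Port-Type=Wireless IEEE 802.11.
        "name": "AllOtherWireless",
        "permission": "Guest",  # VLAN 2 plus the "Guest" Airespace ACL on the WLC
        "conditions": {
            "Radius:Service-Type": "Framed",
            "Radius:Nas-Port-Type": "Wireless IEEE 802.11",
        },
    },
]


def missing_conditions(rule, session):
    """Return the condition names of `rule` that `session` does not satisfy."""
    return [k for k, v in rule["conditions"].items() if session.get(k) != v]


def authorize(session):
    """First-match authorization: returns (rule name, permission) or None."""
    for rule in RULES:
        if not missing_conditions(rule, session):
            return rule["name"], rule["permission"]
    return None


def explain(session):
    """Per-rule list of failed conditions, for troubleshooting a fall-through."""
    return {r["name"]: missing_conditions(r, session) for r in RULES}


# Constructed sessions for a wireless laptop in the charlie.local domain.
WIRELESS = {
    "Radius:Service-Type": "Framed",
    "Radius:Nas-Port-Type": "Wireless IEEE 802.11",
}
MACHINE_AUTH = {**WIRELESS,
                "AD1:ExternalGroup": "charlie.local/Users/Domain Computers"}
USER_AUTH_AFTER_MACHINE = {**WIRELESS,
                           "AD1:ExternalGroup": "charlie.local/Users/Domain Users",
                           "Network Access:WasMachineAuthenticated": "True",
                           "Network Access:AuthenticationMethod": "MSCHAPv2"}
# Charlie's hypothesis: after resume the reauthentication carries no
# machine-auth state, so the Users rule cannot match (constructed values).
USER_AUTH_AFTER_RESUME = {**WIRELESS,
                          "AD1:ExternalGroup": "charlie.local/Users/Domain Users",
                          "Network Access:AuthenticationMethod": "MSCHAPv2"}


def sleep_resume_walkthrough():
    """Authorization result for each stage of the boot / login / resume cycle."""
    return {
        "boot": authorize(MACHINE_AUTH),
        "login": authorize(USER_AUTH_AFTER_MACHINE),
        "resume": authorize(USER_AUTH_AFTER_RESUME),
    }


if __name__ == "__main__":
    for stage, result in sleep_resume_walkthrough().items():
        print(f"{stage:>7}: {result}")
    print("Users rule misses on resume:", explain(USER_AUTH_AFTER_RESUME)["Users"])
```

Running it prints Machine/PermitAccess at boot, Users/PermitAccess at login, and AllOtherWireless/Guest after resume, with the Users rule failing on exactly one condition, `Network Access:WasMachineAuthenticated`. Because every later reauthentication with the same attributes produces the same result, the session stays on the guest VLAN until something (a log-off, which triggers a fresh machine authentication) changes the attributes ISE sees.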

Received on Thu Mar 14 2013 - 11:02:12 ART

This archive was generated by hypermail 2.2.0 : Wed Apr 03 2013 - 19:06:19 ART