Re: CCIE Sec/OT: Cisco ISE and windows sleep login problem

From: Sadiq Yakasai <sadiqtanko_at_gmail.com>
Date: Fri, 15 Mar 2013 18:32:36 +0000

So I suspect the issue is with the PC.

When it resumes from sleep, it is not triggering authentication. What
version of Windows are you testing with? Does it send out an authentication
request after resuming? This is your culprit I highly suspect. Let us know
how you get on.

HTH,
Sadiq

On Thu, Mar 14, 2013 at 5:02 PM, Charlie_CA <spycharlies_at_gmail.com> wrote:

> Sorry for not making myself clear enough... My deployment currently is
> through a WLC (7.3.112.0) to ISE, no switch is involved. A brief summary of
> my current setup...
>
> The controllers are properly configured with the AAA allowed checked, NAC
> State=Radius NAC etc. as required.
>
> The Authentication Policy for Wireless_802.1x is to allow default protocol
> referencing the External Identity Source = Active Directory
>
> For Authorization I have created 3 policies..
>
> 1. Rule Name=Machine, Condition=Machine, Permission=PermitAccess
>
> the compound expression for Machines is defined as
> Radius:Service-Type = Framed 'AND'
> Radius:Nas-Port-Type=Wireless IEEE 802.11 'AND'
> AD1:ExternalGroup=charlie.local/Users/Domain Computers
>
> 2. Rule Name=Users, Condition=Users, Permission=PermitAccess
>
> the compound expression for machines is defined as
> Radius:Service-Type = Framed 'AND'
> Radius:Nas-Port-Type=Wireless IEEE 802.11 'AND'
> AD1:ExternalGroup=charlie.local/Users/Domain Users
> Network Access:WasMachineAuthenticated=True
> Network Access:AuthenticationMethod=MSCHAPv2
>
> 3. Rule Name=AllOtherWireless, Condition=Wireless802.1x, Permission=Guest
> The Authorization Profile result for Guest
> Access Type=ACCESS_ACCEPT
> VLAN=2 (FYI: VLAN 2 is for Internet only)
> Airespace ACL Name = Guest (this ACL was defined on the WLC access list to
> permit Internet only)
>
> Like I mentioned earlier, everything works fine except when the computer
> goes to sleep; when it does, authenticated users and computer permanently
> remain on the guest VLAN. I believe this is happening because when I log back
> in from sleep mode, Windows does not send the username and password or
> machine credentials. To re-authenticate, I have to completely log off.
>
> Thanks
>
> On Thu, Mar 14, 2013 at 9:53 AM, Brandon J Carroll <
> brandon.j.carroll_at_gmail.com> wrote:
>
>> You might try changing the reauth period to something lower.
>>
>> dot1x timeout reauth-period XXXX
>>
>> This could also have something to do with WoL, or WoL may provide a
>> workaround for you. A port can be configured to allow only outbound
>> frames to be transmitted in the pre-authenticated state. A WoL packet sent
>> to a host in sleep/standby should cause it to wake to an operational state.
>> If the client is configured to automatically authenticate when
>> prompted, it can then authenticate to the switch port.
>>
>> http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_8021x/configuration/15-2mt/sec-ieee-wake-lan-supp.html
>>
>> This could also be an issue with the IOS version you are running. I've
>> seen a number of issues resolved by upgrading to a later IOS.
>>
>> I'm assuming that the client gets the proper VLAN *prior* to going into
>> sleep mode and it's only after a wake that it gets stuck in the guest VLAN.
>>
>> Just a few ideas.
>>
>> Brandon
>>
>> On Mar 14, 2013, at 7:33 AM, Charlie_CA <spycharlies_at_gmail.com> wrote:
>>
>> Hi Experts,
>>
>> I have been playing with ISE over the last few days, and noticed a problem
>> when Windows goes to sleep...
>>
>> I have a few policies including
>>
>> 1. If a machine authenticates via Active Directory, it is granted full
>> access
>> 2. If a user authenticates via AD (with Machine already authenticated) =
>> grants full access
>> 3. All other 802.1x is granted partial access = Guest VLAN
>>
>> The issue is when Windows goes to sleep, authenticated AD users and machine
>> are put on the Guest VLAN; when I log back in, it still remains on the Guest
>> VLAN. My temporary solution was to completely log off the computer and log
>> back in so Windows can re-authenticate.
>>
>> If this was in production, it will be a mess getting everyone to log off
>> and log back in. Have you witnessed this? How did you solve it?
>>
>> Thanks
>>
>> ~
>>
>> Charlie
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>

-- 
CCIEx2 (R&S|Sec) #19963
Received on Fri Mar 15 2013 - 18:32:36 ART
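An added example, not from the thread or from Cisco: a small Python model of the first-match authorization policy Charlie describes, showing which rule a request lands in and flagging endpoints whose latest authorization dropped from PermitAccess to Guest (the symptom reported after sleep). The rule contents follow the post; the DenyAccess fallback, the constructed MAC addresses and modelling the Wireless802.1x condition as the NAS port type are assumptions.

```python
# Added example: first-match evaluation of the three authorization rules
# from the thread. A rule matches when every listed attribute equals the
# request value (compound AND); rules are tried top to bottom.
RULES = [
    ("Machine", {
        "Radius:Service-Type": "Framed",
        "Radius:Nas-Port-Type": "Wireless IEEE 802.11",
        "AD1:ExternalGroup": "charlie.local/Users/Domain Computers",
    }, "PermitAccess"),
    ("Users", {
        "Radius:Service-Type": "Framed",
        "Radius:Nas-Port-Type": "Wireless IEEE 802.11",
        "AD1:ExternalGroup": "charlie.local/Users/Domain Users",
        "Network Access:WasMachineAuthenticated": "True",
        "Network Access:AuthenticationMethod": "MSCHAPv2",
    }, "PermitAccess"),
    # Assumption: the Wireless802.1x condition is modelled as the port type only.
    ("AllOtherWireless", {"Radius:Nas-Port-Type": "Wireless IEEE 802.11"}, "Guest"),
]


def authorize(attrs):
    """Return (matched rule name, permission) for one request's attributes.
    Falls back to (None, "DenyAccess") when no rule matches (assumed default)."""
    for name, condition, permission in RULES:
        if all(attrs.get(key) == value for key, value in condition.items()):
            return name, permission
    return None, "DenyAccess"


def stuck_in_guest(history):
    """history: (endpoint MAC, permission) pairs in time order.
    Return MACs whose most recent result is Guest after an earlier PermitAccess,
    i.e. endpoints that were fully authorized and later fell back to Guest."""
    latest, had_full_access = {}, set()
    for mac, permission in history:
        if permission == "PermitAccess":
            had_full_access.add(mac)
        latest[mac] = permission
    return sorted(m for m, p in latest.items() if p == "Guest" and m in had_full_access)


if __name__ == "__main__":
    # Constructed request: user logon with machine-auth state present vs. absent.
    user = {"Radius:Service-Type": "Framed",
            "Radius:Nas-Port-Type": "Wireless IEEE 802.11",
            "AD1:ExternalGroup": "charlie.local/Users/Domain Users",
            "Network Access:WasMachineAuthenticated": "True",
            "Network Access:AuthenticationMethod": "MSCHAPv2"}
    print(authorize(user))
    print(authorize(dict(user, **{"Network Access:WasMachineAuthenticated": "False"})))
    print(stuck_in_guest([("00:11:22:aa:bb:cc", "PermitAccess"),
                          ("00:11:22:aa:bb:cc", "Guest")]))
```

Because the Users rule requires WasMachineAuthenticated=True, a user logon that ISE cannot pair with a machine authentication drops straight to the AllOtherWireless rule, which is the Guest outcome the thread describes.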
