I believe Windows is the culprit... I am running Windows 7 SP1; I recently
saw a hotfix on Microsoft's website that may address this problem. I'll see
if that works.
http://support.microsoft.com/kb/976373
When I force it to sleep and it resumes, it seems to send username and
authenticates correctly... My plan now is to replicate the same issue by
leaving it to sleep overnight; with this hotfix, let's see what happens.
I'll keep you guys posted.
Thanks for your help.
C.
On Fri, Mar 15, 2013 at 12:32 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
> So I suspect the issue is with the PC.
>
> When it resumes from sleep, it is not triggering authentication. What
> version of Windows are you testing with? Does it send out an authentication
> request after resuming? This is your culprit I highly suspect. Let us know
> how you get on.
>
> HTH,
> Sadiq
>
>
> On Thu, Mar 14, 2013 at 5:02 PM, Charlie_CA <spycharlies_at_gmail.com> wrote:
>
>> Sorry for not making myself clear enough... My deployment currently is
>> through a WLC (7.3.112.0) to ISE; no switch is involved. A brief summary of
>> my current setup...
>>
>> The controllers are properly configured with the AAA allowed checked, NAC
>> State=Radius NAC, etc., as required.
>>
>> The Authentication Policy for Wireless_802.1x is to allow default
>> protocol referencing the External Identity Source = Active Directory
>>
>> For Authorization I have created 3 policies:
>>
>> 1. Rule Name=Machine, Condition=Machine, Permission=PermitAccess
>>
>> the compound expression for Machines is defined as
>> Radius:Service-Type = Framed 'AND'
>> Radius:Nas-Port-Type=Wireless IEEE 802.11 'AND'
>> AD1:ExternalGroup=charlie.local/Users/Domain Computers
>>
>> 2. Rule Name=Users, Condition=Users, Permission=PermitAccess
>>
>> the compound expression for machines is defined as
>> Radius:Service-Type = Framed 'AND'
>> Radius:Nas-Port-Type=Wireless IEEE 802.11 'AND'
>> AD1:ExternalGroup=charlie.local/Users/Domain Users
>> Network Access:WasMachineAuthenticated=True
>> Network Access:AuthenticationMethod=MSCHAPv2
>>
>> 3. Rule Name=AllOtherWireless, Condition=Wireless802.1x, Permission=Guest
>> The Authorization Profile result for Guest
>> Access Type=ACCESS_ACCEPT
>> VLAN=2 (FYI: VLAN 2 is for Internet only)
>> Airespace ACL Name = Guest (this ACL was defined on the WLC access list
>> to permit Internet only)
>>
>> Like I mentioned earlier, everything works fine except when the computer
>> goes to sleep. When it does, authenticated users and computers permanently
>> remain on the guest VLAN; I believe this is happening because when I log back
>> in from sleep mode, Windows does not send the username and password or
>> machine credentials. To re-authenticate, I have to completely log off.
>>
>> Thanks
>>
>>
>>
>>
>> On Thu, Mar 14, 2013 at 9:53 AM, Brandon J Carroll <
>> brandon.j.carroll_at_gmail.com> wrote:
>>
>>> You might try changing the reauth period to something lower.
>>>
>>> dot1x timeout reauth-period XXXX
>>>
>>> This could also have something to do with WoL, or WoL may provide a
>>> workaround for you. A port can be configured to allow only outbound
>>> frames to be transmitted in the pre-authenticated state. A WoL packet sent
>>> to a host in sleep/standby should cause it to wake to an operational state.
>>> If the client is configured to automatically authenticate when
>>> prompted, it can then authenticate to the switch port.
>>>
>>>
>>> http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_8021x/configuration/15-2mt/sec-ieee-wake-lan-supp.html
>>>
>>> This could also be an issue with the IOS version you are running. I've
>>> seen a number of issues resolved by upgrading to a later IOS.
>>>
>>> I'm assuming that the client gets the proper VLAN *prior* to going into
>>> sleep mode and it's only after a wake that it gets stuck in the guest VLAN.
>>>
>>> Just a few ideas.
>>>
>>> Brandon
>>>
>>>
>>> On Mar 14, 2013, at 7:33 AM, Charlie_CA <spycharlies_at_gmail.com> wrote:
>>>
>>> Hi Experts,
>>>
>>> I have been playing with ISE over the last few days, and noticed a
>>> problem when Windows goes to sleep...
>>>
>>> I have a few policies including
>>>
>>> 1. If a machine authenticates via Active Directory, it is granted full
>>>    access
>>> 2. If a user authenticates via AD (with Machine already authenticated) =
>>>    grants full access
>>> 3. All other 802.1x is granted partial access = Guest VLAN
>>>
>>> The issue is when Windows goes to sleep, authenticated AD users and
>>> machines are put on the Guest VLAN; when I log back in, it still remains
>>> on the Guest VLAN. My temporary solution was to completely log off the
>>> computer and log back in so Windows can re-authenticate.
>>>
>>> If this was in production, it will be a mess getting everyone to log off
>>> and log back in. Have you witnessed this? How did you solve it?
>>>
>>> Thanks
>>>
>>> ~
>>>
>>> Charlie
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>>
>>
>
>
> --
> CCIEx2 (R&S|Sec) #19963
Received on Fri Mar 15 2013 - 14:05:34 ART
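
The three authorization rules quoted in the thread, modelled as a first-match policy so you can see which rule a given session lands on and which condition of the Users rule rejected it. This is an added example, not part of the thread or of ISE itself: the attribute strings are copied from the post, while top-down first-match evaluation, the AND between all Users conditions, the content of the Wireless802.1x condition and the three sample sessions are assumptions.

```python
# Added illustration, not from the thread: first-match evaluation of the three
# authorization rules Charlie lists. Attribute strings are copied from the post;
# the evaluation model and the sample sessions are constructed assumptions.
WIRELESS = {"Radius:Service-Type": "Framed",
            "Radius:Nas-Port-Type": "Wireless IEEE 802.11"}
RULES = [
    ("Machine", {**WIRELESS,
                 "AD1:ExternalGroup": "charlie.local/Users/Domain Computers"},
     "PermitAccess"),
    ("Users", {**WIRELESS,
               "AD1:ExternalGroup": "charlie.local/Users/Domain Users",
               "Network Access:WasMachineAuthenticated": True,
               "Network Access:AuthenticationMethod": "MSCHAPv2"},
     "PermitAccess"),
    # Assumption: the Wireless802.1x condition is the two RADIUS checks only.
    ("AllOtherWireless", dict(WIRELESS), "Guest"),
]

def failed_conditions(conditions, session):
    """Return the attributes of one rule that the session does not satisfy."""
    failed = []
    for attr, wanted in conditions.items():
        have = session.get(attr)
        ok = wanted in have if isinstance(have, (set, frozenset)) else have == wanted
        if not ok:
            failed.append(attr)
    return failed

def authorize(session):
    """Walk the rules top-down; the first rule with no failed condition wins."""
    trace = {}
    for name, conditions, result in RULES:
        trace[name] = failed_conditions(conditions, session)
        if not trace[name]:
            return name, result, trace
    return None, None, trace  # no rule matched (default rule not modelled)

def session(groups, machine_authenticated):
    """Build a constructed wireless 802.1X session for the examples below."""
    return {**WIRELESS, "AD1:ExternalGroup": set(groups),
            "Network Access:WasMachineAuthenticated": machine_authenticated,
            "Network Access:AuthenticationMethod": "MSCHAPv2"}

MACHINE = session({"charlie.local/Users/Domain Computers"}, False)
USER_OK = session({"charlie.local/Users/Domain Users"}, True)
USER_NO_MACHINE = session({"charlie.local/Users/Domain Users"}, False)

if __name__ == "__main__":
    for label, s in [("machine", MACHINE), ("user", USER_OK),
                     ("user, no machine auth on record", USER_NO_MACHINE)]:
        name, result, trace = authorize(s)
        print(f"{label}: rule={name} result={result} users_failed={trace.get('Users')}")
```

Comparing the failed-condition trace with the attributes shown for the same session in the ISE authentication log tells you whether a client on the Guest VLAN authenticated at all after resume or authenticated and was rejected by the Users rule.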