Upon research, it seems like EAP chaining is meant to alleviate this issue.
On Tue, Mar 19, 2013 at 8:37 PM, Charlie_CA <spycharlies_at_gmail.com> wrote:
> Hey guys, just an update...the Windows hotfix didn't seem to fix the sleep
> issue. I went as far as configuring the NIC to remain up when Windows goes
> to sleep, but nope! Still not working.
>
> Looking at the Authentication results, this is happening because "ISE has
> not been able to confirm previous successful machine authentication for
> user in Active Directory"
>
> My authorization rule is to only permit users whose machine was previously
> authenticated.
>
> So basically, machine authentication only happens during initial login;
> once the machine goes to sleep, it doesn't respond to the ISE request. There's got to
> be a fix for this...
>
> Thanks
>
>
> On Fri, Mar 15, 2013 at 2:20 PM, Charlie_CA <spycharlies_at_gmail.com> wrote:
>
>> This hotfix is supposed to be for "connecting through another 802.1x device",
>> but since I'm connecting through a WAP and WLC, maybe this might help..let me
>> give it a shot.
>>
>> Also someone suggested in the wireless adapter settings "do not allow
>> the computer to turn off the adapter for power management"..if this hotfix
>> doesn't work, I'll try this.
>>
>> I'll keep y'all posted.
>>
>> Cheers
>>
>> On Fri, Mar 15, 2013 at 2:05 PM, Charlie_CA <spycharlies_at_gmail.com> wrote:
>>
>>> I believe Windows is the culprit...I am running Windows 7 SP1; I
>>> recently saw a hotfix on Microsoft's website that may address this problem.
>>> I'll see if that works.
>>> http://support.microsoft.com/kb/976373
>>>
>>> When I force it to sleep and it resumes, it seems to send the username and
>>> authenticate correctly....My plan now is to replicate the same issue by
>>> leaving it to sleep overnight; with this hotfix, let's see what happens.
>>>
>>> I'll keep you guys posted.
>>>
>>> Thanks for your help.
>>>
>>> C.
>>>
>>>
>>> On Fri, Mar 15, 2013 at 12:32 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
>>>
>>>> So I suspect the issue is with the PC.
>>>>
>>>> When it resumes from sleep, it is not triggering authentication. What
>>>> version of Windows are you testing with? Does it send out an authentication
>>>> request after resuming? This is your culprit I highly suspect. Let us know
>>>> how you get on.
>>>>
>>>> HTH,
>>>> Sadiq
>>>>
>>>>
>>>> On Thu, Mar 14, 2013 at 5:02 PM, Charlie_CA <spycharlies_at_gmail.com> wrote:
>>>>
>>>>> Sorry for not making myself clear enough...My deployment currently is
>>>>> through a WLC (7.3.112.0) to ISE, no switch is involved. A brief summary of
>>>>> my current setup...
>>>>>
>>>>> The controllers are properly configured with the AAA allowed checked,
>>>>> NAC State=Radius NAC etc..as required.
>>>>>
>>>>> The Authentication Policy for Wireless_802.1x is to allow default
>>>>> protocol referencing the External Identity Source = Active Directory
>>>>>
>>>>> For Authorization I have created 3 policies..
>>>>>
>>>>> 1. Rule Name=Machine, Condition=Machine, Permission=PermitAccess
>>>>>
>>>>> the compound expression for Machines is defined as
>>>>> Radius:Service-Type = Framed 'AND'
>>>>> Radius:Nas-Port-Type=Wireless IEEE 802.11 'AND'
>>>>> AD1:ExternalGroup=charlie.local/Users/Domain Computers
>>>>>
>>>>> 2. Rule Name=Users, Condition=Users, Permission=PermitAccess
>>>>>
>>>>> the compound expression for machines is defined as
>>>>> Radius:Service-Type = Framed 'AND'
>>>>> Radius:Nas-Port-Type=Wireless IEEE 802.11 'AND'
>>>>> AD1:ExternalGroup=charlie.local/Users/Domain Users
>>>>> Network Access:WasMachineAuthenticated=True
>>>>> Network Access:AuthenticationMethod=MSCHAPv2
>>>>>
>>>>> 3. Rule Name=AllOtherWireless, Condition=Wireless802.1x,
>>>>> Permission=Guest
>>>>> The Authorization Profile result for Guest
>>>>> Access Type=ACCESS_ACCEPT
>>>>> VLAN=2 ( fyi: VLAN 2 is for internet Only)
>>>>> Airespace ACL Name = Guest (this ACL was defined on the WLC access
>>>>> list to permit Internet only)
>>>>>
>>>>> Like I mentioned earlier, everything works fine except when the
>>>>> computer goes to sleep; when it does, authenticated Users and Computer
>>>>> permanently remain on the guest VLAN. I believe this is happening because when
>>>>> I log back in from sleep mode, Windows does not send the username
>>>>> and password or machine credentials. To re-authenticate, I have to
>>>>> completely log off.
>>>>>
>>>>> Thanks
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Thu, Mar 14, 2013 at 9:53 AM, Brandon J Carroll <
>>>>> brandon.j.carroll_at_gmail.com> wrote:
>>>>>
>>>>>> You might try changing the reauth period to something lower.
>>>>>>
>>>>>> dot1x timeout reauth-period XXXX
>>>>>>
>>>>>> This could also have something to do with WoL, or WoL may provide a
>>>>>> workaround for you. A Port can be configured to allow only outbound
>>>>>> frames to be transmitted in the pre-authenticated state. A WoL packet sent
>>>>>> to a host in sleep/standby should cause it to wake to an operational state.
>>>>>> If the client is configured to automatically authenticate when
>>>>>> prompted, it can then authenticate to the switch port
>>>>>>
>>>>>>
>>>>>> http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_8021x/configuration/15-2mt/sec-ieee-wake-lan-supp.html
>>>>>>
>>>>>> This could also be an issue with the IOS version you are running.
>>>>>> I've seen a number of issues resolved by upgrading to a later IOS.
>>>>>>
>>>>>> I'm assuming that the client gets the proper VLAN *prior* to going
>>>>>> into sleep mode and it's only after a wake that it gets stuck in the guest
>>>>>> VLAN.
>>>>>>
>>>>>> Just a few ideas.
>>>>>>
>>>>>> Brandon
>>>>>>
>>>>>>
>>>>>> On Mar 14, 2013, at 7:33 AM, Charlie_CA <spycharlies_at_gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>> Hi Experts,
>>>>>>
>>>>>> I have been playing with ISE over the last few days, and noticed a
>>>>>> problem when Windows goes to sleep...
>>>>>>
>>>>>> I have a few policies including
>>>>>>
>>>>>> 1. If a machine authenticates via Active Directory, it is granted full
>>>>>> access
>>>>>> 2. If a user authenticates via AD (with Machine already authenticated) =
>>>>>> grants full access
>>>>>> 3. All other 802.1x is granted partial access = Guest vlan
>>>>>>
>>>>>> The issue is when Windows goes to sleep, authenticated AD users and
>>>>>> machine are put on the Guest vlan; when I log back in, it still remains on the Guest
>>>>>> VLAN.
>>>>>> My temporary solution was to completely log off the computer and log
>>>>>> back in so Windows can re-authenticate.
>>>>>>
>>>>>> If this was in production, it will be a mess getting everyone to log
>>>>>> off and log back in. Have you witnessed this? How did you solve it?
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> ~
>>>>>>
>>>>>> Charlie
>>>>>>
>>>>>>
>>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>>
>>>>>>
>>>>>> _______________________________________________________________________
>>>>>> Subscription information may be found at:
>>>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>
>>>> --
>>>> CCIEx2 (R&S|Sec) #19963
Blogs and organic groups at http://www.ccie.net
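The authorization policy described in this thread, as an added simulation that is not ISE code and was not posted by any participant: the three first-match rules with the conditions quoted above, a machine-authentication cache keyed by client MAC that ages out, and a flag standing in for a successful EAP-chaining result (machine and user proven in one EAP session). The aging time, the MAC address, the `eap_chaining_both_ok` flag and the idea of making the Users rule accept a chained result are constructed assumptions; the cache time-out is only one way to model the "has not been able to confirm previous successful machine authentication" failure, but it reproduces what the thread observes (a short sleep re-authenticates fine, an overnight one lands on Guest) and shows why a rule that can accept a chained result no longer depends on that cache.

```python
"""Simulated first-match authorization for the wireless 802.1X policy in this thread.

Illustrative model only: three rules evaluated top-down, a machine-auth cache
keyed by client MAC with an aging time, and an optional EAP-chaining result
carried inside a single user authentication.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

DOMAIN_COMPUTERS = "charlie.local/Users/Domain Computers"
DOMAIN_USERS = "charlie.local/Users/Domain Users"


@dataclass
class AuthRequest:
    """Attributes ISE evaluates for one authentication, named after the thread's conditions."""
    calling_station_id: str                      # client MAC; key for the machine-auth cache
    service_type: str = "Framed"                 # Radius:Service-Type
    nas_port_type: str = "Wireless IEEE 802.11"  # Radius:Nas-Port-Type
    external_groups: frozenset = frozenset()     # AD1:ExternalGroup memberships
    auth_method: str = "MSCHAPv2"                # Network Access:AuthenticationMethod
    eap_chaining_both_ok: bool = False           # constructed: machine AND user proven in one EAP session


class MachineAuthCache:
    """Models Network Access:WasMachineAuthenticated: remembered per MAC, aged out after ttl."""

    def __init__(self, ttl_seconds: int) -> None:
        self.ttl = ttl_seconds
        self._seen: Dict[str, float] = {}

    def record(self, mac: str, now: float) -> None:
        self._seen[mac] = now

    def was_machine_authenticated(self, mac: str, now: float) -> bool:
        seen_at = self._seen.get(mac)
        return seen_at is not None and now - seen_at <= self.ttl


def wireless_dot1x(req: AuthRequest) -> bool:
    """Shared part of every rule: Service-Type = Framed AND NAS-Port-Type = Wireless."""
    return req.service_type == "Framed" and req.nas_port_type == "Wireless IEEE 802.11"


# (rule name, condition(request, was_machine_authenticated), permission), top-down order.
Rule = Tuple[str, Callable[[AuthRequest, bool], bool], str]
RULES: List[Rule] = [
    ("Machine",
     lambda r, mar: wireless_dot1x(r) and DOMAIN_COMPUTERS in r.external_groups,
     "PermitAccess"),
    ("Users",
     lambda r, mar: wireless_dot1x(r) and DOMAIN_USERS in r.external_groups
     and r.auth_method == "MSCHAPv2"
     and (mar or r.eap_chaining_both_ok),   # constructed: accept a chained result too
     "PermitAccess"),
    ("AllOtherWireless",
     lambda r, mar: wireless_dot1x(r),
     "Guest"),
]


def authorize(req: AuthRequest, cache: MachineAuthCache, now: float) -> Tuple[str, str]:
    """First matching rule wins; a successful Machine match refreshes the cache."""
    mar = cache.was_machine_authenticated(req.calling_station_id, now)
    for name, condition, permission in RULES:
        if condition(req, mar):
            if name == "Machine":
                cache.record(req.calling_station_id, now)
            return name, permission
    return "Default", "DenyAccess"


def sleep_resume_scenario(ttl_seconds: int = 5 * 3600, sleep_seconds: int = 10 * 3600,
                          eap_chaining: bool = False) -> List[Tuple[str, str, str]]:
    """Replays the thread: boot (machine auth), user logon, sleep, user-only re-auth on resume.

    ttl_seconds and sleep_seconds are constructed values, not figures from the thread.
    """
    cache = MachineAuthCache(ttl_seconds)
    mac = "00-11-22-33-44-55"  # constructed client MAC
    machine = AuthRequest(mac, external_groups=frozenset({DOMAIN_COMPUTERS}))
    user = AuthRequest(mac, external_groups=frozenset({DOMAIN_USERS}),
                       eap_chaining_both_ok=eap_chaining)
    t0 = 0.0
    steps = [("boot machine auth",) + authorize(machine, cache, t0),
             ("user logon",) + authorize(user, cache, t0 + 60)]
    # After resume Windows sends only the user credentials; no fresh machine auth occurs.
    steps.append(("after sleep",) + authorize(user, cache, t0 + 60 + sleep_seconds))
    return steps


if __name__ == "__main__":
    for label, chaining in (("WasMachineAuthenticated only", False), ("with EAP chaining", True)):
        print(label)
        for step, rule, permission in sleep_resume_scenario(eap_chaining=chaining):
            print(f"  {step:18} -> {rule:17} {permission}")
```

Run it and the first scenario ends on `AllOtherWireless / Guest` for the post-sleep step while the second ends on `Users / PermitAccess`; shortening `sleep_seconds` below the aging time also keeps the client on the Users rule, matching the forced-sleep test reported earlier in the thread.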
Received on Tue Mar 19 2013 - 23:03:09 ART
This archive was generated by hypermail 2.2.0 : Wed Apr 03 2013 - 19:06:19 ART