01-05-2024 08:51 AM
I am currently working on deploying a NAC appliance for a customer and I am puzzled by this occurrence. We have disabled .1x authentication globally on phones for this customer, and have configured the switches to make mac auth take precedence over .1x auth; however, there are two phones that still seem to be attempting .1x authentication. The most confusing aspect of this is they maintain a rejected state when looking at end systems, but looking at the detailed authentication logs, it appears a successful mac authentication has occurred. I have attached a screen shot of the issue for clarity.
Does anyone have any insight as to why these will not move to an accepted state when looking at end systems?
Thank you
Solved! Go to Solution.
01-07-2024 08:58 AM
I would suggest starting a case with GTAC.
XIQ-SE should not be displaying a rejected 802.1x state if an underlying successful MAC authentication has occurred.
Thanks
-Ryan
01-07-2024 08:58 AM
I would suggest starting a case with GTAC.
XIQ-SE should not be displaying a rejected 802.1x state if an underlying successful MAC authentication has occurred.
Thanks
-Ryan
01-05-2024 08:59 AM - edited 01-05-2024 09:00 AM
Hi Joshua,
I can't really help you, I can just confirm that I saw this issue multiple times (but very rarely) in all kind of scenarios and version of XIQ-SE / Control. Never had the time to dig deeper into it or open a Case. Did you try to reload the distributed end-system cache?
01-05-2024 09:23 AM
Thanks for your reply Stefan. It is interesting to know that this is a problem for others as well. It is a very isolated incident (2 devices out of >2000), but I would still like to better understand it.
I have not attempted reloading the distributed end system cache, but will try it later today when the customer is not in production hours. I appreciate the suggestion.
01-10-2024 02:01 PM
Hi @Joshua_DeltaNS ,
did you already raise a case as suggested by @Ryan_Yacobucci
I have it the other way round for one client at the moment: It's displayed as accepted in the End-System list, all information are up to date and look good. Last seen 10/01/2024 22:51, looks like correct 802.1x (EAP-TLS) auth, shows a username, client IP etc.
When I take a look at the End-System Events I see that the client has been rejected since yesterday.
The important thing: On the switch the client is getting rejected, so the End-System Events are correct and the "main" entry in the End-System table is faulty.
Unfortunately I'm only able to raise a case on friday. Hope that problem is still present then. Or I have to find another affected client...
Best regards
Stefan