Ethernet Switching

EX4200 DOT1x and Cisco ISE

‎09-12-2017 06:05 AM

Hi

 

The issue I’m experiencing is with DOT1x: specifically, CERT authentications are failing, and the endpoint will then fail over to MAC authentication.

Some endpoints are working, but we do have a lot of failures.

I am using Juniper EX4200 version 12.3R6.6
I am using Cisco ISE (version 2.1 patch 3) as my RADIUS server
Clients are Windows, primarily 7 and 10
I am using certificates (EAP TLS) as my AUTH method
My fail back method is MAB

My config is as follows, in case anyone can see any immediate issues:
    dot1x {
        traceoptions {
            file dot1x;
            flag state;
            flag dot1x-debug;
            flag eapol;
        }
        authenticator {
            authentication-profile-name ISE;
            no-mac-table-binding;
            interface {
                ISE {
                    supplicant multiple;
                    retries 3;
                    quiet-period 15;
                    transmit-period 30;
                    mac-radius;
                    reauthentication 14400;
                    supplicant-timeout 30;
                    server-timeout 30;
                    maximum-requests 3;
                    server-fail use-cache;


    access {
        radius-server {
                  }
        }
        profile ISE {
            authentication-order radius;
            radius {
                authentication-server [ x.x.x.x x.x.x.x ];
                accounting-server [ x.x.x.x x.x.x.x ];
            }
            accounting {
                order radius;
                accounting-stop-on-failure;
                accounting-stop-on-access-deny;
                immediate-update;
                coa-immediate-update;
 
Regards
Simon