Security

Our biggest issue we are seeing with Clearpass currently is that when our users leave for the day and shut down their computer, when they come back in the morning its sporadically having issues where Dot1x auth just wont work. It will show in the auth sessions on the 3850 cisco sw that Dot1x failed and mab succeeded, for both the desktop and avaya ip phone. Does anyone have any ideas why Dot1x will not work after turning on a device ? If the user restarts their computer or I bounce the port the issue will be resolved, if they leave their computer on for the day, they won't have any connectivity issues. 

Hi,

is 802.1X correctly configured on the computer? You have to enable the wired autoconfiguration service on Windows for example.
For me this sounds like your client is not actively / regularly trying to authenticate or your cisco just does not care.
This behavior has normally nothing to do with ClearPass.

Best,
Adrian

Our biggest issue we are seeing with Clearpass currently is that when our users leave for the day and shut down their computer, when they come back in the morning its sporadically having issues where Dot1x auth just wont work. It will show in the auth sessions on the 3850 cisco sw that Dot1x failed and mab succeeded, for both the desktop and avaya ip phone. Does anyone have any ideas why Dot1x will not work after turning on a device ? If the user restarts their computer or I bounce the port the issue will be resolved, if they leave their computer on for the day, they won't have any connectivity issues. 

Our biggest issue we are seeing with Clearpass currently is that when our users leave for the day and shut down their computer, when they come back in the morning its sporadically having issues where Dot1x auth just wont work. It will show in the auth sessions on the 3850 cisco sw that Dot1x failed and mab succeeded, for both the desktop and avaya ip phone. Does anyone have any ideas why Dot1x will not work after turning on a device ? If the user restarts their computer or I bounce the port the issue will be resolved, if they leave their computer on for the day, they won't have any connectivity issues. 

The switch should request the EAP identity to start the EAP process. Maybe this is not triggered for some reason? If the computer has Wake-on-LAN enabled the network interface will still up. I to check would check the switch logs and capture the traffic between the computer and switch if the EAP process is initiated. Please also check the computer logs. For windows this is the wired-auto-config log.

Our biggest issue we are seeing with Clearpass currently is that when our users leave for the day and shut down their computer, when they come back in the morning its sporadically having issues where Dot1x auth just wont work. It will show in the auth sessions on the 3850 cisco sw that Dot1x failed and mab succeeded, for both the desktop and avaya ip phone. Does anyone have any ideas why Dot1x will not work after turning on a device ? If the user restarts their computer or I bounce the port the issue will be resolved, if they leave their computer on for the day, they won't have any connectivity issues. 

Would it help to post our service-policy? I just find it really odd that if it gets restarted it's fine. Even though it was powered off, I thought it would still do a request no matter what, not sure why it only does it after restarting or cycling the port. 

The switch should request the EAP identity to start the EAP process. Maybe this is not triggered for some reason? If the computer has Wake-on-LAN enabled the network interface will still up. I to check would check the switch logs and capture the traffic between the computer and switch if the EAP process is initiated. Please also check the computer logs. For windows this is the wired-auto-config log.

Our biggest issue we are seeing with Clearpass currently is that when our users leave for the day and shut down their computer, when they come back in the morning its sporadically having issues where Dot1x auth just wont work. It will show in the auth sessions on the 3850 cisco sw that Dot1x failed and mab succeeded, for both the desktop and avaya ip phone. Does anyone have any ideas why Dot1x will not work after turning on a device ? If the user restarts their computer or I bounce the port the issue will be resolved, if they leave their computer on for the day, they won't have any connectivity issues. 

Check the windows event logs (specifically the wired-auto-config logs) to see if an auth request is triggered. 

Would it help to post our service-policy? I just find it really odd that if it gets restarted it's fine. Even though it was powered off, I thought it would still do a request no matter what, not sure why it only does it after restarting or cycling the port. 

The switch should request the EAP identity to start the EAP process. Maybe this is not triggered for some reason? If the computer has Wake-on-LAN enabled the network interface will still up. I to check would check the switch logs and capture the traffic between the computer and switch if the EAP process is initiated. Please also check the computer logs. For windows this is the wired-auto-config log.

Our biggest issue we are seeing with Clearpass currently is that when our users leave for the day and shut down their computer, when they come back in the morning its sporadically having issues where Dot1x auth just wont work. It will show in the auth sessions on the 3850 cisco sw that Dot1x failed and mab succeeded, for both the desktop and avaya ip phone. Does anyone have any ideas why Dot1x will not work after turning on a device ? If the user restarts their computer or I bounce the port the issue will be resolved, if they leave their computer on for the day, they won't have any connectivity issues.