nabz0r (Veteran), posted November 22, 2017

A customer of ours wants to implement dot1x and wants to do it with NPS (I've never worked with NPS nor MS products so I tried to make them buy ISE instead but that didn't go well...). Anyway, I have some questions and I was wondering if anyone has implemented dot1x with NPS? I have run it in my lab and everything seems to be working fine, but I want to discuss it with someone who has done this.

Link to comment: https://www.neowin.net/forum/topic/1348962-ms-nps-dot1x-and-cisco-switches/

+BudMan (MVC), posted November 22, 2017

I do believe sc302 has some experience with this.. Never use NPS, always use freerad or ACS/ISE...

What exactly are they wanting to accomplish with dot1x? What problem are they looking to solve or what scenario are they trying to prevent? They are wanting to deploy NAP/NAC?

ISE would be the way to go in most scenarios wanting to control access to their network - which is really the whole point of 802.1x.

If their issue is the cost of ISE, why not look at https://packetfence.org/

Love to point you in the right direction to actually solve the issue at hand vs just talking about NPS as one piece in a larger puzzle.

nabz0r (Veteran, Author), posted November 22, 2017

There is no problem atm, they just want to prevent and have more control. ISE is my choice as well, but for now they want to use NPS. I actually have never heard of packetfence before, though I will download it and do some labs with it.

As I said, I don't have any issue to solve, just want to discuss and see how other people have implemented wired dot1x. Wireless was already deployed before I started (one week ago).

To get to the point, I was wondering how you would deploy MAB, domain-joined PC vs non-domain-joined PC.

nabz0r (Veteran, Author), posted November 24, 2017

Ok, now I have a scenario that might be interesting. I want to redirect non-domain-joined PCs for their initial web access to the captive portal page and then after authentication get internet access via guest VLAN.

- If PC is known, then allow access
- If PC is unknown, then assign it to guest VLAN

@BudMan and @sc302, is this possible in any way with NPS, Cisco switch, or packetfence? This is only for wired, as the wireless is working fine with Meraki.

+BudMan (MVC), posted November 24, 2017

This is a typical NAP/NAC setup.. unknown devices get put into an isolated vlan.. Once they auth then they get put into the correct vlan..

What I would suggest if customers balk at the price of ISE... Then look into packetfence - it's FREE

You could for sure do it with just plain 802.1x setup on the client, etc. But why not give yourself all the bells and whistles of something like packetfence.. What is going to run your captive portal if you just use NPS?

nabz0r (Veteran, Author), posted November 24, 2017

Yes, this is a NAP/NAC deployment. In my lab, PCs that are non-domain joined are put into another VLAN, and this I could achieve with NPS. My question is: can I redirect a PC that is not in the domain to a web page to get guest access after they accept the policy and provide name, etc?

The price is not the problem for them; the decision would have to come from higher up, so that is the main reason. I looked at packetfence, can I achieve this with it?

I don't have a captive portal with NPS for wired, and I don't even know if I can do it with NPS.

sc302 (Veteran), posted November 24, 2017

Well, the web filter could have a portal for users to sign in with and then gain access once auth'd there. Not sure why you would bring NPS into the mix for web access. Barracuda has an authorized side and a non-authorized one. I would think you can enable a portal for the non-authorized side. Esp. if you enable proxy.

nabz0r (Veteran, Author), posted November 26, 2017

Sorry for the late reply. I don't think it can be done with Cisco 2960x switches (I've never done it and never seen someone else do this before), are they capable of this?

The reason I brought up NPS is that I thought/think captive portal is done there, like ISE. Where should the captive portal be configured if it is not the NPS then?

sc302 (Veteran), posted November 26, 2017

The 2960x will forward RADIUS requests. It doesn't have a way to forward to a captive portal, that I can see anyway. NPS can authenticate and you can kind of do it the way you want, but it is only an authenticator. There is no front-end sign-in portal.

If you want to do it based on authentication, it won't really be a captive portal; you could create a rule that would allow auth if on a specific SSID: the user belongs to a specific group, then the device can auth on that SSID. Otherwise a third-party utility for captive portal would be needed. Or it is done at the web gateway. UniFi can port to a captive portal, but it isn't RADIUS/NPS. You could have a captive portal auth against NPS.

nabz0r (Veteran, Author), posted December 14, 2017 (edited)

Sorry for the late reply. Anyway, now after many discussions with our customer and my boss, we have succeeded in using ISE instead, and I've been working with it in the past few days, though using an eval license just for testing, and everything works almost fine except this tiny issue.

This is how I am using it:

- ISE connected to AD
- Domain Computers to authenticate computers = works fine, and I've also tested with AD username and it works without any problems
- MAB AD Group to authenticate printers, cameras, etc = it doesn't work and I've grown 50 new grey hairs troubleshooting this

Switch port config for dot1x and mab:

    interface GigabitEthernet1/0/13
     description DOT1X
     switchport access vlan 3180
     switchport mode access
     access-session closed
     access-session port-control auto
     dot1x pae authenticator
     no cdp enable
     spanning-tree portfast
     service-policy type control subscriber DOT1X_POLICY
    end

    interface GigabitEthernet1/0/13
     description MAB
     switchport access vlan 3180
     switchport mode access
     access-session control-direction in
     access-session closed
     access-session port-control auto
     mab
     dot1x pae authenticator
     no cdp enable
     spanning-tree portfast
     service-policy type control subscriber MAB_POLICY

Switch policy for both dot1x and mab:

    policy-map type control subscriber DOT1X_POLICY
     event session-started match-all
      10 class always do-until-failure
       10 authenticate using dot1x priority 10
     event authentication-failure match-first
      10 class always do-until-failure
       10 terminate dot1x
       20 authentication-restart 60
     event agent-found match-all
      10 class always do-until-failure
       10 authenticate using dot1x priority 10
     event authentication-success match-all
      10 class always do-until-failure
       10 activate service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
    !
    policy-map type control subscriber MAB_POLICY
     event session-started match-all
      10 class always do-until-failure
       10 authenticate using mab priority 10
     event authentication-failure match-first
      10 class always do-until-failure
       10 terminate mab
       20 authentication-restart 60
     event authentication-success match-all
      10 class always do-until-failure
       10 activate service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE

On ISE I used the default Authentication Policy, but for Authorization I use the following:

    Condition: ADNAME:ExternalGroups EQUALS: ADNAME/Users/Domain Computers
    Results:   PermitAccess (works fine)

    Condition: ADNAME:ExternalGroups EQUALS: ADNAME/Groups/G.Sec/Dot1X.MAB (this is a group in the active directory)
    Results:   PermitAccess = doesn't work, it ends up matching Default Policy which is DenyAccess, though I've changed it to PermitAccess, but no success.

    Failure reason: 15039 Rejected per authorization profile (from ISE)
    Event: 5434 Endpoint conducted several failed authentications of the same scenario (from ISE)

I don't know what else to do, I've looked everywhere in Google and tried every possible solution I've thought of or came across in Google, but it is still not working. I can't post this on Cisco as the community is in read-only mode due to an update until tomorrow.

I think it is something in AD that I have missed but can't come up with what. Have you two had any similar issue with ISE and MAB?

Sorry for the long post and thanks in advance!

sc302 (Veteran), posted December 14, 2017

Here is my port config. I will have to check your post later.

    switchport mode access
    authentication order mab dot1x
    authentication port-control auto
    mab
    dot1x pae authenticator
    spanning-tree portfast

nabz0r (Veteran, Author), posted December 14, 2017

"authentication port-control auto" doesn't work any more. It is access-session instead now and other parameters should be specified in the policy-map.

sc302 (Veteran), posted December 14, 2017

2960xr right?

nabz0r (Veteran, Author), posted December 14, 2017

Yeah.

sc302 (Veteran), posted December 14, 2017

Let me check, pretty sure it still works even though it may be deprecated.

sc302 (Veteran), posted December 14, 2017

Here is my sh ver:

    Cisco IOS Software, C2960X Software (C2960X-UNIVERSALK9-M), Version 15.2(6)E, RELEASE SOFTWARE (fc4)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2017 by Cisco Systems, Inc.
    Compiled Sat 05-Aug-17 12:55 by prod_rel_team

Here is my config, and it is working in production right now. Some things of course edited out.

    aaa new-model
    !
    !
    aaa authentication login vtylogin group radius local
    aaa authentication login Console local
    aaa authentication enable default group radius enable
    aaa authentication dot1x default group radius
    aaa authorization console
    aaa authorization exec default group radius local
    aaa authorization exec vtylogin group radius local
    aaa authorization exec console local
    aaa authorization network default group radius
    ip domain-name whaterver.com
    dot1x system-auth-control
    interface GigabitEthernet1/0/1
     switchport mode access
     authentication order mab dot1x
     authentication port-control auto
     mab
     dot1x pae authenticator
     spanning-tree portfast edge
    interface vlan1
     no ip address
    !
    interface vlan 2
     no ip address
    !
    ip default-gateway 192.168.1.1
    ip forward-protocol nd
    ip http server
    ip http authentication aaa login-authentication vtylogin
    ip http authentication aaa exec-authorization vtylogin
    ip http secure-server
    !
    ip ssh version 2
    !
    radius server RADIUS
     address ipv4 192.168.1.242 auth-port 1812 acct-port 1813
     key 7 0000000000000000000
    !
    vstack
    !
    line con 0
     authorization exec console
     login authentication Console
    line vty 0 4
     password 7 password
     login authentication vtylogin
     transport input ssh
    line vty 5 14
     password 7 password
     login authentication vtylogin
     transport input ssh
    line vty 15
     password 7password
     login authentication vtylogin
     transport input ssh

nabz0r (Veteran, Author), posted December 14, 2017

Yeah, it works on some switches but not this one.

    %Command deprecated (authentication mac-move permit) - use access-session instead

    switch# sh access-s int g1/0/14 det
    switch#sh access-s int g1/0/14 det
    Interface: GigabitEthernet1/0/14
    MAC Address: c85b.76e8.ee32
    IPv6 Address: Unknown
    IPv4 Address: Unknown
    User-Name: c85b76e8ee32
    Status: Unauthorized
    Domain: UNKNOWN
    Oper host mode: multi-auth
    Oper control dir: both
    Session timeout: N/A
    Restart timeout: 60s (local), Remaining: 32s
    Session Uptime: 28s
    Common Session ID: AC1E31AA0000015576191DDC
    Acct Session ID: Unknown
    Handle: 0xD600010B
    Current Policy: MAB_POLICY
    Method status list:
      Method  State
      mab     Stopped

Debug:

    switch#u all
    Dec 14 13:51:36.816: mab-ev: [c85b.76e8.ee32, Gi1/0/14] Received MAB context create from AuthMgr
    Dec 14 13:51:36.816: mab-ev: MAB authorizing c85b.76e8.ee32
    Dec 14 13:51:36.816: mab-ev: Created MAB client context 0x84000005
    Dec 14 13:51:36.816: mab : initial state mab_initialize has enter
    Dec 14 13:51:36.816: mab-ev: [c85b.76e8.ee32, Gi1/0/14] Sending create new context event to EAP from MAB for 0x84000005 (c85b.76e8.ee32)
    Dec 14 13:51:36.816: mab-ev: [c85b.76e8.ee32, Gi1/0/14] MAB authentication started for 0x078DBE48 (c85b.76e8.ee32)
    Dec 14 13:51:36.816: mab-ev: [c85b.76e8.ee32, Gi1/0/14] Invalid EVT 9 from EAP
    Dec 14 13:51:36.816: mab-sm: [c85b.76e8.ee32, Gi1/0/14] Received event 'MAB_CONTINUE' on handle 0x84000005
    Dec 14 13:51:36.816: mab : during state mab_initialize, got event 1(mabContinue)
    Dec 14 13:51:36.816: @@@ mab : mab_initialize -> mab_authorizing
    Dec 14 13:51:36.816: mab-ev: [c85b.76e8.ee32] formatted mac = c85b76e8ee32
    Dec 14 13:51:36.816: mab-ev: [c85b.76e8.ee32] created mab pseudo dot1x profile dot1x_mac_auth_c85b.76e8.ee32
    Dec 14 13:51:36.816: mab-ev: [c85b.76e8.ee32, Gi1/0/14] Starting MAC-AUTH-BYPASS for 0x84000005 (c85b.76e8.ee32)
    Dec 14 13:51:36.816: mab-ev: [c85b.76e8.ee32, Gi1/0/14] Invalid EVT 9 from EAP
    Dec 14 13:51:36.819: AAA/AUTHEN/8021X (00000000): Pick method list 'default'
    Dec 14 13:51:36.819: AAA/AUTHEN(00000000): There is no General DBReply Method Index details may not be specified
    Dec 14 13:51:36.819: RADIUS/ENCODE(00000000):Orig. component type = Invalid
    Dec 14 13:51:36.819: RADIUS(00000000): Config NAS IP: 0.0.0.0
    Dec 14 13:51:36.819: RADIUS(00000000): Config NAS IPv6: ::
    Dec 14 13:51:36.819: RADIUS(00000000): sending
    Dec 14 13:51:36.819: RADIUS/ENCODE: Best Local IP-Address 172.30.49.170 for Radius-Server 172.30.1.181
    Dec 14 13:51:36.819: RADIUS(00000000): Send Access-Request to 172.30.1.181:1812 id 1645/66, len 261
    Dec 14 13:51:36.819: RADIUS: authenticator 24 D5 05 1C 95 CD B2 AA - E8 70 A1 24 BA AC 0F 6E
    Dec 14 13:51:36.819: RADIUS: User-Name [1] 14 "c85b76e8ee32"
    Dec 14 13:51:36.819: RADIUS: User-Password [2] 18 *
    Dec 14 13:51:36.819: RADIUS: Service-Type [6] 6 Call Check [10]
    Dec 14 13:51:36.819: RADIUS: Vendor, Cisco [26] 31
    Dec 14 13:51:36.819: RADIUS: Cisco AVpair [1] 25 "service-type=Call Check"
    Dec 14 13:51:36.819: RADIUS: Framed-MTU [12] 6 1500
    Dec 14 13:51:36.819: RADIUS: Called-Station-Id [30] 19 "28-52-61-22-7A-0E"
    Dec 14 13:51:36.819: RADIUS: Calling-Station-Id [31] 19 "C8-5B-76-E8-EE-32"
    Dec 14 13:51:36.819: RADIUS: Message-Authenticato[80] 18
    Dec 14 13:51:36.823: RADIUS: EF 1F 17 00 74 59 C5 35 A3 90 F6 92 DA 10 03 16 [ tY5]
    Dec 14 13:51:36.823: RADIUS: EAP-Key-Name [102] 2 *
    Dec 14 13:51:36.823: RADIUS: Vendor, Cisco [26] 49
    Dec 14 13:51:36.823: RADIUS: Cisco AVpair [1] 43 "audit-session-id=AC1E31AA0000015476113A03"
    Dec 14 13:51:36.823: RADIUS: Vendor, Cisco [26] 18
    Dec 14 13:51:36.823: RADIUS: Cisco AVpair [1] 12 "method=mab"
    Dec 14 13:51:36.823: RADIUS: NAS-IP-Address [4] 6 172.30.49.170
    Dec 14 13:51:36.823: RADIUS: NAS-Port-Id [87] 23 "GigabitEthernet1/0/14"
    Dec 14 13:51:36.823: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
    Dec 14 13:51:36.823: RADIUS: NAS-Port [5] 6 50114
    Dec 14 13:51:36.823: RADIUS(00000000): Sending a IPv4 Radius Packet
    Dec 14 13:51:36.823: RADIUS(00000000): Started 5 sec timeout
    Dec 14 13:51:36.826: RADIUS: Received from id 1645/66 172.30.1.181:1812, Access-Reject, len 38
    Dec 14 13:51:36.826: RADIUS: authenticator 89 E9 E0 49 BD 71 DD C2 - E9 1A 83 73 30 6B 09 95
    Dec 14 13:51:36.826: RADIUS: Message-Authenticato[80] 18
    Dec 14 13:51:36.830: RADIUS: F7 4F 20 8C BC A8 D9 E8 CF F3 36 E4 70 2E 80 B5 [ O 6p.]
    Dec 14 13:51:36.830: RADIUS(00000000): Received from id 1645/66
    Dec 14 13:51:36.830: mab-ev: [c85b.76e8.ee32, Gi1/0/14] MAB received an Access-Reject for 0x84000005 (c85b.76e8.ee32)
    Dec 14 13:51:36.830: %MAB-5-FAIL: Authentication failed for client (c85b.76e8.ee32) on Interface Gi1/0/14 AuditSessionID AC1E31AA0000015476113A03
    Dec 14 13:51:36.830: mab-sm: [c85b.76e8.ee32, Gi1/0/14] Received event 'MAB_RESULT' on handle 0x84000005
    Dec 14 13:51:36.830: mab : during state mab_authorizing, got event 5(mabResult)
    Dec 14 13:51:36.830: @@@ mab : mab_authorizing -> mab_terminate
    Dec 14 13:51:36.830: mab-ev: [c85b.76e8.ee32, Gi1/0/14] Deleted credentials profile for 0x84000005 (dot1x_mac_auth_c85b.76e8.ee32)
    Dec 14 13:51:36.830: mab-ev: [c85b.76e8.ee32, Gi1/0/14] Added username (c85b76e8ee32) in mab for 0x84000005
    Dec 14 13:51:36.830: mab-sm: [c85b.76e8.ee32, Gi1/0/14] Received event 'MAB_DELETE' on handle 0x84000005
    svky-as170-upp#u all
    Dec 14 13:51:36.830: mab-ev: [c85b.76e8.ee32, Gi1/0/14] Received ABORT event from Auth Mgr for 0x84000005 (c85b.76e8.ee32)
    Dec 14 13:51:36.830: mab-ev: [c85b.76e8.ee32, Gi1/0/14] Deleted credentials profile for 0x84000005 (dot1x_mac_auth_c85b.76e8.ee32)
    Dec 14 13:51:36.833: mab-ev: Freed MAB client context

sc302 (Veteran), posted December 14, 2017

What version are you on? I am on the latest version:

https://www.cisco.com/c/en/us/support/switches/catalyst-2960xr-48lps-i-switch/model.html#~tab-downloads

nabz0r (Veteran, Author), posted December 14, 2017 (edited)

Mine is pretty much the same configuration.

These are interesting:

    Dec 14 13:51:36.830: mab-ev: [c85b.76e8.ee32, Gi1/0/14] MAB received an Access-Reject for 0x84000005 (c85b.76e8.ee32)
    Dec 14 13:51:36.830: %MAB-5-FAIL: Authentication failed for client (c85b.76e8.ee32) on Interface Gi1/0/14 AuditSessionID AC1E31AA0000015476113A03
    Dec 14 13:51:36.830: mab-sm: [c85b.76e8.ee32, Gi1/0/14] Received event 'MAB_RESULT' on handle 0x84000005
    Dec 14 13:51:36.830: mab : during state mab_authorizing, got event 5(mabResult)
    Dec 14 13:51:36.830: @@@ mab : mab_authorizing -> mab_terminate
    Dec 14 13:51:36.830: mab-ev: [c85b.76e8.ee32, Gi1/0/14] Deleted credentials profile for 0x84000005 (dot1x_mac_auth_c85b.76e8.ee32)
    Dec 14 13:51:36.830: mab-ev: [c85b.76e8.ee32, Gi1/0/14] Added username (c85b76e8ee32) in mab for 0x84000005
    Dec 14 13:51:36.830: mab-sm: [c85b.76e8.ee32, Gi1/0/14] Received event 'MAB_DELETE' on handle 0x84000005

I am on this version:

    Switch Ports Model             SW Version  SW Image
    ------ ----- -----             ----------  ----------
    *    1 28    WS-C2960X-24TS-L  15.2(2)E5   C2960X-UNIVERSALK9-M

sc302 (Veteran), posted December 14, 2017

AD based auth with MAB? The MAC address for the device has to be the user ID and the password, all lower case. Otherwise you will be rejected access.

In this case, in AD you must create a user object with the following and associate it with the proper groups required in your rules:

    userid: c85b76e8ee32
    pass:   c85b76e8ee32

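
The check sc302 describes above (the MAB account name must be the MAC address in lower case, without separators) can be run against the switch debug posted earlier in the thread. This is an added example, not code from any poster: the function names are made up for illustration, and the sample is a trimmed, constructed copy of the thread's debug lines.

```python
import re

# Constructed sample: a trimmed copy of the switch debug quoted in the thread.
SAMPLE_DEBUG = '''\
Dec 14 13:51:36.819: RADIUS(00000000): Send Access-Request to 172.30.1.181:1812 id 1645/66, len 261
Dec 14 13:51:36.819: RADIUS: User-Name [1] 14 "c85b76e8ee32"
Dec 14 13:51:36.819: RADIUS: Service-Type [6] 6 Call Check [10]
Dec 14 13:51:36.819: RADIUS: Calling-Station-Id [31] 19 "C8-5B-76-E8-EE-32"
Dec 14 13:51:36.823: RADIUS: Cisco AVpair [1] 12 "method=mab"
Dec 14 13:51:36.823: RADIUS: NAS-Port-Id [87] 23 "GigabitEthernet1/0/14"
Dec 14 13:51:36.826: RADIUS: Received from id 1645/66 172.30.1.181:1812, Access-Reject, len 38
Dec 14 13:51:36.826: RADIUS: Message-Authenticato[80] 18
'''

SEND = re.compile(r"Send Access-Request to (\S+):(\d+) id (\d+/\d+)")
RECV = re.compile(r"Received from id (\d+/\d+) \S+, (Access-\w+)")
ATTR = re.compile(r"RADIUS:\s+([A-Za-z][\w -]*?)\s*\[(\d+)\]\s+\d+\s*(.*)$")


def mab_username(mac):
    """Normalise any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[.:-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def parse_radius_debug(text):
    """Pair each Access-Request in the debug output with the server's reply."""
    exchanges, by_id, current = [], {}, None
    for line in text.splitlines():
        m = SEND.search(line)
        if m:
            current = {"server": m.group(1), "port": int(m.group(2)),
                       "id": m.group(3), "attrs": {}, "result": None}
            exchanges.append(current)
            by_id[current["id"]] = current
            continue
        m = RECV.search(line)
        if m:
            if m.group(1) in by_id:
                by_id[m.group(1)]["result"] = m.group(2)
            current = None  # attributes after this line belong to the reply
            continue
        m = ATTR.search(line)
        if m and current is not None:
            # Drop the trailing enum code such as "[10]" and surrounding quotes.
            value = re.sub(r"\s*\[\d+\]\s*$", "", m.group(3)).strip().strip('"')
            current["attrs"].setdefault(m.group(1), []).append(value)
    return exchanges


def review_mab(exchange):
    """Compare the User-Name the switch sent with the account name expected."""
    attrs = exchange["attrs"]

    def first(name):
        return attrs.get(name, [""])[0]

    try:
        expected = mab_username(first("Calling-Station-Id"))
    except ValueError:
        expected = None  # attribute missing or malformed
    return {
        "port": first("NAS-Port-Id"),
        "is_mab": ("method=mab" in attrs.get("Cisco AVpair", [])
                   or first("Service-Type") == "Call Check"),
        "sent_username": first("User-Name"),
        "expected_account": expected,
        "username_ok": expected is not None and first("User-Name") == expected,
        "result": exchange["result"],
    }


if __name__ == "__main__":
    for ex in parse_radius_debug(SAMPLE_DEBUG):
        print(ex["server"], review_mab(ex))
```

On the thread's sample the username check passes while the result is Access-Reject, so the User-Name the switch sends already has the form sc302 describes and the remaining things to check are on the RADIUS server and directory side.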
nabz0r (Veteran, Author), posted December 14, 2017

Yeah, AD based MAB. Just checked and all lower case, changed password and I'll try again.

sc302 (Veteran), posted December 14, 2017

Might want to upgrade... the GUI is a lot better/more useful.

https://software.cisco.com/download/release.html?mdfid=284795737&softwareid=280805680&os=&release=15.2.6E&relind=AVAILABLE&rellifecycle=&reltype=latest&i=!pp

Strange that it is deprecated in yours but in mine it works. I guess that is the difference between IP Lite and LAN Base.

nabz0r (Veteran, Author), posted December 14, 2017

Switch gui? oO

It used to work last week, but when I applied dACL and when I disabled dACL authentication command stopped working.

sc302 (Veteran), posted December 14, 2017

5 minutes ago, nabz0r said:

    Switch gui? oO

    It used to work last week, but when I applied dACL and when I disabled dACL authentication command stopped working.

Oh yeah, much more useful. At least in the xr... it is actually somewhat usable, at least for more than looking to see if the ports are up/down. Need to use the .tar to get it though, the bin is just the boot OS, not the GUI..

nabz0r (Veteran, Author), posted December 14, 2017

Oh ok, I don't think I'll be using it.

I have restarted both ISE and the switch, hopefully this will solve the issue, otherwise I don't know what to do.
