https://community.cisco.com/t5/network-access-control/ip-address-in-ise-live-authentication-after-vlan-change/m-p/2205972#M126383 <HTML><HEAD></HEAD><BODY><P>can you check the accounting msg? if you config periodic accounting, you should see updated ip in accounting msg.<BR /><BR />Sent from Cisco Technical Support iPad App</P></BODY></HTML> Mon, 24 Jun 2013 15:19:32 GMT Shaoqin Li 2013-06-24T15:19:32Z https://community.cisco.com/t5/network-access-control/ip-address-in-ise-live-authentication-after-vlan-change/m-p/2205971#M126340 <P>Hi all,</P><P>on ISE live authentication dashboard we can see IP address of the client (known from FRAMED-IP-ADDRESS).</P><P>But what about vlan change and the situation when client gets new IP address after relocation to different vlan.</P><P>Live logs shows only the first IP address - client mapping (from the guest vlan), after authorization new vlan and dACL is assigned but logs don't include new IP address.</P><P>session ID is the same all the time.</P><P>so maybe ip helper or other trick?</P><P></P><P>regards</P> Mon, 11 Mar 2019 03:34:41 GMT https://community.cisco.com/t5/network-access-control/ip-address-in-ise-live-authentication-after-vlan-change/m-p/2205971#M126340 Przemyslaw Konitz 2019-03-11T03:34:41Z https://community.cisco.com/t5/network-access-control/ip-address-in-ise-live-authentication-after-vlan-change/m-p/2205972#M126383 <HTML><HEAD></HEAD><BODY><P>can you check the accounting msg? if you config periodic accounting, you should see updated ip in accounting msg.<BR /><BR />Sent from Cisco Technical Support iPad App</P></BODY></HTML> Mon, 24 Jun 2013 15:19:32 GMT https://community.cisco.com/t5/network-access-control/ip-address-in-ise-live-authentication-after-vlan-change/m-p/2205972#M126383 Shaoqin Li 2013-06-24T15:19:32Z https://community.cisco.com/t5/network-access-control/ip-address-in-ise-live-authentication-after-vlan-change/m-p/2205973#M126463 <HTML><HEAD></HEAD><BODY><P>thx for reply. </P><P>I added "aaa accounting update newinfo" and I'll see tommorow how it works with anyconnect and 802.1x.</P><P></P><P>Meanwhile I think I must clarify what I meant </P><P></P><P>Not all logs have IP address present in live authentication (this is MAB for test only) </P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/1/0/1/143101-ScreenShot477.jpg" class="jive-image" /></P><P>the situation with 802.1x and anyconnect is a bit better cause there are IP addresses but only from the first dhcp address assignment (authentication open with default ACL). Then if the policy changes vlan and the client gets new IP address from different scope we have wrong information in this log.</P><P></P><P>but getting back to our MAB...</P><P>details of this entry looks like:</P><P></P><P></P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/3/0/1/143103-ScreenShot474.jpg" class="jive-image" />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P></P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/4/0/1/143104-ScreenShot475.jpg" class="jive-image" /></P><P></P><P>so this is probably the reason that no IP address is visible it was too soon for MAB to get this info and send it as framed IP address (according to this config command "radius-server attribute 8 include-in-access-req")</P><P></P><P>nevertheless clicking the accounting details (from the 2nd screenshot)</P><P>we see that this information is present </P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/5/0/1/143105-ScreenShot476.jpg" class="jive-image" /></P><P></P><P></P><P>so my first question is on which stage this column is fulfilled? only when "FRAMED-IP-ADDRESS" is send in radius-request? or from accounting? </P><P>maybe ISE should dynamically modify this record after each accounting newinfo message? </P><P></P><P>regards</P></BODY></HTML> Mon, 24 Jun 2013 16:36:45 GMT https://community.cisco.com/t5/network-access-control/ip-address-in-ise-live-authentication-after-vlan-change/m-p/2205973#M126463 Przemyslaw Konitz 2013-06-24T16:36:45Z