https://community.cisco.com/t5/network-access-control/ise-1-3-issue-with-catalyst-4500e-12-54/m-p/2957144#M37459 <P>Hi again!</P> <P></P> <P>Anyone can look into this?</P> <P></P> <P>Thanks</P> Wed, 14 Dec 2016 12:05:39 GMT Capricorn 2016-12-14T12:05:39Z https://community.cisco.com/t5/network-access-control/ise-1-3-issue-with-catalyst-4500e-12-54/m-p/2957141#M37456 <P>Hi!</P> <P>I am new to ISE world.</P> <P>I have different Authorization policy based on computer and user. Once the computer start it will assign to vlan based on its security group membership. If a user login to same computer then second Authorization clicks in IP is assigned from Vlan based on user security group.</P> <P>It works on 2900 series switch but the same thing doesn't work on&nbsp;Catalyst 4500E (12.54). I have matched the config for Dot1x on both switches and the look fine.</P> <P></P> <P>The issue is that on Catalyst 4500 the second authorization doesnt work. Only the first policy that is for computer authentication works.</P> <P></P> <P>Any suggestion on this?</P> <P></P> <P>Thanks</P> <P></P> <P>Capricorn</P> <P></P> <P></P> Mon, 11 Mar 2019 07:15:17 GMT https://community.cisco.com/t5/network-access-control/ise-1-3-issue-with-catalyst-4500e-12-54/m-p/2957141#M37456 Capricorn 2019-03-11T07:15:17Z https://community.cisco.com/t5/network-access-control/ise-1-3-issue-with-catalyst-4500e-12-54/m-p/2957142#M37457 <P>Hello Capricorn-</P> <P>My guess is that you are hitting a bug with the version of code that you are running on the 4500. Can you provide the following info:</P> <P>- Exact chassis model (Obtain from show ver)</P> <P>- Exact version code (Obtain from show ver)</P> <P>- Output from from the following command: show authentication session interface&nbsp;<EM>interface_name_number</EM></P> <P>- Configuration of the affected port</P> <P><EM>Thank you for rating helpful posts!</EM></P> Tue, 29 Nov 2016 17:56:54 GMT https://community.cisco.com/t5/network-access-control/ise-1-3-issue-with-catalyst-4500e-12-54/m-p/2957142#M37457 nspasov 2016-11-29T17:56:54Z https://community.cisco.com/t5/network-access-control/ise-1-3-issue-with-catalyst-4500e-12-54/m-p/2957143#M37458 <P>Thanks Neno for looking into this. Please see below.</P> <P></P> <P>WS-C4506-E</P> <P>cat4500e-ipbasek9-mz.122-54.SG1.bin</P> <P><BR />description ISE<BR /> switchport access vlan 550<BR /> switchport mode access<BR /> switchport voice vlan 300<BR /> ip access-group ACL-DEFAULT in<BR /> authentication event fail action next-method<BR /> authentication host-mode multi-domain<BR /> authentication order dot1x mab<BR /> authentication priority dot1x mab<BR /> authentication port-control auto<BR /> authentication violation restrict<BR /> mab<BR /> dot1x pae authenticator<BR /> dot1x timeout tx-period 5<BR /> dot1x max-reauth-req 1<BR /> spanning-tree portfast<BR /> spanning-tree guard root</P> <P></P> <P></P> <P>--------</P> <P></P> <P></P> <P>show authentication sessions interface gigabitEthernet 3/31<BR /> Interface: GigabitEthernet3/31<BR /> MAC Address: a0b3.cc23.xxxx<BR /> IP Address: 10.2.7.227<BR /> User-Name: host/testcomputer.mydomain.com<BR /> Status: Authz Success<BR /> Domain: DATA<BR /> Oper host mode: multi-domain<BR /> Oper control dir: both<BR /> Authorized By: Authentication Server<BR /> Vlan Policy: 109<BR /> Session timeout: N/A<BR /> Idle timeout: N/A<BR /> Common Session ID: 0AF4DC0C0000003D8153AA91<BR /> Acct Session ID: 0x00005255<BR /> Handle: 0xA300003E</P> <P>Runnable methods list:<BR /> Method State<BR /> dot1x Authc Success<BR /> mab Not run</P> Tue, 06 Dec 2016 09:28:05 GMT https://community.cisco.com/t5/network-access-control/ise-1-3-issue-with-catalyst-4500e-12-54/m-p/2957143#M37458 Capricorn 2016-12-06T09:28:05Z https://community.cisco.com/t5/network-access-control/ise-1-3-issue-with-catalyst-4500e-12-54/m-p/2957144#M37459 <P>Hi again!</P> <P></P> <P>Anyone can look into this?</P> <P></P> <P>Thanks</P> Wed, 14 Dec 2016 12:05:39 GMT https://community.cisco.com/t5/network-access-control/ise-1-3-issue-with-catalyst-4500e-12-54/m-p/2957144#M37459 Capricorn 2016-12-14T12:05:39Z https://community.cisco.com/t5/network-access-control/ise-1-3-issue-with-catalyst-4500e-12-54/m-p/2957145#M37460 <P>Sorry about that. I thought I replied to the thread but I guess I missed it <span class="lia-unicode-emoji" title=":confused_face:">😕</span></P> <P>So, based on what you have provided I see two things that look strange:</P> <P>1. The username provided in the session is a name of a computer not actual user. Thus, it appears that the user auth is not even seen by the switch/ise</P> <P>2. In the port config you have a pre-auth ACL (<SPAN>ACL-DEFAULT) but I don't see a dACL in the authorization policy. So my question here is: Are you returning a dACL with your authorization policy? If not, I would suggest doing that as you need a dACL to replace the pre-auth ACL. Otherwise, the pre-auth ACL remains on the port even after successful authentication/authorization. You can quickly test this by pushing a "permit ip any any" with both authorization profiles.</SPAN></P> <P><EM>Thank you for rating helpful posts!</EM></P> Thu, 15 Dec 2016 23:25:09 GMT https://community.cisco.com/t5/network-access-control/ise-1-3-issue-with-catalyst-4500e-12-54/m-p/2957145#M37460 nspasov 2016-12-15T23:25:09Z https://community.cisco.com/t5/network-access-control/ise-1-3-issue-with-catalyst-4500e-12-54/m-p/2957146#M37461 <P>Hi!</P> <P></P> <P>Thanks for looking into it.</P> <P></P> <P>Everything works fine if I have a computer connected to Catalyst 2960G (&nbsp;Version 12.2(44)SE6) and&nbsp;it doesnt work if I connected the same computer to&nbsp;<SPAN>WS-C4506-E.</SPAN></P> <P><SPAN></SPAN></P> <P><SPAN>To me it looks ok from ISE as it works for 2960G. What you say?</SPAN></P> <P><SPAN></SPAN></P> <P><SPAN>Thanks</SPAN></P> Fri, 16 Dec 2016 10:46:30 GMT https://community.cisco.com/t5/network-access-control/ise-1-3-issue-with-catalyst-4500e-12-54/m-p/2957146#M37461 Capricorn 2016-12-16T10:46:30Z https://community.cisco.com/t5/network-access-control/ise-1-3-issue-with-catalyst-4500e-12-54/m-p/2957147#M37462 <P>So the reason I suggest you try the dACL is because the behavior of the default Pre-Auth ACL changed between versions and switch family. I had a link that described this but cannot find it now.</P> <P>I would definitely configure and push a dACL and see if that fixes the problem.&nbsp;</P> <P><EM>Thank you for rating helpful posts!</EM></P> Sat, 17 Dec 2016 21:39:41 GMT https://community.cisco.com/t5/network-access-control/ise-1-3-issue-with-catalyst-4500e-12-54/m-p/2957147#M37462 nspasov 2016-12-17T21:39:41Z https://community.cisco.com/t5/network-access-control/ise-1-3-issue-with-catalyst-4500e-12-54/m-p/2957148#M37463 <P>Hi!</P> <P></P> <P>We are already pushing DACL to it.</P> <P>I can see the DACL is coming down to switch.</P> <P>Thanks</P> Thu, 22 Dec 2016 13:13:33 GMT https://community.cisco.com/t5/network-access-control/ise-1-3-issue-with-catalyst-4500e-12-54/m-p/2957148#M37463 Capricorn 2016-12-22T13:13:33Z https://community.cisco.com/t5/network-access-control/ise-1-3-issue-with-catalyst-4500e-12-54/m-p/2957149#M37464 <P>If you are pushing a dACL then I would expect to see "&nbsp;ACS ACL:<EM>your_dACL_name</EM>" in the output from "show authentication session..." I did not see that in the output that you provided. To test this further, you can issue "show ip access-list interface&nbsp;<EM>interface_name"&nbsp;</EM>after the session has completed.&nbsp;</P> <P><EM>Thank you for rating helpful posts!</EM></P> Fri, 23 Dec 2016 19:49:30 GMT https://community.cisco.com/t5/network-access-control/ise-1-3-issue-with-catalyst-4500e-12-54/m-p/2957149#M37464 nspasov 2016-12-23T19:49:30Z https://community.cisco.com/t5/network-access-control/ise-1-3-issue-with-catalyst-4500e-12-54/m-p/2957150#M37465 <P>I get this. show ip access-lists interface gigabitEthernet 3/31</P> <P></P> <P>permit ip any any (30 estimate matches)</P> Thu, 12 Jan 2017 13:34:06 GMT https://community.cisco.com/t5/network-access-control/ise-1-3-issue-with-catalyst-4500e-12-54/m-p/2957150#M37465 Capricorn 2017-01-12T13:34:06Z