topic Looks like a dhcp snooping in Network Access Control

ISE 2.0 (patch 1) authorization issue

deyster94 — Tue, 26 Mar 2019 00:34:02 GMT

I am running into a bit of an odd issue with ISE 2.0 (patch 1). I have a Win 7 laptop that passes authC/authZ, gets an IP address, but cannot access any internal or external resources. It's using 802.1x with EAP-TLS with machine and user certs from AD. Along with this issue I am having another one with MAR, but TAC is looking into that issue.

I just cannot figure out how the device can get an IP address, but not access anything on the network. The laptop can do a release/renew of the IP address as well, so it's getting somewhere on the network.

TIA for any ideas.

-Dan

Is it wireless or wired, if

jan.nielsen — Tue, 22 Dec 2015 20:24:29 GMT

Is it wireless or wired, if wired you should check on the switch, with "show auth sess int x/x" to see if the switch has actually authorized the user, and downloaded the ACL if you are using open mode

It's a wired deployment.

deyster94 — Tue, 22 Dec 2015 20:26:40 GMT

It's a wired deployment. Results of show auth sess:

IT-READING-S04#sh authentication sessions int g1/0/27
Interface: GigabitEthernet1/0/27
MAC Address: f01f.af48.3290
IP Address: Unknown
User-Name: user@client.com
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
ACS ACL: xACSACLx-IP-Wired_Permit_All-5661b508
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC100BCC0000120BF61FB559
Acct Session ID: 0x0001DD8A
Handle: 0x36000215

Runnable methods list:
Method State
dot1x Authc Success
mab Not run

Nothing being blocked and the dACL is permit ip any any.

Looks like a dhcp snooping

jan.nielsen — Tue, 22 Dec 2015 22:09:08 GMT

Looks like a dhcp snooping/device tracking issue, the auth sess does not know the ip of your windows pc and the ACL then does not get applied. You can check that with "show ip access-list interface x/x" . Can you do a "show ip device tracking int x/x" and see if the device ip shows up as active ? Also have you configured the recommended settings in the switch using the trustsec universal switch config guide ?

Jan,

deyster94 — Wed, 23 Dec 2015 14:40:02 GMT

Jan,

It was the dhcp snopping/tracking config missing from the switch. Thanks for the help!

-Dan