topic Is the device updated with in Network Access Control

ISE blocking PC's after switch native vlan change

preston trogden — Mon, 11 Mar 2019 06:02:14 GMT

So i encountered a strange problem the other day after changing the Native/Mgt vlan on a switch. It was set to 1 and i changed it to 10. after that none of the PC's could get DHCP addresses. restarted the router and switch and pc's to no avial. they would get the windows pipa address 169.254.x.x. as soon as i did a auth open, they got ip's before i could even say "how about now" and all are working just fine. I need to know what caused this blockage before i start down the road of doing the other 170 networks that need to be done.

my steps were:

create new vlan on switch with ip, ssh into new vlan IP, change original mgt vlan, set native command on trunk ports and PC ports, change encap dot1q on router subint for new vlan. rebooted router and switch, and PC's. Had to "auth open" ports do PC's could get DHCP, then everything was fine. No auth open to return to normal and all is well.

ISE version 1.1.0876 patch 4

distributed deployment

Is the device updated with

Tobias Svensson — Tue, 08 Sep 2015 17:17:33 GMT

Is the device updated with the correct ip in ISE Network Devices?

its able to talk with ISE if you try "test aaa group radius ..."

yes i added the new IP to

preston trogden — Tue, 08 Sep 2015 17:29:41 GMT

yes i added the new IP to Network devices.

that i don't know because i am investigating this after it happened.

Ok, make sure its talking

Tobias Svensson — Tue, 08 Sep 2015 17:33:37 GMT

Ok, make sure its talking with the right interface via "ip radius source-interface" on the switch/routers.

just to clarify, the switch

preston trogden — Tue, 08 Sep 2015 18:58:04 GMT

just to clarify, the switch and router were already in ISE and everything worked fine. we were just getting the mgt vlan off 1.

here is the port config on the switch before the change

switchport mode access
switchport voice vlan 25
authentication event fail action authorize vlan 1
authentication event server dead action authorize vlan 1
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast

int g0/3

switchport mode trunk
spanning-tree portfast trunk

router :

int g0/0.20

encap dot1q 1 native

and after the change:

switchport access vlan 20
switchport mode access
switchport voice vlan 25
authentication event fail action authorize vlan 20
authentication event server dead action authorize vlan 20
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast

int g0/3

switchport trunk native vlan 20
switchport mode trunk
spanning-tree portfast trunk

router

int g0/0.20

encap dot1q 20 native

after making and writing the changes i rebooted both devices and the PC's

any help is appreciated.

preston trogden — Wed, 09 Sep 2015 21:13:30 GMT

any help is appreciated.

What is the status of "show

jan.nielsen — Wed, 09 Sep 2015 23:13:54 GMT

What is the status of "show auth sess interface x/x", when the pc is trying to get an ip address ? Try running it with a few secs interval after you plug the pc in.

it would say running or

preston trogden — Fri, 11 Sep 2015 15:25:01 GMT

it would say running or failed

where is your dhcp server, is

adam kalabadzi — Mon, 14 Sep 2015 00:02:57 GMT

where is your dhcp server, is it your router? or is it another device on your network? if yes, just make sure your new vlan is exist all along the path between your switch and your dhcp server.

i dont think you read the

preston trogden — Mon, 14 Sep 2015 13:25:11 GMT

i dont think you read the entire post. how would an auth open fix that?

Could you post the complete

jan.nielsen — Mon, 14 Sep 2015 13:37:08 GMT

Could you post the complete config (without passwords of course) ?

Also, are you running dhcp snooping and ip device tracking ?

When your PC's don't get a dhcp address, do they actually do a successfull dot1x authentication? Are you assigning the new vlan id in your authorization result ?

from what i remember, yes,

preston trogden — Mon, 14 Sep 2015 13:54:07 GMT

from what i remember, yes, some did get successful dot1x on the switch. We are assigning a new vlan to that port as well.

anything else you can think

preston trogden — Fri, 18 Sep 2015 18:48:30 GMT

anything else you can think of?