Authentication Sessions detailed incorrect

NetEngineerKC15 — Wed, 25 Mar 2020 17:00:28 GMT

This is a unique issue as TAC has been having a hard time figuring it out. One minute it starts working, another it doesnt. So to break it down, we are using:

Not Working

Catalyst 9410 -- Latest version 16.9.4 with two patches.

Working

Catalyst 4506

--Same usual configuration. Works flawlessly.

What RADIUS?

ISE 2.6 - Base License -- Uses same policies for both. So we know that is not the issue.

Now, you would believe its just a cut-and-paste of the configs..not so. So here is what I have, I hope you all can shed some light as I'm hitting a dead end here.

ip dhcp snooping glean
ip dhcp snooping vlan 200,400, 800
no ip dhcp snooping information option

--They said this is not supposed to work, but this is causing it to sort-of-work.
ip dhcp snooping

device-tracking logging packet drop
device-tracking logging theft
device-tracking tracking auto-source fallback 0.0.0.10 255.255.255.0 override
device-tracking tracking retry-interval 30

authentication critical recovery delay 1000

switchport access vlan 200
switchport mode access
switchport voice vlan 800
spanning-tree portfast
auto qos voip cisco-phone
spanning-tree bpdufilter enable
authentication control-direction in
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
authentication event fail retry 3 action authorize vlan 400
mab

dot1x pae authenticator
dot1x timeout tx-period 10
qos trust device cisco-phone

radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req format %h
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf
radius-server dead-criteria time 10 tries 3
radius-server vsa send cisco-nas-port

If looking at show device-tracking database. It shows all is reachable; cool.

If looking at show authentication sessions interface Blah/Blah/Blah detail. It shows:

Interface: GigabitEthernetBlah/Blah/Blah
IIF-ID: 0x16105801
MAC Address: 0050.0000.0000 (Filtered MAC but It's a Thin Client)
IPv6 Address: Unknown
IPv4 Address: Unknown

----But yet I can ping it and https to it??
User-Name: 00-50-00-00-00-00
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: in
Session timeout: N/A
Common Session ID: 0B6410AC000000F311D980CA
Acct Session ID: 0x000000d4
Handle: 0x8a0000e2
Current Policy: POLICY_GiBlah/Blah/Blah

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure

Server Policies:
ACS ACL: xACSACLx-IP-DATA_THINCLIENT_ACL_backup-5e7a240c

Method status list:
Method State
mab Authc Success

So the Authentication is a success.

The VLAN is where it should be

The dACL is what it should be (includes bootps and bootpc in the dACL)

if its voice phone, its where it should be

if its a guest it gets blackholed (as it should be)

after next business day, I can't connect to it any longer. So since then I put in:

device-tracking binding down-lifetime 600

device-tracking binding reachable-lifetime 86400

device-tracking binding stale-lifetime 600

If I look at ISE RADIUS Logs, it reads and authenticates, but does not show the IP address.

I can ping, https to it but it does not show correctly on there as it shows up on the database. I have other ports within the same switch that is not using RADIUS and it works well too. What am I missing?

Re: Authentication Sessions detailed incorrect

Greg Gibbs — Wed, 25 Mar 2020 23:10:15 GMT

Duplicate question.

See this community post

topic Authentication Sessions detailed incorrect in Network Access Control

Authentication Sessions detailed incorrect

Re: Authentication Sessions detailed incorrect