<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic ISE3.1 shows no endpoints in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/ise3-1-shows-no-endpoints/m-p/4662952#M576518</link>
    <description></description>
    <pubDate>Wed, 03 Aug 2022 12:28:32 GMT</pubDate>
    <dc:creator>Kasper Elsborg</dc:creator>
    <dc:date>2022-08-03T12:28:32Z</dc:date>
    <item>
      <title>ISE3.1 shows no endpoints</title>
      <link>https://community.cisco.com/t5/network-access-control/ise3-1-shows-no-endpoints/m-p/4662952#M576518</link>
      <description>&lt;P&gt;Hi community. First, I'm studying the ISE so I'm simply a beginner. However I've managed to integrate my NADs with TACACS+ and authenticating with AD.&lt;/P&gt;&lt;P&gt;It's a pure lab setup, with an ISE 3.1 and 4 switches, DC, with CA.&lt;/P&gt;&lt;P&gt;Client1 (win10) has its certificate pushed from GPO, and is attached to the if.&lt;/P&gt;&lt;P&gt;client2, printer&lt;/P&gt;&lt;P&gt;Client3 Android device-&lt;/P&gt;&lt;P&gt;All 3 clients have internet access&lt;/P&gt;&lt;P&gt;I'd like to authenticate with Dot1x on the switchport, but after several attempts I still have no endpoints visible in ISE or anything in the live logs. I think it's the sw config, as the endpoints are in&amp;nbsp;device-tracking database on the sw.&lt;/P&gt;&lt;P&gt;It's kind of a big mouthful, but I need to start somewhere &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;&lt;P&gt;ISE31 is in Vlan3 192.168.3.120&lt;/P&gt;&lt;P&gt;Clients are in Vlan2 192.168.2.0/24&lt;/P&gt;&lt;P&gt;DC in vlan2 192.168.2.82 and OSPF are enabled on the switches.&lt;/P&gt;&lt;P&gt;I hope you are able to help&lt;/P&gt;&lt;P&gt;Some information to begin with:&lt;/P&gt;&lt;P&gt;The SW 3650 is NOT licensed (could this be a problem?)&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;labsw2#sh device-tracking database 
Binding Table has 6 entries, 5 dynamic (limit 100000)
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match     0002:Orig trunk            0004:Orig access           
0008:Orig trusted trunk    0010:Orig trusted access   0020:DHCP assigned         
0040:Cga authenticated     0080:Cert authenticated    0100:Statically assigned   


    Network Layer Address               Link Layer Address Interface        vlan prlvl  age   state     Time left        
L   192.168.2.251                           00f2.8b47.3d77  Vl2               2  0100  201mn REACHABLE                   
ARP 192.168.2.231                           0021.cc72.70d9  Gi1/0/1           2  0005    5s  REACHABLE  N/A              
ARP 192.168.2.102                           b422.0023.3854  Gi1/0/2           2  0005    4mn REACHABLE  N/A              
ARP 192.168.2.54                            0004.4bfb.2253  Gi1/0/3           2  0005   82s  REACHABLE  N/A              
ND  FE80::B622:FF:FE23:3854                 b422.0023.3854  Gi1/0/2           2  0005    4mn REACHABLE  N/A              
ND  FE80::4467:5437:A836:5A0A               0021.cc72.70d9  Gi1/0/1           2  0005    9mn REACHABLE  N/A              

labsw2#

labsw2#sh authentication se
labsw2#sh authentication sessions 
Interface                MAC Address    Method  Domain  Status Fg  Session ID
--------------------------------------------------------------------------------------------
Gi1/0/3                  0004.4bfb.2253 mab     UNKNOWN Auth        C0A802FB000000256374F7FD
Gi1/0/1                  0021.cc72.70d9 dot1x   UNKNOWN Auth        C0A802FB0000002763752D71
Gi1/0/2                  b422.0023.3854 mab     UNKNOWN Auth        C0A802FB0000002663750C99

Session count = 3

Key to Session Events Blocked Status Flags:

  A - Applying Policy (multi-line status for details)
  D - Awaiting Deletion
  F - Final Removal in progress
  I - Awaiting IIF ID allocation
  P - Pushed Session
  R - Removing User Profile (multi-line status for details)
  U - Applying User Profile (multi-line status for details)
  X - Unknown Blocker

labsw2#
labsw2#sh authentication sessions in gi 1/0/1 det
            Interface:  GigabitEthernet1/0/1
               IIF-ID:  0x114136F0
          MAC Address:  0021.cc72.70d9
         IPv6 Address:  fe80::4467:5437:a836:5a0a
         IPv4 Address:  192.168.2.231
               Status:  Authorized
               Domain:  UNKNOWN
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
  Acct update timeout:  86400s (local), Remaining: 85415s
    Common Session ID:  C0A802FB0000002763752D71
      Acct Session ID:  0x00000005
               Handle:  0x9100001d
       Current Policy:  POLICY_Gi1/0/1


Local Policies:
        Service Template: DEFAULT_CRITICAL_VOICE_TEMPLATE (priority 150)
           Voice Vlan:  Vlan: 4096
        Service Template: CRITICAL_AUTH_VLAN_Gi1/0/1 (priority 150)
           Vlan Group:  Vlan: 2
         Idle timeout: 65536 sec

Server Policies:


Method status list:
       Method           State
        dot1x           Authc Failed

labsw2#

labsw2#sh ver
Cisco IOS XE Software, Version 16.12.05b
Cisco IOS Software [Gibraltar], Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.12.5b, 
ROM: IOS-XE ROMMON
BOOTLDR: CAT3K_CAA Boot Loader (CAT3K_CAA-HBOOT-M) Version 4.76, RELEASE SOFTWARE (P)

------------------------------------------------------------------------------
Technology-package                                     Technology-package
Current                        Type                       Next reboot  
------------------------------------------------------------------------------
ipbasek9                Smart License                    ipbasek9            
None                    Subscription Smart License       None                          


Smart Licensing Status: UNREGISTERED/EVAL EXPIRED



Base Ethernet MAC Address          : 
Motherboard Assembly Number        :
Motherboard Serial Number          : 
Model Revision Number              : K0
Motherboard Revision Number        : B0
Model Number                       : WS-C3650-48PD
System Serial Number               : 

          
Switch Ports Model              SW Version        SW Image              Mode   
------ ----- -----              ----------        ----------            ----   
*    1 52    WS-C3650-48PD      16.12.05b         CAT3K_CAA-UNIVERSALK9 INSTALL


Configuration register is 0x102

labsw2#&lt;/LI-CODE&gt;&lt;P&gt;Br- Kasper&lt;/P&gt;</description>
      <pubDate>Wed, 03 Aug 2022 12:28:32 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise3-1-shows-no-endpoints/m-p/4662952#M576518</guid>
      <dc:creator>Kasper Elsborg</dc:creator>
      <dc:date>2022-08-03T12:28:32Z</dc:date>
    </item>
    <item>
      <title>Re: ISE3.1 shows no endpoints</title>
      <link>https://community.cisco.com/t5/network-access-control/ise3-1-shows-no-endpoints/m-p/4662994#M576521</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;You are missing the command which tells the switch which group to use for Dot1x authentication.&lt;/P&gt;&lt;P&gt;aaa authentication dot1x default group ISE-Radius-group&lt;/P&gt;</description>
      <pubDate>Wed, 03 Aug 2022 13:34:41 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise3-1-shows-no-endpoints/m-p/4662994#M576521</guid>
      <dc:creator>PSM</dc:creator>
      <dc:date>2022-08-03T13:34:41Z</dc:date>
    </item>
    <item>
      <title>Re: ISE3.1 shows no endpoints</title>
      <link>https://community.cisco.com/t5/network-access-control/ise3-1-shows-no-endpoints/m-p/4663043#M576524</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;A href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1048237" target="_self"&gt;&lt;SPAN class=""&gt;PradeepSingh&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN&gt;&amp;nbsp;and thanks for taking the time to help me.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;I have entered the command, and by making the policy set a bit "wide" with a default permit access at the end, I was able to get it to authenticate. I still need to set up the policy set for the certificate, but I haven't figured this out yet.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;However, I still don't see any endpoints in ISE?&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Br. Kasper&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 03 Aug 2022 14:49:55 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise3-1-shows-no-endpoints/m-p/4663043#M576524</guid>
      <dc:creator>Kasper Elsborg</dc:creator>
      <dc:date>2022-08-03T14:49:55Z</dc:date>
    </item>
    <item>
      <title>Re: ISE3.1 shows no endpoints</title>
      <link>https://community.cisco.com/t5/network-access-control/ise3-1-shows-no-endpoints/m-p/4665057#M576582</link>
      <description>&lt;P&gt;Update.&lt;/P&gt;&lt;P&gt;I have played around with the VMware machine's settings, copied it from one host to another, and changed CPU and RAM settings. I knew I shouldn't do that, but I didn't think it mattered so much in a lab environment. Now we know :-)&lt;/P&gt;&lt;P&gt;Long story short, it crashed on a startup one morning. So I reinstalled a new ISE, and changed it to the same VLAN/subnet as my clients.&lt;/P&gt;&lt;P&gt;Now I have endpoints registering on the fly.&lt;/P&gt;&lt;P&gt;BR. Kasper&lt;/P&gt;</description>
      <pubDate>Sun, 07 Aug 2022 08:56:11 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise3-1-shows-no-endpoints/m-p/4665057#M576582</guid>
      <dc:creator>Kasper Elsborg</dc:creator>
      <dc:date>2022-08-07T08:56:11Z</dc:date>
    </item>
  </channel>
</rss>

