ISE Domain Unknown

Ethan_Bray — Mon, 11 Mar 2019 08:50:55 GMT

We're currently doing a tech refresh and replacing older switches with 2960s and we're having an issue with our switches displaying UKNOWN when doing the command "sh auth sess". Here's an example of the command output. The switch I use in this example is allowing users to connect however sometimes this is not the case.

sh auth sess

Interface MAC Address Method Domain Status Fg Session ID
Gi1/0/18 xxxx.xxxx.xxxx dot1x UNKNOWN Auth 842A611B000000F31868AABC
Gi1/0/13 xxxx.xxxx.xxxx dot1x UNKNOWN Auth 842A611B000000EE1868A9ED
Gi2/0/5 xxxx.xxxx.xxxx mab UNKNOWN Auth 842A611B000000F61868B3AA

A detailed auth session

sh auth sess int g1/0/18 det
Interface: GigabitEthernet1/0/18
MAC Address: xxxx.xxxx.xxxx
IPv6 Address: Unknown
IPv4 Address: xxx.xxx.xxx.xxx
Status: Authorized
Domain: UNKNOWN
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Common Session ID: 842A611B000000E91868A97E
Acct Session ID: 0x0000011B
Handle: 0xF30000CE
Current Policy: POLICY_Gi1/0/18

Local Policies:
Service Template: CRITICAL_AUTH_VLAN_Gi1/0/18 (priority 150)
Vlan Group: Vlan:
Service Template: DEFAULT_CRITICAL_VOICE_TEMPLATE (priority 150)
Voice Vlan:

Method status list:
Method State
dot1x Stopped
mab Authc Failed

----------------------------------------
Interface: GigabitEthernet1/0/18
MAC Address: xxxx.xxxx.xxxx
IPv6 Address: Unknown
IPv4 Address: xxx.xxx.xxx.xxx
Status: Authorized
Domain: UNKNOWN
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Common Session ID: 842A611B000000F31868AABC
Acct Session ID: 0x000000DE
Handle: 0x040000D8
Current Policy: POLICY_Gi1/0/18

Local Policies:
Service Template: CRITICAL_AUTH_VLAN_Gi1/0/18 (priority 150)
Vlan Group: Vlan:
Service Template: DEFAULT_CRITICAL_VOICE_TEMPLATE (priority 150)
Voice Vlan:

Method status list:
Method State
dot1x Authc Failed

Here's is what every port is configured with.

description USER_Port
switchport access vlan
switchport mode access
switchport voice vlan
authentication event fail action next-method
authentication event server dead action authorize vlan
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 8
dot1x max-req 3
spanning-tree portfast

Global commands we use for dot1x.

dot1x system-auth-control

dot1x critical eapol

Here are our radius/aaa commands we're using for ISE.

aaa authentication dot1x default group ISE

aaa authorization network default group ISE

aaa accounting dot1x default start-stop group ISE

aaa accounting update newinfo periodic 2880

aaa session-id common

radius-server attribute 6 on-for-login-auth

radius-server attribute 8 include-in-access-req

radius-server attribute 25 access-request include

radius-server dead-criteria time 30 tries 3

radius-server vsa send accounting

radius-server vsa send authentication

Finally here are the switches versions and models.

1 52 WS-C2960X-48LPD-L 15.2(2)E3 C2960X-UNIVERSALK9-M
2 52 WS-C2960X-48LPD-L 15.2(2)E3 C2960X-UNIVERSALK9-M

Re: ISE Domain Unknown

hslai — Thu, 25 Oct 2018 22:03:35 GMT

For Cisco IOS, the domain is usually either data or voice and I do not believe there is a such thing as ISE domain.

Anyhow, it looks the authentications are failing and that would be where to start the investigation. Please check whether the RADIUS auth requests are reaching ISE and, if so, what info available in ISE about these authentications.

Re: ISE Domain Unknown

howon — Thu, 25 Oct 2018 22:17:52 GMT

This is expected as the endpoints are put into critical VLAN. Critical condition happens when none of the configured RADIUS servers are available or the switch management IP has not been added to ISE NAD list. When this happens the domain will show UNKNOWN. It is also evident from your output:

Local Policies:
Service Template: CRITICAL_AUTH_VLAN_Gi1/0/18 (priority 150)
Vlan Group: Vlan:
Service Template: DEFAULT_CRITICAL_VOICE_TEMPLATE (priority 150)
Voice Vlan:

Re: ISE Domain Unknown

Captain82 — Thu, 19 Sep 2024 19:50:33 GMT

Why do these devices stay in the unknown domain after the radius server is back up? The sessions seem to reauthenticate to the critical VLAN they fell back to. Is there a way to have the unknown devices reauth when RADIUS comes back online?

topic Re: ISE Domain Unknown in Network Access Control

ISE Domain Unknown

Re: ISE Domain Unknown

Re: ISE Domain Unknown

Re: ISE Domain Unknown