Device-tracking and dot1x COA on 16.9.2 (3850 stack)

ergamusai
Level 1

 

I have a 4-switch 3850 stack on the 16.9.2 code.

I'm building a new ISE server on 2.4 code (the production one is 2.2). My clients authenticate, reach the Posture-Unknown authorization profile, but then they don't get provisioned.

This is the device tracking policy for my trunk ports:

device-tracking policy DEVICE-TRACKING-UPLINK
 trusted-port
 device-role switch
 no protocol udp

 

DHCP snooping is enabled for the user VLAN, and that automatically enables the DT-PROGRAMMATIC policy.

Cisco TAC suggested adding a policy to the port as well:

device-tracking policy ACCESS_IPv4_GUARD
 trusted-port
 limit address-count 2
 no protocol udp
 tracking enable

 

According to TAC, the device-tracking config is correct and the ISE config is correct. But the clients get stuck in the Posture-Unknown auth profile.

 

This stack has been in production for a long time, along with the ISE server, and since the upgrade and device-tracking configuration, new clients don't get provisioned. I have to switch the clients to wireless in order for the ConnectionData.xml file to be updated; afterwards they can provision.

 

All of this works in my test stack (two 3850s, same code); I can provision clients in the production ISE and test ISE.

I'm at a loss as to what else I can do, besides rebooting the production stack after hours.

 

TIA

 

 

 

1 Accepted Solution

hslai
Cisco Employee

I hope this issue is already resolved. If not, please continue working with Cisco TAC.

As you mentioned needing ConnectionData.xml updated, the issue might be around URL redirect by the switch.

ISE Posture Style Comparison for Pre and Post 2.2 - Cisco has a lot of detailed info.
