06-27-2019 07:09 PM
Hi,
I currently have an issue with ISE authentication. I have a Motorola wireless access point hanging off a 3850 (16.6.2).
Some clients are getting stuck in the state below and the auth session is not clearing, and the affected port shows this message: "Blocked On: apply user profile - RX_METHOD_NEW_MAC (1)"
Interface  MAC Address     Method  Domain  Status  Fg  Session ID
--------------------------------------------------------------------------
Gi1/0/3    fc0a.81c0.a350  N/A     DATA    Unauth  U   AC101F0B000A04C78DDBD673
Gi1/0/3    7467.f7af.e1dc  mab     DATA    Auth        AC101F0B000ADDAE9BD1111E
Gi1/0/3    000b.ab81.58f6  N/A     DATA    Unauth  U   AC101F0B0009F7FA8D42EAED
Gi1/0/3    000b.ab85.00f5  N/A     DATA    Unauth  U   AC101F0B00098ED1882B25E9
Key to Session Events Blocked Status Flags:
A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker
Interface: GigabitEthernet1/0/3
IIF-ID: 0x13280E3F
MAC Address: fc0a.81c0.a350
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: FC-0A-81-C0-A3-50
Status: Unauthorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: AC101F0B000A04C78DDBD673
Acct Session ID: Unknown
Handle: 0x20000f07
Current Policy: POLICY_Gi1/0/3
Blocked On: apply user profile - RX_METHOD_NEW_MAC (1)
Method status list:
Method State
mab Authc Success
Has anyone else had this type of issue??
interface GigabitEthernet1/0/3
description [EDGE] Wireless
switchport access vlan 102
switchport mode access
power inline never
authentication event server dead action authorize
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
authentication timer inactivity server
authentication timer unauthorized 5
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
storm-control broadcast level 1.00
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
06-28-2019 08:43 AM
A few questions:
- What is the auth status for these endpoints on the 3850 'show auth sess int gig1/0/3 detail'?
- What is the AuthC status of these endpoints on ISE?
- What is the AuthZ profile sent for these endpoints?
- Are these endpoints still connected?
- How are these endpoints authenticated on the Motorola AP?
06-30-2019 07:04 PM
- What is the auth status for these endpoints on the 3850 'show auth sess int gig1/0/3 detail'? It is Success, but it should get a 5 second inactivity timer pushed from ISE like the second example below.
Switch#sho authentication sessions interface gigabitEthernet 1/0/26 details
Interface: GigabitEthernet1/0/26
IIF-ID: 0x2A3D51D4
MAC Address: fc0a.81c2.0024
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: FC-0A-81-C2-00-24
Status: Unauthorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: AC103F07000C790EA7603412
Acct Session ID: Unknown
Handle: 0x33000750
Current Policy: POLICY_Gi1/0/26
Blocked On: apply user profile - RX_METHOD_NEW_MAC (1)
Method status list:
Method State
mab Authc Success
----------------------------------------
Interface: GigabitEthernet1/0/26
IIF-ID: 0x2DD24675
MAC Address: fc0a.81c3.32c0
IPv6 Address: Unknown
IPv4 Address: 172.16.34.212
User-Name: FC-0A-81-C3-32-C0
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: AC103F07000CC0DDAB3D0860
Acct Session ID: 0x00038722
Handle: 0xb900007d
Current Policy: POLICY_Gi1/0/26
Local Policies:
Server Policies:
Idle timeout: 5 sec
Method status list:
Method State
mab Authc Success
- What is the AuthC status of these endpoints on ISE? -- Unauthorized
- What is the AuthZ profile sent for these endpoints? -- the below gets pushed
Access Type = ACCESS_ACCEPT
Idle-Timeout = 5
- Are these endpoints still connected? These are endpoints that are in a moving vehicle and connect to each AP at the vehicle station.
- How are these endpoints authenticated on the Motorola AP? They just associate to the Motorola AP, but I don't have much visibility of this system. We just MAB them once they appear on the switch port.
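To spot this condition across many ports without reading each session by hand, here is an added example (not from the thread or from Cisco) that parses 'show authentication sessions ... details' output and flags sessions matching the stuck signature seen above: the method reports Authc Success while the session stays Unauthorized and is blocked on applying the user profile. The sample input is constructed by abridging the two-session output quoted in the thread.

```python
from typing import Dict, List
# Constructed sample, abridged from the two-session 'show authentication sessions
# interface gigabitEthernet 1/0/26 details' output quoted in the thread.
SAMPLE_OUTPUT = """\
Interface: GigabitEthernet1/0/26
MAC Address: fc0a.81c2.0024
Status: Unauthorized
Blocked On: apply user profile - RX_METHOD_NEW_MAC (1)
Method status list:
Method State
mab Authc Success
----------------------------------------
Interface: GigabitEthernet1/0/26
MAC Address: fc0a.81c3.32c0
Status: Authorized
Idle timeout: 5 sec
Method status list:
Method State
mab Authc Success
"""

def parse_sessions(text: str) -> List[Dict[str, str]]:
    """Per-session dicts of 'Key: value' fields; method states stored as 'method:<name>'."""
    sessions: List[Dict[str, str]] = []
    in_methods = False
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("---"):
            continue                          # blank lines and session separators
        if line.startswith("Interface:"):
            sessions.append({})               # a new session block starts here
            in_methods = False
        if not sessions:
            continue                          # ignore any banner before the first session
        if line.startswith("Method status list"):
            in_methods = True
        elif in_methods:
            name, _, state = line.partition(" ")
            if name != "Method":              # skip the 'Method State' header row
                sessions[-1]["method:" + name] = state.strip()
        else:
            key, _, val = line.partition(":")
            sessions[-1][key.strip()] = val.strip()
    return sessions

def is_stuck(s: Dict[str, str]) -> bool:
    """Stuck signature from the thread: MAB succeeded, yet the session is still
    Unauthorized and blocked while the user profile is being applied."""
    return (s.get("Status") == "Unauthorized"
            and s.get("Blocked On", "").startswith("apply user profile")
            and s.get("method:mab", "").startswith("Authc Success"))

def stuck_macs(text: str) -> List[str]:
    return [s["MAC Address"] for s in parse_sessions(text) if is_stuck(s)]
```

Feed it the output of 'show authentication sessions interface <port> details' collected from the switch; a non-empty result from stuck_macs() is the condition worth raising to TAC.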
07-01-2019 07:53 PM
The error is similar to that found in CSCvm07425. As this is a switch IOS platform code issue, please open a Cisco TAC case to troubleshoot and get advised on which release might work for your deployment.
07-01-2019 08:12 PM
The link to the bug is not working.
07-01-2019 08:42 PM
That bug is customer visible. Likely, you are somehow not currently entitled to it.
As it's not an ISE issue, I am unable to tell whether you are hitting that particular bug or which IOS releases have the fix. That is why I asked you to engage TAC.
07-01-2019 09:03 PM