802.1x with Windows 10 / ISE / AnyConnect 4.9 / Stuck on Acquiring IP Address

Xividar
Level 1

Hi Guys,

I have been labbing some 802.1x up, I am using ISE for my Auth policies. The basic Windows 10 supplicant works fine, so I thought I would go to the 'next level' and break out some AnyConnect. If I try and establish a new connection with AnyConnect, I can see the Authentication and Authorization requests pass and succeed in ISE, but the client is stuck on Acquiring IP Address, and eventually times out. I have tried this on two ISE installs I have, the only thing that's the same is that the clients are both virtual. ISE version is 2.6, AnyConnect 4.9.

[Attached screenshots: Screenshot 2020-08-02 at 15.03.56.png, Screenshot 2020-08-02 at 15.04.06.png]

Thanks :)

1 Accepted Solution

Colby LeMaire
VIP Alumni

It is possible that ISE is showing the authentication/authorization pass and returns an Access-Accept; however, the switch may not be able to apply the policy you are returning. In that case, the switchport remains closed since it cannot apply the policy. But ISE still shows it as good. I have seen this happen a few times over the years. It can happen if you push down a VLAN assignment but the VLAN doesn't exist on the switch. It can also happen when the dACL has an issue with it, such as being too long (>63 lines) for older switches (3750), or if the dACL syntax is incorrect. I have seen where ISE says the dACL is fine even when one of the IP addresses was missing an entire octet (3 versus 4).

Do a "show authentication session interface gx/y detail" and make sure it shows "Authorized". Also, if using a dACL, you need to be using IP device tracking.

Another thing to look at is your AnyConnect profile: there is an option to allow traffic to flow before authentication. I recommend allowing the traffic to flow and letting the switch control access with default ACLs, because with Windows you will probably want to allow some basic connectivity at a minimum to not break GPOs and domain logins. This would include DHCP too.
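A pre-push sanity check for the dACL failure mode described above, added here as an example (it is not code from the thread, from ISE or from Cisco): it flags ACEs whose addresses are not a full four-octet dotted quad and dACL bodies longer than the 63-ACE figure quoted for older switches. The sample dACL is constructed; its second line deliberately carries the three-octet mistake.

```python
import re

# Constructed sample dACL (not from the thread). Line 2 is missing an octet,
# the kind of error the answer says ISE accepts without complaint.
SAMPLE_DACL = """\
permit udp any eq bootpc any eq bootps
permit ip any host 10.1.5
permit tcp any host 10.1.5.20 eq 389
deny ip any any
"""

IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def valid_ipv4(token):
    """True only for a dotted quad with four octets, each in 0..255."""
    m = IPV4.match(token)
    return bool(m) and all(0 <= int(octet) <= 255 for octet in m.groups())


def lint_dacl(text, max_aces=63):
    """Return a list of (ace_number, message) problems for a dACL body.

    ace_number 0 is used for whole-body problems (the ACE count). The
    default max_aces=63 is the older-switch limit given in the answer;
    the switch model it applies to should be checked against the platform.
    """
    issues = []
    aces = [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")]
    if len(aces) > max_aces:
        issues.append((0, f"{len(aces)} ACEs exceeds limit of {max_aces}"))
    for n, ace in enumerate(aces, 1):
        tokens = ace.split()
        if tokens[0] not in ("permit", "deny"):
            issues.append((n, f"ACE must start with permit/deny: {ace!r}"))
            continue
        if tokens[-1] == "host":
            issues.append((n, "'host' keyword with no address"))
        # Anything dotted in an ACE is an address or wildcard mask; ports and
        # protocol keywords never contain a dot, so every dotted token must
        # be a complete IPv4 quad.
        for tok in tokens:
            if "." in tok and not valid_ipv4(tok):
                issues.append((n, f"malformed IPv4 address {tok!r}"))
    return issues


if __name__ == "__main__":
    for ace_no, msg in lint_dacl(SAMPLE_DACL):
        print(f"ACE {ace_no}: {msg}")
```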


2 Replies

poongarg
Cisco Employee
The DART bundle from the user machine needs to be checked for the DHCP issue, along with the "show authentication session int <> detail" output on the switch.
