Authentication Sessions detailed incorrect

This is a unique issue, as TAC has been having a hard time figuring it out. One minute it starts working, another it doesn't. So to break it down, we are using:


Not Working:
  Catalyst 9410 -- Latest version 16.9.4 with two patches.

Catalyst 4506
  -- Same usual configuration. Works flawlessly.

ISE 2.6 - Base License -- Uses same policies for both. So we know that is not the issue.


Now, you would believe it's just a cut-and-paste of the configs... not so. So here is what I have; I hope you all can shed some light, as I'm hitting a dead end here.


ip dhcp snooping glean
ip dhcp snooping vlan 200,400, 800
no ip dhcp snooping information option
    --They said this is not supposed to work, but this is causing it to sort-of-work.
ip dhcp snooping

device-tracking logging packet drop
device-tracking logging theft
device-tracking tracking auto-source fallback override
device-tracking tracking retry-interval 30

authentication critical recovery delay 1000


switchport access vlan 200
switchport mode access
switchport voice vlan 800
spanning-tree portfast
auto qos voip cisco-phone
spanning-tree bpdufilter enable
authentication control-direction in
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
authentication event fail retry 3 action authorize vlan 400

dot1x pae authenticator
dot1x timeout tx-period 10
qos trust device cisco-phone


radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req format %h
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf
radius-server dead-criteria time 10 tries 3
radius-server vsa send cisco-nas-port



If looking at show device-tracking database, it shows all is reachable; cool.

If looking at show authentication sessions interface Blah/Blah/Blah detail, it shows:


Interface: GigabitEthernetBlah/Blah/Blah
IIF-ID: 0x16105801
MAC Address: 0050.0000.0000 (filtered MAC, but it's a thin client)
IPv6 Address: Unknown
IPv4 Address: Unknown
    ----But yet I can ping it and https to it??
User-Name: 00-50-00-00-00-00
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: in
Session timeout: N/A
Common Session ID: 0B6410AC000000F311D980CA
Acct Session ID: 0x000000d4
Handle: 0x8a0000e2
Current Policy: POLICY_GiBlah/Blah/Blah

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure

Server Policies:

Method status list:
Method    State
mab       Authc Success


So the authentication is a success.

The VLAN is where it should be.

The dACL is what it should be (includes bootps and bootpc in the dACL).

If it's a voice phone, it's where it should be.

If it's a guest, it gets blackholed (as it should be).

After the next business day, I can't connect to it any longer. So since then I put in:

    device-tracking binding down-lifetime 600
    device-tracking binding reachable-lifetime 86400
    device-tracking binding stale-lifetime 600


If I look at the ISE RADIUS logs, it reads and authenticates, but does not show the IP address.


I can ping and https to it, but it does not show correctly there the way it shows up in the database. I have other ports within the same switch that are not using RADIUS and they work well too. What am I missing?
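The symptom in the post is a disagreement between two tables on the same switch: the SISF binding table (show device-tracking database) has a REACHABLE IPv4 binding for the MAC, while the session manager (show authentication sessions ... detail) still reports IPv4 Address: Unknown for an Authorized session, so ISE never learns the address. The script below is an added example, not from the original post or from Cisco: it parses constructed copies of both outputs (the field names and column layout follow IOS-XE 16.9, the addresses, ports and the second endpoint are made up) and lists every authorized session whose IPv4 is Unknown although SISF already holds a binding for that MAC. Running it against real output from several ports, or over time, shows whether the gap is per-port, per-endpoint, or appears only after the lifetimes expire.

```python
import re
from typing import Dict, List

# Constructed sample (not captured from the poster's switch). Field names follow
# 'show authentication sessions interface <if> detail' on IOS-XE 16.9. Endpoint 1
# reproduces the 'Authorized but IPv4 Address: Unknown' state from the post;
# endpoint 2 is a healthy session for contrast.
SESSIONS_OUTPUT = """\
            Interface:  GigabitEthernet1/0/1
               IIF-ID:  0x16105801
          MAC Address:  0050.0000.0000
         IPv6 Address:  Unknown
         IPv4 Address:  Unknown
            User-Name:  00-50-00-00-00-00
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
       Current Policy:  POLICY_Gi1/0/1

Method status list:
       Method           State
       mab              Authc Success

            Interface:  GigabitEthernet1/0/2
          MAC Address:  0050.0000.0001
         IPv6 Address:  Unknown
         IPv4 Address:  10.200.0.21
            User-Name:  00-50-00-00-00-01
               Status:  Authorized
               Domain:  DATA

Method status list:
       Method           State
       mab              Authc Success
"""

# Constructed 'show device-tracking database' rows for the same two endpoints;
# both are REACHABLE, which is what the poster sees.
DEVICE_TRACKING_OUTPUT = """\
Binding Table has 2 entries, 2 dynamic (limit 200000)
Codes: L - Local, S - Static, ND - Neighbor Discovery, DH4 - IPv4 DHCP, PKT - Other Packet, API - API created

    Network Layer Address               Link Layer Address     Interface  vlan  prlvl  age   state     Time left
DH4 10.200.0.20                         0050.0000.0000         Gi1/0/1    200   0024   5s    REACHABLE 86395 s
DH4 10.200.0.21                         0050.0000.0001         Gi1/0/2    200   0024   12s   REACHABLE 86388 s
"""

# 'Key:  value' lines of the session detail output.
KV_RE = re.compile(r"^\s*([A-Za-z0-9 -]+?):\s+(.*?)\s*$")
# One SISF binding row: code, address, MAC, interface, vlan, prlvl, age, state.
BINDING_RE = re.compile(
    r"^(?:L|S|ND|DH4|DH6|PKT|API)\s+(\S+)\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\d+)\s+\S+\s+\S+\s+(\S+)",
    re.IGNORECASE,
)


def short_ifname(name: str) -> str:
    """Map the long interface name in session output to the short form SISF prints."""
    return name.replace("GigabitEthernet", "Gi").replace("TenGigabitEthernet", "Te")


def parse_sessions(text: str) -> List[Dict[str, str]]:
    """Split session detail output into one dict per 'Interface:' block."""
    sessions: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = KV_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2)
        if key == "Interface":
            sessions.append({})
        if sessions:
            sessions[-1][key] = value
    return sessions


def parse_bindings(text: str) -> Dict[str, Dict[str, str]]:
    """Index IPv4 SISF bindings by MAC (IPv6 rows are skipped for this check)."""
    bindings: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = BINDING_RE.match(line)
        if not m:
            continue
        addr, mac, ifname, vlan, state = m.groups()
        if ":" in addr:
            continue
        bindings[mac.lower()] = {"ip": addr, "interface": ifname, "vlan": vlan, "state": state}
    return bindings


def find_ip_gaps(sessions_text: str, tracking_text: str) -> List[Dict[str, str]]:
    """Authorized sessions with IPv4 'Unknown' although SISF holds a binding for the MAC."""
    bindings = parse_bindings(tracking_text)
    gaps = []
    for s in parse_sessions(sessions_text):
        mac = s.get("MAC Address", "").split(" ")[0].lower()
        if s.get("Status") != "Authorized" or s.get("IPv4 Address", "Unknown") != "Unknown":
            continue
        b = bindings.get(mac)
        if b is None:
            continue
        port = short_ifname(s["Interface"])
        gaps.append({"interface": port, "mac": mac, "session_ip": "Unknown",
                     "tracking_ip": b["ip"], "tracking_state": b["state"],
                     "same_port": str(b["interface"] == port)})
    return gaps


if __name__ == "__main__":
    for g in find_ip_gaps(SESSIONS_OUTPUT, DEVICE_TRACKING_OUTPUT):
        print(f"{g['interface']:<10} {g['mac']}  session IPv4={g['session_ip']}  "
              f"SISF IPv4={g['tracking_ip']} ({g['tracking_state']}, same port: {g['same_port']})")
```

Paste the real 'show authentication sessions interface ... detail' and 'show device-tracking database' output into the two strings (or read them from files) before and after the lifetimes you changed expire; a MAC that appears in the gap list while the thin client still answers ping is exactly the case TAC should see, and the same_port field catches a binding that was learned on a different interface than the session.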