cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1541
Views
5
Helpful
1
Replies
NetEngineerKC15
Beginner

Authentication Sessions detailed incorrect

This is a unique issue as TAC has been having a hard time figuring it out.  One minute it starts working, another it doesnt.  So to break it down, we are using:

 

Not Working

Catalyst 9410 -- Latest version 16.9.4 with two patches.

 

Working

Catalyst 4506

   --Same usual configuration.  Works flawlessly.

 

What RADIUS?

ISE 2.6 - Base License -- Uses same policies for both.  So we know that is not the issue.

 

Now, you would believe its just a cut-and-paste of the configs..not so.  So here is what I have, I hope you all can shed some light as I'm hitting a dead end here.

 

ip dhcp snooping glean
ip dhcp snooping vlan 200,400, 800
no ip dhcp snooping information option

        --They said this is not supposed to work, but this is causing it to sort-of-work.
ip dhcp snooping

 

device-tracking logging packet drop
device-tracking logging theft
device-tracking tracking auto-source fallback 0.0.0.10 255.255.255.0 override
device-tracking tracking retry-interval 30

!

authentication critical recovery delay 1000

!

switchport access vlan 200
switchport mode access
switchport voice vlan 800
spanning-tree portfast
auto qos voip cisco-phone
spanning-tree bpdufilter enable
authentication control-direction in
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
authentication event fail retry 3 action authorize vlan 400
mab

dot1x pae authenticator
dot1x timeout tx-period 10
qos trust device cisco-phone

!

radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req format %h
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf
radius-server dead-criteria time 10 tries 3
radius-server vsa send cisco-nas-port

 

 

If looking at show device-tracking database.  It shows all is reachable; cool.  

If looking at show authentication sessions interface Blah/Blah/Blah detail.  It shows:

 

Interface: GigabitEthernetBlah/Blah/Blah
IIF-ID: 0x16105801
MAC Address: 0050.0000.0000 (Filtered MAC but It's a Thin Client)
IPv6 Address: Unknown
IPv4 Address: Unknown

            ----But yet I can ping it and https to it??
User-Name: 00-50-00-00-00-00
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: in
Session timeout: N/A
Common Session ID: 0B6410AC000000F311D980CA
Acct Session ID: 0x000000d4
Handle: 0x8a0000e2
Current Policy: POLICY_GiBlah/Blah/Blah


Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure

Server Policies:
ACS ACL: xACSACLx-IP-DATA_THINCLIENT_ACL_backup-5e7a240c

 

Method status list:
Method State
mab Authc Success

 

So the Authentication is a success. 

The VLAN is where it should be

The dACL is what it should be (includes bootps and bootpc in the dACL)

if its voice phone, its where it should be

if its a guest it gets blackholed (as it should be)

after next business day, I can't connect to it any longer.  So since then I put in:

                device-tracking binding down-lifetime 600

                device-tracking binding reachable-lifetime 86400

                device-tracking binding stale-lifetime 600

 

If I look at ISE RADIUS Logs, it reads and authenticates, but does not show the IP address.

 

I can ping, https to it but it does not show correctly on there as it shows up on the database.  I have other ports within the same switch that is not using RADIUS and it works well too.  What am I missing?

 

 

1 ACCEPTED SOLUTION

Accepted Solutions
Greg Gibbs
Cisco Employee

1 REPLY 1
Greg Gibbs
Cisco Employee

Content for Community-Ad