Cisco ISE 1.2, Clients not getting IP address in closed mode

Josh Morris
Level 3

Hello, I am running closed mode on my switchports. I have an issue where some clients come in in the morning, try to login, and will not get network access. I see that this is because they do not get an IP address. I am using MAB for authentication currently. They appear to MAB correctly and get Authorized in ISE, but they do not get an IP. Therefore, they also do not get the DACL of permit ANY. It's like the port gets de-authenticated during the night. Usually when the machine is rebooted it will come up with an IP address. Here is my switchport config...

 switchport access vlan 32
 switchport mode access
 switchport voice vlan 64
 logging event link-status
 authentication event fail action next-method
 authentication event server dead action authorize vlan 32
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize 
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer restart 600
 authentication timer reauthenticate 7200
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 300
 dot1x timeout tx-period 10
 dot1x timeout ratelimit-period 300
 dot1x timeout held-period 300
 service-policy input QoS-Input-Policy
 service-policy output QoS-Host-Port-Output-Policy
end

9 Replies

Jimmy Johansson
Level 1

Is the problem that the dACL isn't downloaded? What about the rest of the switch configuration, do you have the two commands:

radius-server vsa send, ip device-tracking

 

Thanks Jimmy, I do have both of those commands.

It appears that the client isn't getting an IP, which leads to the DACL not being downloaded. It's like the port isn't authenticated fast enough for the machine to get an IP. But I have moved MAB to the front of the auth order and it seems to happen pretty quickly.

Ahmad Murad
Level 1

Did you try adding an ACL on the interface (switch port) like the following:

ip access-list extended ACL-TEST
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit udp any any eq tftp
 deny   ip any any log 

interface g1/0/x

 ip access-group ACL-TEST in

 

and then from your ISE configuration (Authorization Profile), you can overwrite the ACL applied on the physical interface with a DACL (like permit ip any any), and check if this will work?
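The ACL above only matters while a port is in open (low-impact) mode, where it decides which traffic a host may send before the dACL from ISE replaces it; for a client to obtain an IP in that window, DHCP (UDP 68 to 67) must be permitted. The following added example, which is not from the thread or from Cisco, re-implements Cisco's first-match, implicit-deny ACL semantics for the small syntax subset used in that ACL (`permit`/`deny`, `udp`/`ip`, `any`, `eq <port>`), so you can check which pre-authentication traffic a given ACL lets through. The port-name table and the test packets are assumptions constructed for the example.

```python
"""Simulate first-match evaluation of a Cisco IOS extended pre-auth ACL.

Added example (not from the thread). Supports the syntax subset used in the
ACL posted above: <permit|deny> <udp|tcp|ip> any [eq P] any [eq P] [log].
"""
from dataclasses import dataclass
from typing import List, Optional

# Port names IOS accepts in 'eq'; limited here to the ones the posted ACL uses
# (assumption: IOS knows many more, this table is for the example only).
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "tftp": 69}

# Copy of the pre-authentication ACL suggested in the post above.
PREAUTH_ACL = """\
ip access-list extended ACL-TEST
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit udp any any eq tftp
 deny   ip any any log
"""


@dataclass(frozen=True)
class Ace:
    """One access-control entry; a None port means 'any port'."""
    action: str            # "permit" or "deny"
    proto: str             # "udp", "tcp" or "ip" (ip matches every protocol)
    src_port: Optional[int]
    dst_port: Optional[int]


@dataclass(frozen=True)
class Packet:
    proto: str
    src_port: Optional[int]
    dst_port: Optional[int]


def _port(tok: str) -> int:
    """Resolve a numeric or well-known port token from an 'eq' clause."""
    if tok.isdigit():
        return int(tok)
    if tok not in PORT_NAMES:
        raise ValueError(f"unknown port name {tok!r}")
    return PORT_NAMES[tok]


def parse_acl(text: str) -> List[Ace]:
    """Turn the body of an 'ip access-list extended' stanza into Ace objects."""
    aces = []
    for raw in text.splitlines():
        toks = raw.split()
        if not toks or toks[0] not in ("permit", "deny"):
            continue  # header line, blank line or 'remark'
        action, proto, rest = toks[0], toks[1], toks[2:]
        ports: List[Optional[int]] = []
        i = 0
        while i < len(rest):
            if rest[i] == "any":
                # 'any' is the address; an optional 'eq <port>' may follow it
                if i + 2 < len(rest) and rest[i + 1] == "eq":
                    ports.append(_port(rest[i + 2]))
                    i += 3
                else:
                    ports.append(None)
                    i += 1
            else:
                i += 1  # trailing keywords such as 'log'
        while len(ports) < 2:
            ports.append(None)
        aces.append(Ace(action, proto, ports[0], ports[1]))
    return aces


def evaluate(aces: List[Ace], pkt: Packet) -> str:
    """First matching ACE decides; IOS ends every ACL with an implicit deny."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if ace.src_port is not None and ace.src_port != pkt.src_port:
            continue
        if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
            continue
        return ace.action
    return "deny"  # implicit 'deny ip any any'


# Constructed test packets: a DHCP DISCOVER, a DNS query and an SMB connection.
DHCP_DISCOVER = Packet("udp", 68, 67)
DNS_QUERY = Packet("udp", 40000, 53)
SMB_SESSION = Packet("tcp", 49152, 445)

if __name__ == "__main__":
    acl = parse_acl(PREAUTH_ACL)
    for name, pkt in (("dhcp", DHCP_DISCOVER), ("dns", DNS_QUERY), ("smb", SMB_SESSION)):
        print(f"{name:5s} -> {evaluate(acl, pkt)}")
```

Run against the posted ACL, DHCP and DNS are permitted and everything else hits the explicit deny; strip the last line and the same SMB packet is still denied by the implicit deny, which is the behaviour a host would see on a port with this ACL before its session is authorized.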

Ahmad,

 

I am running in closed mode, so doesn't that mean that a pre-auth ACL is not required nor used?

jordanburnett
Level 4

The DACL is a separate process from the IP address acquisition that the host goes through. It shouldn't matter whether the client has an IP address or not; the DACL is sent to the switch and then it permits the necessary traffic.

 

When you say they "don't get the DACL," what exactly do you mean? The session on the port doesn't show the DACL?

If you can, when a client is having this issue (no IP but has been successfully authenticated via MAB), run the following commands on the switch: 

switch# show authentication sessions interface <problem_client_interface>

switch# sh ip access-lists interface <problem_client_interface>

switch# show access-list <problem_client_interface>

Thanks, here is the requested output of an Unauthorized client. I had to configure authentication open so they could still get access...

 

SJ5051IDF1#show authen sess int g2/20 d
            Interface:  GigabitEthernet2/20
          MAC Address:  d4be.d94f.ab92
         IPv6 Address:  Unknown
         IPv4 Address:  10.42.32.109
            User-Name:  D4-BE-D9-4F-AB-92
               Status:  Unauthorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
    Common Session ID:  0A2A000B000034E367D4B998
      Acct Session ID:  Unknown
               Handle:  0x21000508
       Current Policy:  POLICY_Gi2/20
 
Local Policies:
Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
      Security Policy:  Should Secure
      Security Status:  Link Unsecure
 
Method status list:
       Method           State
       mab              Authc Success
 
SJ5051IDF1#
SJ5051IDF1#
SJ5051IDF1#show ip access int g2/20
SJ5051IDF1#
SJ5051IDF1#
SJ5051IDF1#show access-list int g2/20
                                ^
% Invalid input detected at '^' marker.
 
SJ5051IDF1#show access-list ?        
  <1-2799>    ACL number
  WORD        ACL name
  ipc         Show access-list config download info
  rate-limit  Show rate-limit access lists
  |           Output modifiers
  <cr>
 
SJ5051IDF1#show access-list g2/20
SJ5051IDF1#
SJ5051IDF1#
SJ5051IDF1#
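The output above shows the combination worth alerting on: the mab method reports `Authc Success`, yet the session `Status` is `Unauthorized`, so no authorization result (dACL or VLAN) is in effect even though the host has an address. The switch also needs the host IP learned by `ip device-tracking` to install a dACL for a session. The following added example, not part of the thread or of Cisco's tooling, parses `show authentication sessions interface <if> detail` output into fields and per-method states and flags that mismatch; the sample text is the output posted above, copied verbatim.

```python
"""Parse 'show authentication sessions interface <if> detail' output and flag
sessions whose authentication succeeded but that are not Authorized.

Added example (not from the thread). SAMPLE is the output posted above.
"""
import re
from typing import Dict, List

SAMPLE = """\
SJ5051IDF1#show authen sess int g2/20 d
            Interface:  GigabitEthernet2/20
          MAC Address:  d4be.d94f.ab92
         IPv6 Address:  Unknown
         IPv4 Address:  10.42.32.109
            User-Name:  D4-BE-D9-4F-AB-92
               Status:  Unauthorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
    Common Session ID:  0A2A000B000034E367D4B998
      Acct Session ID:  Unknown
               Handle:  0x21000508
       Current Policy:  POLICY_Gi2/20

Local Policies:
Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
      Security Policy:  Should Secure
      Security Status:  Link Unsecure

Method status list:
       Method           State
       mab              Authc Success

SJ5051IDF1#
"""

# "Field name:  value" lines; the key may contain spaces and hyphens.
FIELD_RE = re.compile(r"^([A-Za-z0-9 \-]+?):\s+(.*)$")


def parse_session(text: str) -> Dict:
    """Return the header fields as a dict plus a 'methods' dict of method -> state."""
    fields: Dict = {}
    methods: Dict[str, str] = {}
    in_methods = False
    for line in text.splitlines():
        s = line.strip()
        if not s:
            continue
        if s.startswith("Method status list"):
            in_methods = True
            continue
        if in_methods:
            # skip the 'Method  State' header row and the CLI prompt
            if s.startswith("Method") or s.endswith("#"):
                continue
            parts = s.split(None, 1)
            if len(parts) == 2:
                methods[parts[0]] = parts[1].strip()
            continue
        m = FIELD_RE.match(s)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    fields["methods"] = methods
    return fields


def diagnose(session: Dict) -> List[str]:
    """Return findings a helpdesk or NAC operator would want raised for this session."""
    findings = []
    status = session.get("Status", "")
    succeeded = [m for m, st in session["methods"].items() if st == "Authc Success"]
    if succeeded and status != "Authorized":
        findings.append(
            f"{'/'.join(succeeded)} authenticated but session Status is {status!r}: "
            "no authorization result (dACL/VLAN) is applied"
        )
    if session.get("IPv4 Address", "Unknown") == "Unknown":
        findings.append(
            "no IPv4 address learned by ip device-tracking, so the switch cannot install a dACL"
        )
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_session(SAMPLE)):
        print("FINDING:", finding)
```

Feeding it the output above yields a single finding for the authc/authorization mismatch; a session captured while the host still had no address would add the device-tracking finding as well, which separates "client never got an IP" from "client got an IP but the session was never authorized", the two cases being discussed in this thread.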

What kind of switch/what version of IOS are you running?

I am running 4510R+E with SUP8. IOS-XE v3.3.1 with IP Base license.

Did you figure out the cause and a solution?