1648 Views, 2 Helpful, 15 Replies

Cisco ISE & SW C9200L

kingstdz (Level 1)

Hi,

We have Cisco ISE 3.2 and C9200L switches (Cisco C9200L-48P-4X (ARM64) processor with 519420K/3071K bytes of memory), version 17.09.06a. After the upgrade and activating IBNS 2.0 mode to enable 802.1X, after multiple tries we are stuck: on the switch ports and the user PCs with 802.1X mode activated, the user is still unauthenticated.

Some C9200L switches, after being flashed with the new firmware version and with IBNS 2.0 mode activated, work, but sometimes they do not.

Please, what should we do to fix this issue?

Thanks

and version 16.12.4

15 Replies

Devaa (Spotlight)

Hi @kingstdz,

Could you please share the output of the commands below from your switch?

 

! To Check ISE config:
show run | sec aaa|radius

! To check running-config in interface
show running-config interface <dot1x-enabled-access-port>

! To check derived-config from a template
show derived-config interface <dot1x-enabled-access-port>

! To check all auth sessions
show access-session

! To check auth sessions in an interface
show access-session interface <dot1x-enabled-access-port>

! To check details of auth sessions in an interface
show access-session interface <dot1x-enabled-access-port> details

 

! To check ISE config:
show run | sec aaa|radius

aaa new-model
aaa group server tacacs+ ISEServers
 server name ISE01
 server name ISE02
aaa group server radius ise-group
 server name ise1
 server name ise2
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group ise-group
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization network default group ise-group
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa server radius dynamic-author
 client 10.183.x.Y server-key 7 060203224F6E1A115745
 client 10.183.x.Z server-key 7 045F07050C015F465B4B
aaa session-id common
 match result-type aaa-timeout
 match result-type aaa-timeout
ip radius source-interface Vlan100
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
radius-server timeout 2
radius-server deadtime 30
radius-server vsa send cisco-nas-port
radius server ise1
 address ipv4 10.183.x.Y auth-port 1812 acct-port 1813
 key 7 104A051A063701035E56
radius server ise2
 address ipv4 10.183.x.Z auth-port 1812 acct-port 1813
 key 7 00001F05077B180E5D73

! To check running-config in interface
show running-config interface <dot1x-enabled-access-port>

interface GigabitEthernet1/0/30
 switchport access vlan 42
 switchport mode access
 switchport voice vlan 200
 device-tracking
 ip access-group PRE-AUTH in
 speed 1000
 duplex full
 authentication periodic
 authentication timer reauthenticate server
 access-session host-mode multi-domain
 access-session port-control auto
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 10
 no mdix auto
 spanning-tree portfast
 spanning-tree bpduguard disable
 service-policy type control subscriber DLCC

! To check derived-config from a template
show derived-config interface <dot1x-enabled-access-port>

Building configuration...

Derived configuration : 588 bytes
!
interface GigabitEthernet1/0/30
 switchport access vlan 42
 switchport mode access
 switchport voice vlan 200
 device-tracking
 ip access-group PRE-AUTH in
 speed 1000
 duplex full
 authentication periodic
 authentication timer reauthenticate server
 access-session host-mode multi-domain
 access-session port-control auto
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 10
 no mdix auto
 spanning-tree portfast
 spanning-tree bpduguard disable
 service-policy type control subscriber DLCC
end

! To check all auth sessions
show access-session

Interface                MAC Address    Method  Domain  Status Fg  Session ID
--------------------------------------------------------------------------------------------
Gi1/0/33                 3822.e20f.786b N/A     UNKNOWN Unauth      8201B70A00001BAD0E08473C
Gi1/0/30                 90fb.a685.67d9 dot1x   DATA    Auth        8201B70A00001BAC0E0845E0

Session count = 2

Key to Session Events Blocked Status Flags:

  A - Applying Policy (multi-line status for details)
  D - Awaiting Deletion
  F - Final Removal in progress
  I - Awaiting IIF ID allocation
  P - Pushed Session
  R - Removing User Profile (multi-line status for details)
  U - Applying User Profile (multi-line status for details)
  X - Unknown Blocker

! To check auth sessions in an interface
show access-session interface <dot1x-enabled-access-port>

Interface                MAC Address    Method  Domain  Status Fg  Session ID
--------------------------------------------------------------------------------------------
Gi1/0/30                 90fb.a685.67d9 dot1x   DATA    Auth        8201B70A00001BAC0E0845E0

Key to Session Events Blocked Status Flags:

  A - Applying Policy (multi-line status for details)
  D - Awaiting Deletion
  F - Final Removal in progress
  I - Awaiting IIF ID allocation
  P - Pushed Session
  R - Removing User Profile (multi-line status for details)
  U - Applying User Profile (multi-line status for details)
  X - Unknown Blocker

Runnable methods list:
  Handle  Priority  Name
       9         5  dot1xSup
       8         5  dot1x
      14        10  webauth
      10        15  mab

! To check details of auth sessions in an interface
show access-session interface <dot1x-enabled-access-port> details

  Interface:  GigabitEthernet1/0/30
               IIF-ID:  0x112AE76B
          MAC Address:  90fb.a685.67d9
         IPv6 Address:  Unknown
         IPv4 Address:  Unknown
            User-Name:  userxxxxx
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  both
      Session timeout:  N/A
    Common Session ID:  8201B70A00001BAC0E0845E0
      Acct Session ID:  Unknown
               Handle:  0x6e0000a1
       Current Policy:  DLCC

Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
      Security Policy:  Should Secure
      Security Status:  Link Unsecured

Server Policies:
     URL Redirect ACL: ISE-URL-REDIRECT
         URL Redirect: https://10.183.x.Y:8443/portal/gateway?sessionId=8201B70A00001BAC0E0845E0&portal=aa72bfd7-24e5-4ba1-84ab-203e03c0bc01&action=cpp&token=6f1f2943deb8930765f1a9755c1fea1b
              ACS ACL: xACSACLx-IP-PERMIT_ALL_IPV4_TRAFFIC-57f6b0d3

Method status list:
       Method           State
        dot1x           Authc Success
          mab           Stopped

show aaa server <<- share this 

MHM

In the switch, IBNS 2.0 is activated.

show aaa server

RADIUS: id 1, priority 1, host 10.183.x.Y, auth-port 1812, acct-port 1813, hostname ise1
     State: current UP, duration 187091s, previous duration 0s
     Dead: total time 0s, count 0
     Platform State from SMD: current UP, duration 187090s, previous duration 0s
     SMD Platform Dead: total time 0s, count 0
     Platform State from WNCD (1) : current UP
     Platform State from WNCD (2) : current UP
     Platform State from WNCD (3) : current UP
     Platform State from WNCD (4) : current UP
     Platform State from WNCD (5) : current UP
     Platform State from WNCD (6) : current UP
     Platform State from WNCD (7) : current UP
     Platform State from WNCD (8) : current UP, duration 0s, previous duration 0s
     WNCD Platform Dead: total time 0s, count 0UP
     Quarantined: No
     Authen: request 40876, timeouts 0, failover 0, retransmission 0
             Response: accept 83, reject 7082, challenge 33711
             Response: unexpected 0, server error 0, incorrect 0, time 8ms
             Transaction: success 40876, failure 0
             Throttled: transaction 0, timeout 0, failure 0
             Malformed responses: 0
             Bad authenticators: 0
             Dot1x transactions:
             Response: total responses: 40750, avg response time: 8ms
             Transaction: timeouts 0, failover 0
             Transaction: total 7039, success 81, failure 6958
             MAC auth transactions:
             Response: total responses: 126, avg response time: 19ms
             Transaction: timeouts 0, failover 0
             Transaction: total 126, success 2, failure 124
     Author: request 23, timeouts 0, failover 0, retransmission 0
             Response: accept 23, reject 0, challenge 0
             Response: unexpected 0, server error 0, incorrect 0, time 3ms
             Transaction: success 23, failure 0
             Throttled: transaction 0, timeout 0, failure 0
             Malformed responses: 0
             Bad authenticators: 0
             MAC author transactions:
             Response: total responses: 0, avg response time: 0ms
             Transaction: timeouts 0, failover 0
             Transaction: total 0, success 0, failure 0
     Account: request 0, timeouts 0, failover 0, retransmission 0
             Request: start 0, interim 0, stop 0
             Response: start 0, interim 0, stop 0
             Response: unexpected 0, server error 0, incorrect 0, time 0ms
             Transaction: success 0, failure 0
             Throttled: transaction 0, timeout 0, failure 0
             Malformed responses: 0
             Bad authenticators: 0
     Elapsed time since counters last cleared: 2d3h58m
     Estimated Outstanding Access Transactions: 0
     Estimated Outstanding Accounting Transactions: 0
     Estimated Throttled Access Transactions: 0
     Estimated Throttled Accounting Transactions: 0
     Maximum Throttled Transactions: access 0, accounting 0
     Consecutive Response Failures: total 0
             SMD Platform : max 0, current 0 total 0
             WNCD Platform: max 0, current 0 total 0
             IOSD Platform : max 0, current 0 total 0
     Consecutive Timeouts: total 0
             SMD Platform : max 0, current 0 total 0
             WNCD Platform: max 0, current 0 total 0
             IOSD Platform : max 0, current 0 total 0
     Requests per minute past 24 hours:
             high - 3 hours, 58 minutes ago: 0
             low  - 3 hours, 58 minutes ago: 0
             average: 0

RADIUS: id 2, priority 2, host 10.183.x.Z, auth-port 1812, acct-port 1813, hostname ise2
     State: current UP, duration 187091s, previous duration 0s
     Dead: total time 0s, count 0
     Platform State from SMD: current UP, duration 187090s, previous duration 0s
     SMD Platform Dead: total time 0s, count 0
     Platform State from WNCD (1) : current UP
     Platform State from WNCD (2) : current UP
     Platform State from WNCD (3) : current UP
     Platform State from WNCD (4) : current UP
     Platform State from WNCD (5) : current UP
     Platform State from WNCD (6) : current UP
     Platform State from WNCD (7) : current UP
     Platform State from WNCD (8) : current UP, duration 0s, previous duration 0s
     WNCD Platform Dead: total time 0s, count 0UP
     Quarantined: No
     Authen: request 0, timeouts 0, failover 0, retransmission 0
             Response: accept 0, reject 0, challenge 0
             Response: unexpected 0, server error 0, incorrect 0, time 0ms
             Transaction: success 0, failure 0
             Throttled: transaction 0, timeout 0, failure 0
             Malformed responses: 0
             Bad authenticators: 0
             Dot1x transactions:
             Response: total responses: 0, avg response time: 0ms
             Transaction: timeouts 0, failover 0
             Transaction: total 0, success 0, failure 0
             MAC auth transactions:
             Response: total responses: 0, avg response time: 0ms
             Transaction: timeouts 0, failover 0
             Transaction: total 0, success 0, failure 0
     Author: request 0, timeouts 0, failover 0, retransmission 0
             Response: accept 0, reject 0, challenge 0
             Response: unexpected 0, server error 0, incorrect 0, time 0ms
             Transaction: success 0, failure 0
             Throttled: transaction 0, timeout 0, failure 0
             Malformed responses: 0
             Bad authenticators: 0
             MAC author transactions:
             Response: total responses: 0, avg response time: 0ms
             Transaction: timeouts 0, failover 0
             Transaction: total 0, success 0, failure 0
     Account: request 0, timeouts 0, failover 0, retransmission 0
             Request: start 0, interim 0, stop 0
             Response: start 0, interim 0, stop 0
             Response: unexpected 0, server error 0, incorrect 0, time 0ms
             Transaction: success 0, failure 0
             Throttled: transaction 0, timeout 0, failure 0
             Malformed responses: 0
             Bad authenticators: 0
     Elapsed time since counters last cleared: 2d3h58m
     Estimated Outstanding Access Transactions: 0
     Estimated Outstanding Accounting Transactions: 0
     Estimated Throttled Access Transactions: 0
     Estimated Throttled Accounting Transactions: 0
     Maximum Throttled Transactions: access 0, accounting 0
     Consecutive Response Failures: total 0
             SMD Platform : max 0, current 0 total 0
             WNCD Platform: max 0, current 0 total 0
             IOSD Platform : max 0, current 0 total 0
     Consecutive Timeouts: total 0
             SMD Platform : max 0, current 0 total 0
             WNCD Platform: max 0, current 0 total 0
             IOSD Platform : max 0, current 0 total 0
     Requests per minute past 24 hours:
             high - 3 hours, 58 minutes ago: 0
             low  - 3 hours, 58 minutes ago: 0
             average: 0

kingstdz (Level 1)

In the previous switch:

authentication display config-mode

Current configuration mode is new-style

In others of the same model, C9200L-48:

authentication display config-mode

Current configuration mode is legacy

Devaa (Spotlight)

Is there any specific device that is always unauthenticated, or do all the devices fail to authenticate randomly?

I see multiple RADIUS rejects from RADIUS server 1. I also see that the device on Gi1/0/33 is unauthenticated.

Do you see any logs in ISE?

 

RADIUS: id 1, priority 1, host 10.183.x.Y, auth-port 1812, acct-port 1813, hostname ise1
     State: current UP, duration 187091s, previous duration 0s
     Dead: total time 0s, count 0
     Platform State from SMD: current UP, duration 187090s, previous duration 0s
     ......
     Authen: request 40876, timeouts 0, failover 0, retransmission 0
             Response: accept 83, <reject 7082>, challenge 33711

========================================================================

# show access-session

Interface                MAC Address    Method  Domain  Status Fg  Session ID
--------------------------------------------------------------------------------------------
Gi1/0/33                 3822.e20f.786b N/A     UNKNOWN <Unauth>      8201B70A00001BAD0E08473C
Gi1/0/30                 90fb.a685.67d9 dot1x   DATA    Auth        8201B70A00001BAC0E0845E0

 

In the live log, it appears authenticated successfully; the others are not authenticated, showing anonymous or the name of the PC.
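As an added example (the editor's code, not from the thread or from Cisco), the parser below reads the three outputs Devaa asked for and kingstdz posted and applies the checks made in this thread: sessions not in the Auth state, a RADIUS server that is UP with zero timeouts but far more rejects than accepts (so the transport and shared secret are fine and the answer is in the ISE live log, as Devaa says), and a fleet whose `authentication display config-mode` differs between switches. The sample texts are trimmed copies of the outputs posted above; the hostnames in CONFIG_MODE_OUTPUTS, the "more rejects than accepts" threshold and every function and field name are my own assumptions.

```python
# Added example by the editor, not code from the thread or from Cisco. It parses the
# outputs kingstdz posted (show access-session, show aaa server, authentication display
# config-mode) and flags what to check first. Sample texts are trimmed from the thread;
# the hostnames in CONFIG_MODE_OUTPUTS and all names here are my own assumptions.
import re
from dataclasses import dataclass, field

ACCESS_SESSION = """\
Interface                MAC Address    Method  Domain  Status Fg  Session ID
Gi1/0/33                 3822.e20f.786b N/A     UNKNOWN Unauth      8201B70A00001BAD0E08473C
Gi1/0/30                 90fb.a685.67d9 dot1x   DATA    Auth        8201B70A00001BAC0E0845E0
Session count = 2
"""
AAA_SERVER = """\
RADIUS: id 1, priority 1, host 10.183.x.Y, auth-port 1812, acct-port 1813, hostname ise1
     State: current UP, duration 187091s, previous duration 0s
     Authen: request 40876, timeouts 0, failover 0, retransmission 0
             Response: accept 83, reject 7082, challenge 33711
             Dot1x transactions:
             Transaction: total 7039, success 81, failure 6958
             MAC auth transactions:
             Transaction: total 126, success 2, failure 124
     Author: request 23, timeouts 0, failover 0, retransmission 0
             Response: accept 23, reject 0, challenge 0
RADIUS: id 2, priority 2, host 10.183.x.Z, auth-port 1812, acct-port 1813, hostname ise2
     State: current UP, duration 187091s, previous duration 0s
     Authen: request 0, timeouts 0, failover 0, retransmission 0
             Response: accept 0, reject 0, challenge 0
"""
CONFIG_MODE_OUTPUTS = {  # placeholder hostnames; the two mode strings are as kingstdz reported
    "c9200l-a": "Current configuration mode is new-style",
    "c9200l-b": "Current configuration mode is legacy",
}

SESSION_RE = re.compile(r"^(?P<intf>\S+)\s+(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(?P<method>\S+)"
                        r"\s+(?P<domain>\S+)\s+(?P<status>\S+)\s+(?:[A-Z]+\s+)?(?P<sid>[0-9A-F]{16,})\s*$")
HDR_RE = re.compile(r"^RADIUS: id \d+, .*hostname (\S+)")
STATE_RE = re.compile(r"^\s*State: current ([^,]+),")
AUTHEN_RE = re.compile(r"^\s*Authen: request \d+, timeouts (\d+)")
RESP_RE = re.compile(r"^\s*Response: accept (\d+), reject (\d+), challenge \d+")
TXN_RE = re.compile(r"^\s*Transaction: total (\d+), success (\d+), failure (\d+)")

@dataclass
class RadiusServer:
    name: str
    state: str = "?"
    timeouts: int = 0  # Authen timeouts: non-zero points at transport or shared secret, not policy
    accept: int = 0
    reject: int = 0
    txn: dict = field(default_factory=dict)  # "dot1x" / "mac" -> {total, success, failure}

def parse_access_session(text):
    # rows of the 'show access-session' table as dicts keyed intf/mac/method/domain/status/sid
    return [m.groupdict() for line in text.splitlines() if (m := SESSION_RE.match(line))]

def parse_aaa_server(text):
    # reachability plus the Authen-block counters for every server in 'show aaa server'
    servers, cur, in_authen, sub = [], None, False, None
    for line in text.splitlines():
        if m := HDR_RE.match(line):
            servers.append(cur := RadiusServer(name=m.group(1)))
            in_authen = False
        elif cur is None:
            continue
        elif m := STATE_RE.match(line):
            cur.state = m.group(1)
        elif m := AUTHEN_RE.match(line):
            in_authen, sub, cur.timeouts = True, None, int(m.group(1))
        elif re.match(r"^\s*(Author|Account):", line):
            in_authen = False  # Author/Account repeat the same layout; only Authen is wanted
        elif in_authen:
            if m := RESP_RE.match(line):
                cur.accept, cur.reject = int(m.group(1)), int(m.group(2))
            elif line.strip().endswith("transactions:"):
                sub = line.split()[0].lower()  # "dot1x" or "mac"
            elif sub and (m := TXN_RE.match(line)):
                cur.txn[sub] = dict(zip(("total", "success", "failure"), map(int, m.groups())))
    return servers

def parse_config_mode(text):
    m = re.search(r"Current configuration mode is (\S+)", text)
    return m.group(1) if m else "unknown"

def triage(sessions, servers, modes):
    # findings in the order a troubleshooter would act on them: endpoint, server, fleet
    out = []
    for s in sessions:
        if s["status"] != "Auth":
            out.append(f"{s['intf']} {s['mac']}: {s['status']} (method {s['method']}, domain {s['domain']})")
    for srv in servers:
        if srv.state != "UP" or srv.timeouts:
            out.append(f"{srv.name}: transport problem (state {srv.state}, timeouts {srv.timeouts})")
        elif srv.reject > srv.accept:
            out.append(f"{srv.name}: {srv.reject} rejects vs {srv.accept} accepts with no timeouts, so RADIUS "
                       f"transport is fine; check the ISE live log (dot1x failures "
                       f"{srv.txn.get('dot1x', {}).get('failure', 0)}, MAB failures {srv.txn.get('mac', {}).get('failure', 0)})")
    if len(set(modes.values())) > 1:
        out.append("authentication config-mode differs across switches: "
                   + ", ".join(f"{h}={v}" for h, v in sorted(modes.items())))
    return out

if __name__ == "__main__":
    modes = {h: parse_config_mode(t) for h, t in CONFIG_MODE_OUTPUTS.items()}
    print("\n".join(triage(parse_access_session(ACCESS_SESSION), parse_aaa_server(AAA_SERVER), modes)))
```

Feed it the full outputs from the thread instead of the trimmed samples and it gives the same three findings: Gi1/0/33 sits in Unauth with no method, ise1 is UP with 0 timeouts yet 7082 rejects against 83 accepts (6958 of them dot1x, 124 MAB), and the fleet mixes new-style and legacy configuration modes. A server with timeouts or a non-UP state would instead be reported as a transport problem, which is the case to rule out before reading ISE logs.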

Devaa (Spotlight)

Meaning:

The device connected to Gi1/0/30 (90fb.a685.67d9) is authenticated.

The device connected to Gi1/0/33 (3822.e20f.786b) is not getting authenticated.

If both ports have a similar configuration, then it is an authentication issue. Check whether the device is expected to get authenticated via 802.1X or not. If yes, check whether the device has a valid 802.1X certificate installed.

kingstdz (Level 1)

Thanks for the reply.

From this post I want to understand: should I upgrade the switch to the latest stable firmware and activate IBNS 2.0 mode to get the switch working with ISE? Or maybe there are bugs in those C9200L switches? I really want to understand whether there is a solution for this issue.

We also have 3750X switches; what are the steps on those to get AAA ports working with my ISE?

Thanks for the help.

Thanks. I think this type of switch (C9200L) has problems with ISE, because wireless with the WLC works normally, but wired has issues with 802.1X.
Can anyone else who has this type of switch and ISE confirm this for us?
Thanks for the help.

Switch#show platform software trace message smd switch active R0   <<- use this to see whether it is only the C9200 that has the issue sending message-authenticator

MHM

Thanks, MHM.

Please, what did this client?

Sorry, I don't get your reply.

MHM