Configure Radius on Cisco 9300 to Allow Hosts to Access the Internet

candidolevy
Level 1

I upgraded a Cisco 2960X switch to a 9300 and copied all the configuration from the 2960X to the 9300. I didn't get any syntax errors; however, the hosts cannot be authenticated by ISE when they try to access the Internet. On the intranet everything is fine.

I ask for your support in resolving this problem.

I want the hosts to access the Internet.


Best regards

24 Replies

That's not fair. I just tested it on a 16.12.X and a 17.5.X variant. Still doesn't work for us. Both were C9200-48Ps. Does anyone know if this is a license or feature issue we might not have enabled?

I'd like to know what IOS you're running, because "show ip access-list interface gi1/0/XX" type commands have given me no output (no lines, just the next enable prompt, immediately) since we received Cisco 9200s / 9300s, etc. to replace our older model switches. I miss that command. I need to run "show auth sessions int gi1/0/XX" and then do a "show ip access-list XACSACLx-......" type command to see the rough IP access list that would apply to that session on that port. If there was a DACL error, it won't show the DACL as applied under show auth sessions. If there is no IP address learned, it won't show the DACL as applied under show auth sessions. I've got nothing I can run, that gives me any output, for 2+ years now on that platform, which would show me the applied DACLs on the port.

Regards,
David


But I can Boot this


thomas
Cisco Employee

See How to Ask The Community for Help for the kind of information we need to help you troubleshoot. These are the basic things that would help anyone including TAC troubleshoot your problem.

And rather than pictures of your configuration, a regular copy and paste would be easier to read.

We have best practice IOS switch configurations documented in ISE Secure Wired Access Prescriptive Deployment Guide for your reference. That will get 802.1X and MAB working for your endpoints' authentication and authorization.

Since the ACL you have applied is permit ip any any, traffic control to the internet is a route/switch problem. Can your switch ping 1.1.1.1? If not, you have a routing problem that has nothing to do with ISE or 802.1X.

Hello Mr. @thomas

Thanks for your help.

It cannot be a routing problem, because the hosts that are connected to the Cisco 2960X can access the Internet, and the Cisco 9300 is connected to the Cisco 2960X.

I believe the problem is in the syntax of the Cisco 9300 configuration, because the same config works fine on the Cisco 2960X.

@candidolevy from your screenshots it is clear the session is authenticated and authorised by ISE fine; the only thing that stands out is that there is no IPv4 Address in the output of the authenticated session. Is device tracking enabled? Refer to the device tracking section here.

Have you tried not applying the DACL to the authorised session, to rule out a problem with the syntax of the DACL?

What happens if you connect an endpoint to an interface configured in VLAN 503 without the 802.1X configuration? Can it access the Internet?
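A small checker for the symptom described in the reply above (session Authorized, no IPv4 address learned, hence no DACL shown). This is an added example, not code from this thread or from Cisco; the "show authentication sessions ... details" output it parses is constructed to approximate the IOS-XE layout, and the field names and regex are assumptions.

```python
import re

# Constructed sample (not captured from the switch in this thread): session is
# Authorized but no IPv4 address was learned, so no DACL appears under Server Policies.
SAMPLE_NO_IP = """\
            Interface:  GigabitEthernet1/0/5
          MAC Address:  0011.2233.4455
         IPv6 Address:  Unknown
         IPv4 Address:  Unknown
            User-Name:  host/pc1.example.com
               Status:  Authorized
               Domain:  DATA
    Common Session ID:  0A0A0A0100000011AABBCCDD

Server Policies:

Method status list:
       Method           State
       dot1x            Authc Success
"""

# Constructed healthy sample: address learned and DACL applied.
SAMPLE_OK = """\
            Interface:  GigabitEthernet1/0/6
          MAC Address:  0011.2233.4466
         IPv4 Address:  10.50.3.21
            User-Name:  host/pc2.example.com
               Status:  Authorized
               Domain:  DATA

Server Policies:
              ACS ACL:  xACSACLx-IP-PERMIT_ALL-5f0a1b2c
"""

# "<Field name>:  <value>" lines; section headers and the method table do not match.
FIELD_RE = re.compile(r"^\s*([A-Za-z0-9 /-]+?):\s*(.*?)\s*$")

def parse_session(text):
    """Map field names to values; 'Unknown' or empty values become None."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            value = m.group(2)
            fields[m.group(1).strip()] = None if value in ("", "Unknown") else value
    return fields

def diagnose(text):
    """Return findings for one session; an empty list means nothing stands out."""
    s = parse_session(text)
    if s.get("Status") != "Authorized":
        return ["session not Authorized; check the ISE authentication/authorization result"]
    if s.get("IPv4 Address") is None:
        # Without a learned address the switch cannot apply a DACL, so its absence is expected.
        return ["no IPv4 address learned; enable device tracking on the port"]
    if s.get("ACS ACL") is None:
        return ["address learned but no DACL under Server Policies; check the ISE authz profile and DACL syntax"]
    return []
```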


The switch does not have device tracking.

What would be the device-tracking syntax to use?

@candidolevy it's in the guide both @thomas and I provided. Here is the syntax; you'll notice it is required to learn the IP address and to use DACLs.


Hello everyone,

Thanks a lot for your support.

It was very useful and important for me.

I already have tracking on the switch and I can access the Internet.


Cisco is the power

Just because you connect one switch to another one does not mean it will magically route traffic from one through the other. 8-)