10-30-2024 01:42 AM
Solved! Go to Solution.
10-30-2024 11:48 PM
Hi Together
Thanks for the many replies!
I found the problem (It's a stupid fault from my site)
The Clients couldn't get any ip address. In the ACL I allow connection to the dhcp.
But for dhcp the Client tries with a broadcast address.
I just hat to add: permit udp any any eq 67.
I didn't saw it first because this devices only has a web UI (which wasn't reachable)
Also there APIPPA Looks like the old address from the dhcp a.a.20.13 -> 169.254.20.13
I really appreciate your help and I am sorry for your loss of time.
10-31-2024 12:29 AM - edited 10-31-2024 01:16 AM
Hi,
By enabling the logging i've recommended, you would have seen that dACL was not actually applied because hosts had no IP address that switch can make use of before applying the dACL.
Good you fixed it.
Best,
Cristian.
10-30-2024 02:17 AM
I believe this is an expect behavior and you need to use CoA to overcome this. Take a look on the below thread and there are lots of similar threads here in the forum.
10-30-2024 02:23 AM
I think here it is another problem because I'm not speaking of Guest Access.
These Clients I described authenticate with dot1x EAP-TLS.
10-30-2024 02:27 AM
permit ip any host a.a.a.a <<- remove this
Add
Permit ip any any <<-
And let device tracking adjust any
MHM
10-30-2024 02:31 AM
Thanks for the reply!
With permit ip any any it works.
But then I cloud just use no dACL
The Goal is this:
10-30-2024 02:49 PM
Hi,
I would check for dACL related bugs on that ISE version. Second, do you have "epm logging" to validate that dACL is actually correctly applied on the port via "show logging"?
Best,
Cristian.
10-30-2024 11:17 PM
This issue' how ISE know that this is user a.a.a.a or user b.b.b.b to assign correct dacl?
Instead push in dacl permit ip any any
And try use ACL in port connect to server or use vlan access list.
MHM
10-30-2024 02:29 AM - edited 10-30-2024 02:31 AM
- Here are a number of related bugs with DACL , which include your ISE version :
https://bst.cloudapps.cisco.com/bugsearch?pf=prdNm&prdNam=Cisco%20Identity%20Services%20Engine%203.2&kw=dacl%203.2&bt=custV&sb=anfr
Check if anything related comes up ; it's probably advisable to test with the latest patch for ISE 3.2 (p7)
M.
10-30-2024 11:48 PM
Hi Together
Thanks for the many replies!
I found the problem (It's a stupid fault from my site)
The Clients couldn't get any ip address. In the ACL I allow connection to the dhcp.
But for dhcp the Client tries with a broadcast address.
I just hat to add: permit udp any any eq 67.
I didn't saw it first because this devices only has a web UI (which wasn't reachable)
Also there APIPPA Looks like the old address from the dhcp a.a.20.13 -> 169.254.20.13
I really appreciate your help and I am sorry for your loss of time.
10-31-2024 12:29 AM - edited 10-31-2024 01:16 AM
Hi,
By enabling the logging i've recommended, you would have seen that dACL was not actually applied because hosts had no IP address that switch can make use of before applying the dACL.
Good you fixed it.
Best,
Cristian.
10-31-2024 12:45 AM
with respect to your solution
how ISE know this endpoint is a.a.a.a or b.b.b.b
this can only done via dhcp profiling
MHM
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide