02-24-2020 09:25 AM
Hi people,
I just implemented RADIUS for device authentication on a switch, but after this change all the PCs (Windows 7) are having DHCP conflicts. The DHCP server lease time is 12 hours, but at the end of this time the old IP is not released correctly and the IP is sent to DHCP conflict.
I think these two commands are generating this issue:
authentication periodic
authentication timer reauthenticate 7200
The commands I use are the following:
aaa new-model
aaa group server radius ISE
 server name ISE-1
 server name ISE-2
dot1x system-auth-control
dot1x critical eapol
aaa authentication dot1x default group ISE
aaa authorization network default local
aaa authorization auth-proxy default group ISE
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group ISE
aaa accounting system default start-stop group ISE
aaa server radius dynamic-author
 client X.X.X.X server-key 0 RADIUS
 client X.X.X.X server-key 0 RADIUS
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server deadtime 10
radius server ISE-1
 address ipv4 X.X.X.X auth-port 1812 acct-port 1813
 key 0 RADIUS
!
radius server ISE-2
 address ipv4 X.X.X.X auth-port 1812 acct-port 1813
 key 0 RADIUS
And for the ports:
interface GigabitEthernet1/0/18
 description "PCs"
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 104
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 2
 authentication event server dead action authorize voice
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 7200
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
Thanks
02-24-2020 10:31 AM - edited 02-24-2020 10:42 AM
The first thing I will mention is that it's generally recommended that you send the re-authentication timer from ISE in the Access-Accept result, rather than hard-coding it on the interface. This way you can change it centrally on ISE rather than having to modify switchports.
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server dynamic
On the conflicts, Windows 7 DHCP conflicts are typically caused by IP device tracking and not by re-authentication. It's at least a known issue with older Windows clients during network stack initialization (they would complain about a conflict with 0.0.0.0), and we would typically address this with an IPDT delay timer. Have you confirmed these conflicts by looking at the Windows log? Are they real IP addresses, or the 0.0.0.0 that IPDT ARPs are often sent with? That could change the recommendations provided here.
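As an added example (not part of either post above), the switch-side configuration that puts both points of the reply into practice: the re-authentication and inactivity timers taken from the RADIUS server, plus the IPDT probe delay for the Windows 7 conflict. It assumes a Catalyst running classic IOS 15.x with the `ip device tracking` feature, as in the poster's configuration; newer IOS-XE releases use `device-tracking policy` instead, so the IPDT lines would differ there. The interface name and the 10-second delay are taken from the thread and a common starting value respectively, not from any vendor document quoted here.

```cisco
! Added example, not from the thread. Platform assumed: Catalyst, classic IOS 15.x
! with "ip device tracking" (IOS-XE device-tracking policies are not shown).
!
! 1. Let ISE supply the re-authentication and inactivity timers in the
!    Access-Accept instead of hard-coding 7200 seconds on every access port.
interface GigabitEthernet1/0/18
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server dynamic
!
! 2. Delay the IPDT ARP probe after link-up so it does not land during the
!    Windows 7 duplicate-address check, and source the probe from the SVI
!    address instead of 0.0.0.0 (the sender IP older Windows clients report as
!    a conflict). The 10-second value is an assumed starting point to tune.
ip device tracking probe delay 10
ip device tracking probe use-svi
!
! Verification from exec mode (constructed list of checks):
! show ip device tracking all
! show authentication sessions interface GigabitEthernet1/0/18 details
! show aaa servers
```

After applying this, the `show authentication sessions ... details` output should show the timer values learned from the server rather than the static 7200, and the Windows event log on an affected client is the place to confirm whether the reported conflicting address is 0.0.0.0 (the IPDT probe) or a genuinely duplicated lease.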