DHCP Failing on dot1x/ISE-controlled Port

Jim Blake
Level 1

I have a Cisco 3560 with the following configuration on the first two interfaces:

interface GigabitEthernet0/1
 description === Test PC===
 switchport access vlan 10
 switchport mode access
 ip access-group ACL_DEFAULT in
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 10
end

switch#
switch#show run int g0/2
Building configuration...

Current configuration : 146 bytes
!
interface GigabitEthernet0/2
 description === Insecure Port ===
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
end

Extended IP access list ACL_DEFAULT
    10 permit udp any eq bootpc any eq bootps
    20 permit udp any any eq domain
    30 permit udp any eq snmp any
    40 permit icmp any any
    50 permit udp any any eq tftp
    60 permit tcp any any eq www
Port G0/1 is controlled by ISE 1.3 using IEEE 802.1X, which is showing (under "Authentications") that it is accepting both machine and user certificates from the PC and downloading DACLs correctly to the switch to open the port. The switch port LED changes from amber to green when the ISE says it has opened the port, so I'm reasonably happy that the port is fully open.

Both ports G0/1 and G0/2 have access to VLAN 10, and the test PC, when placed on G0/2, gets a DHCP lease without any problems.

However, despite the ISE accepting certificates and downloading the DACLs, the same PC that was used successfully on port G0/2 fails to get a DHCP lease when on G0/1 despite the ISE saying the port is wide open.

Wireshark on the test machine shows it sending periodic DHCP requests, but getting nothing back.

I have eliminated the DACLs as the problem by substituting the "Permit_All_Traffic" inbuilt DACL.

Any suggestions? I've created configs like this before with no problems... the bit that is usually difficult is the ISE, and that appears to be fine. It looks like a switch config issue, because if I move the same client between ports (same DHCP server, same VLAN, same pretty much everything except ISE) it works on G0/2 (unprotected) and fails on G0/1 (IEEE 802.1X/ISE).

Thanks for any suggestions

Jim
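The pre-authentication ACL in the post decides what an unauthenticated client may send before dot1x/MAB completes, so it is worth checking that the client's DHCP DISCOVER (UDP 68 to 67) actually matches it. The following is an added example, not code from the thread or from Cisco: a small evaluator for the `any`/`eq` form of IOS extended ACEs, run against the `ACL_DEFAULT` entries shown above (the DHCP OFFER travels toward the client and is not subject to an inbound access-group, so only the client-to-switch direction is evaluated).

```python
# Added example (not from the thread): evaluate inbound packets against the
# pre-authentication ACL_DEFAULT from the post. Handles only the
# "<seq> permit|deny <proto> any [eq <port>] any [eq <port>]" form.

# ACL entries copied from the post.
ACL_DEFAULT = """
10 permit udp any eq bootpc any eq bootps
20 permit udp any any eq domain
30 permit udp any eq snmp any
40 permit icmp any any
50 permit udp any any eq tftp
60 permit tcp any any eq www
"""

# IOS well-known port names, as far as this ACL needs them.
PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53,
              "snmp": 161, "tftp": 69, "www": 80}


def parse_ace(line):
    """Parse one ACE into a dict; a port of None means 'any port'."""
    tokens = line.split()
    seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
    rest = tokens[3:]
    ports = []
    for _ in range(2):  # source, then destination
        if rest.pop(0) != "any":
            raise ValueError("only the 'any' address form is supported")
        if rest and rest[0] == "eq":
            rest.pop(0)
            name = rest.pop(0)
            ports.append(PORT_NAMES[name] if name in PORT_NAMES else int(name))
        else:
            ports.append(None)
    return {"seq": seq, "action": action, "proto": proto,
            "sport": ports[0], "dport": ports[1]}


def parse_acl(text):
    return [parse_ace(l) for l in text.strip().splitlines()]


def evaluate(acl, proto, sport=None, dport=None):
    """First-match evaluation with the implicit deny IOS appends."""
    for ace in acl:
        if ace["proto"] != proto:
            continue
        if ace["sport"] is not None and ace["sport"] != sport:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], ace["seq"]
    return "deny", None
```

`evaluate(parse_acl(ACL_DEFAULT), "udp", 68, 67)` returns `("permit", 10)`, confirming the pre-auth ACL is not what blocks the DISCOVER; the same check shows that, for example, TCP 443 from an unauthenticated client hits the implicit deny.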

2 Replies

Marvin Rhoads
Hall of Fame

When the PC is connected on Gi0/1, what does "show int gi0/1 authentication detail" show?

Bhanu Pradhan
Level 1

Hello Jim,

Is IP Device tracking enabled on the switch?

Remove the command "ip dhcp snooping limit rate 10" and bounce the port once.

Please share the output for the following commands:

show ip device tracking int gi0/1

show authentication sessions interface gi0/1

or

show authentication sessions interface gi0/1 details

If possible try not to push any DACL from ISE and set the "ACL_DEFAULT" to "permit ip any any".