
Displaying Incorrect IP Address in "Authentication Detail Report"

rezaalikhani
Spotlight

Hi all;

Look at the following screenshot:

1000.png

In the above scenario, "Win-PC-02" is connected to an interface that belongs to VLAN 20. After authentication, the proper authorization policy is applied to that interface, which changes its VLAN to 10. So, although the client had successfully been assigned an IP address in VLAN 20, after the authorization policy was applied it changed its address to one in VLAN 10.

Now I want to see the detailed authentication report for the following operation:

1000.png

As you can see above, under the "IP Address" column, we see "192.168.10.15", but in the report:

1000.png

I use ISE 3.2 Patch 4.

Any ideas?

Thanks

Accepted Solution

hslai
Cisco Employee

@rezaalikhani 

From what you described above, it looks expected. Before the PC authenticates, it receives the IP address from VLAN 20 so it sends this as part of the authentication request. After it authorizes, it moves to VLAN 10 and receives the new IP assignment. At this point, the switch sends the accounting request(s) to update the client IP address but not another authentication request so the authentication report will show the IP from VLAN 10 instead of VLAN 20. If you check the RADIUS accounting reports, you should be able to see one to update the client IP.


10 Replies

Ruben Cocheno
Spotlight

@rezaalikhani 

Is the timestamp correct on the report? It shows 20 minutes past the time of the Authz.


Thanks for your reply;

Yes, it is correct, because the last picture is not related to the first picture. It is taken from a similar authentication and authorization flow, not just from the first picture in the post...

 

Do you use DHCP profiling?
MHM

Yes

What attribute do you use in the DHCP profile?

Arne Bier
VIP

ISE learns about the endpoint's IPv4 address via the IOS Device Tracking feature (should always be enabled) - even if you are not using DHCP, device-tracking will issue a regular gratuitous ARP to get the IPv4 address of the endpoint. In the case of IPv6, it can glean addresses from the ND messages.

 

show ip device-tracking database int x/y/z

 

However, I agree with you @rezaalikhani, that when you click on the details of one of the rows in Live Logs, the IP addressing data should correspond. I think that ISE does some caching behind the scenes, and I know that the "blue dot" icon LiveLog entries (Session records) typically don't include updated RADIUS attribute data; they take their data from the original/first Authentication.

Have you tried the same test with Successful Repeated Auths suppression disabled? Worth a try - but like I said, the blue dot indicates an Accounting record was received, and then ISE cheats a little (or, it chooses to be lazy) with the data it chooses to present.

ArneBier_0-1704148283165.png

 

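The behaviour hslai describes in the accepted answer, and the "blue dot" accounting record Arne Bier points at, can be checked by correlating the RADIUS messages of one session yourself: the Access-Request carries the address the endpoint had before authorization (VLAN 20), and the address it gets after the VLAN change only arrives in a later Accounting-Request Interim-Update. The script below is an added example, not ISE or Cisco code. The key=value log format, the MAC addresses, the audit-session-id values and the IP addresses are constructed for this example; only the attribute names (Framed-IP-Address, Acct-Status-Type, Calling-Station-Id, audit-session-id) are the real RADIUS and Cisco attribute names an ISE report exposes.

```python
"""Correlate RADIUS authentication and accounting records for one 802.1X
session and report where each IP address came from.

Added example, not ISE or Cisco code. The log format, MAC addresses, session
ids and IP addresses are constructed; the attribute names are the real
RADIUS / Cisco ones.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Constructed sample log: one key=value line per RADIUS message ISE received.
# Session 0A0000FE authenticates with its VLAN 20 address, is moved to VLAN 10
# by the authorization profile, and the switch reports the new address in an
# accounting Interim-Update. Session 0A0000FF is a second endpoint that stays
# in VLAN 20, so the per-session correlation is actually exercised.
SAMPLE_LOG = """\
2024-01-02T08:00:01 Type=Access-Request audit-session-id=0A0000FE Calling-Station-Id=00-11-22-33-44-55 Framed-IP-Address=192.168.20.23
2024-01-02T08:00:02 Type=Accounting-Request Acct-Status-Type=Start audit-session-id=0A0000FE Calling-Station-Id=00-11-22-33-44-55 Framed-IP-Address=192.168.20.23
2024-01-02T08:00:03 Type=Access-Request audit-session-id=0A0000FF Calling-Station-Id=00-11-22-33-44-66 Framed-IP-Address=192.168.20.40
2024-01-02T08:00:04 Type=Accounting-Request Acct-Status-Type=Start audit-session-id=0A0000FF Calling-Station-Id=00-11-22-33-44-66 Framed-IP-Address=192.168.20.40
2024-01-02T08:00:11 Type=Accounting-Request Acct-Status-Type=Interim-Update audit-session-id=0A0000FE Calling-Station-Id=00-11-22-33-44-55 Framed-IP-Address=192.168.10.15
"""


@dataclass
class Record:
    ts: datetime
    kind: str                       # "Access-Request", "Accounting-Start", "Accounting-Interim-Update", ...
    attrs: dict = field(default_factory=dict)


def parse_line(line: str) -> Record:
    """Parse one 'timestamp key=value key=value ...' line into a Record."""
    ts_text, _, rest = line.partition(" ")
    attrs = dict(token.split("=", 1) for token in rest.split())
    kind = attrs.pop("Type")
    if kind == "Accounting-Request":
        # Fold the status type into the kind so the history reads naturally.
        kind = "Accounting-" + attrs.pop("Acct-Status-Type")
    return Record(datetime.fromisoformat(ts_text), kind, attrs)


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def session_records(records, session_id: str) -> list:
    """All records of one session, oldest first (the order ISE correlates them in)."""
    return sorted((r for r in records if r.attrs.get("audit-session-id") == session_id),
                  key=lambda r: r.ts)


def authentication_ip(records, session_id: str) -> Optional[str]:
    """IP carried in the Access-Request: what the authentication detail report shows."""
    for r in session_records(records, session_id):
        if r.kind == "Access-Request":
            return r.attrs.get("Framed-IP-Address")
    return None


def current_ip(records, session_id: str) -> Optional[str]:
    """IP from the newest accounting record that carried one: the live session view."""
    acct = [r for r in session_records(records, session_id) if r.kind.startswith("Accounting-")]
    for r in reversed(acct):
        if "Framed-IP-Address" in r.attrs:
            return r.attrs["Framed-IP-Address"]
    return authentication_ip(records, session_id)


def ip_history(records, session_id: str) -> list:
    """(record kind, IP) pairs in order, so a VLAN change shows up as an IP change."""
    return [(r.kind, r.attrs["Framed-IP-Address"])
            for r in session_records(records, session_id)
            if "Framed-IP-Address" in r.attrs]


RECORDS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    for sid in ("0A0000FE", "0A0000FF"):
        print(sid, "authentication:", authentication_ip(RECORDS, sid),
              "current:", current_ip(RECORDS, sid))
        for kind, ip in ip_history(RECORDS, sid):
            print("   ", kind, ip)
```

For session 0A0000FE the authentication record keeps 192.168.20.23 while the newest accounting record carries 192.168.10.15, which is the discrepancy between the authentication detail report and the session row. The same check on a real deployment is to pull the RADIUS accounting report for the session and look for the Interim-Update that carries the post-authorization Framed-IP-Address, as hslai suggests.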

Can we see the switchport config?

@hslai mentioned a perfect point, but I need to see the port config to be more sure.

MHM

Sorry @rezaalikhani, can you share the SW port config?
MHM

C3650#show run interface fastEthernet 0/2
Building configuration...

Current configuration : 834 bytes
!
interface FastEthernet0/2
switchport access vlan 20
switchport mode access
ip device tracking maximum 2
authentication control-direction in
authentication event fail action next-method
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-host
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer restart 30
authentication timer reauthenticate server
dot1x pae authenticator
dot1x timeout quiet-period 30
dot1x timeout tx-period 10
dot1x timeout ratelimit-period 300
dot1x timeout held-period 30
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
end

C3650#