Dynamic VLAN Assignment in ISE

connor.jaques
Level 1

Hi,

 

Currently implementing dynamic VLAN assignment for both our 802.1X clients & profiled devices via MAB.

 

The condition matches the device in ISE, with the full summary report showing "authentication succeeded", authorization profile selected, RADIUS Access-Accept returned & VLAN attributes visible under "result".

 

However, when I hop over to the switch and run "show auth session interface [] detail", the status shows as "Unauth" with no change in VLAN.

 

Has anyone experienced this issue before or know where to look for troubleshooting?

 

I have already made sure Dynamic Author is configured on the switch with my clients. Thanks.

6 Replies

BryanHefner2568
Level 1

Maybe a CoA issue? I notice these tend to pop up a lot. What switch model and version are you running? Run a debug on the switch to see if you're receiving the CoA. I believe the command is "debug aaa coa".

We are running C9300s on version 16.12. Debug CoA gives me "Authc fail. Authc failure reason: Cred Fail". This log is only produced when applying my own authorization policy as opposed to the default "permit access".

This tells you what the issue is: failed authentication due to credentials. The default permit access policy that you use does not require a CoA, and is probably providing access whether or not you authenticate properly.

 

Can you provide a screen grab of your Live Logs, showing just the specific device that you are authenticating? And once that is displayed in the live logs, can you click on the paper icon to show the authentication process for that device?

 

Excellent guide on troubleshooting authentications in ISE: https://community.cisco.com/t5/security-documents/how-to-troubleshoot-ise-failed-authentications-amp/ta-p/3630960

Thanks Bryan, will review that link. Agree it appears to be a CoA problem here. I've copied the details below from the logs in ISE. 

Steps

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11027 Detected Host Lookup UseCase (Service-Type = Call Check (10))
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Radius.NAS-IP-Address
15041 Evaluating Identity Policy
15013 Selected Identity Source - Internal Endpoints
24209 Looking up Endpoint in Internal Endpoints IDStore - 7C:D3:0A:20:C0:28
24211 Found Endpoint in Internal Endpoints IDStore
22037 Authentication Passed
24715 ISE has not confirmed locally previous successful machine authentication for user in Active Directory
15036 Evaluating Authorization Policy
11055 User name change detected for the session. Attributes for the session will be removed from the cache
15016 Selected Authorization Profile - WORKSTATION
24209 Looking up Endpoint in Internal Endpoints IDStore - 7C:D3:0A:20:C0:28
24211 Found Endpoint in Internal Endpoints IDStore
11002 Returned RADIUS Access-Accept

 
 

Walker
Level 1

Have you verified that the VLAN is created on the switch? If so, are you using the VLAN name in your auth profile? Make sure it matches.

It sounds like it's possibly failing AuthZ. Check your EPM logs to see if you can find some helpful information.

The VLAN name is used in the auth profile and does exist on the switch as an exact match. I'll enable EPM logging and see if that produces anything of help, then revert back. Thanks.
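Walker's check above (VLAN present on the switch, name in the authorization profile an exact match) and the OP's note that the VLAN attributes are visible under "Result" can be turned into a quick offline sanity check. The script below is an added example, not code from this thread, from the OP, or from Cisco: it takes the three RFC 3580 tunnel attributes a switch needs for dynamic VLAN assignment (Tunnel-Type = VLAN, Tunnel-Medium-Type = 802, Tunnel-Private-Group-ID = VLAN name or ID) and the output of `show vlan brief`, and reports why the assignment would not apply. Both inputs are constructed samples; the "Name=value" layout with an optional "(tag=N)" prefix is an assumed simplification of how ISE shows tagged attributes, and the case-sensitive name comparison is an assumption taken from Walker's "exact match" advice, so a case-only difference is reported as a mismatch.

```python
"""Validate a RADIUS Access-Accept's dynamic-VLAN attributes against the
switch's VLAN table (added example; inputs and formats are constructed)."""
import re

# RFC 3580 / RFC 2868 values a switch expects for IEEE 802.1X VLAN assignment.
TUNNEL_TYPE_VLAN = "VLAN"    # Tunnel-Type (64) = VLAN (13)
TUNNEL_MEDIUM_802 = "802"    # Tunnel-Medium-Type (65) = IEEE-802 (6)
REQUIRED_ATTRS = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-ID")

# Constructed sample of what an authorization profile returns under "Result".
# Layout assumed: one "Name=value" per line, value optionally prefixed "(tag=N)".
SAMPLE_ACCEPT = """\
Tunnel-Type=(tag=1) VLAN
Tunnel-Medium-Type=(tag=1) 802
Tunnel-Private-Group-ID=(tag=1) WORKSTATION
"""

# Constructed sample of `show vlan brief` on the switch (not captured output).
SAMPLE_SHOW_VLAN = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/1, Gi1/0/2
10   Workstation                      active
20   PRINTERS                         active    Gi1/0/3
1002 fddi-default                     act/unsup
"""


def parse_accept(text):
    """Return {attribute: value} with any '(tag=N)' prefix stripped."""
    attrs = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        value = re.sub(r"^\(tag=\d+\)\s*", "", value.strip())
        attrs[name.strip()] = value
    return attrs


def parse_show_vlan(text):
    """Return {vlan_id: vlan_name} from `show vlan brief` style output."""
    vlans = {}
    for line in text.splitlines():
        m = re.match(r"^(\d+)\s+(\S+)\s+(active|act/unsup|act/lshut|suspended)", line)
        if m:
            vlans[int(m.group(1))] = m.group(2)
    return vlans


def check_vlan_assignment(accept_text, show_vlan_text):
    """Return a list of reasons the VLAN assignment would not apply ([] = looks fine)."""
    problems = []
    attrs = parse_accept(accept_text)
    vlans = parse_show_vlan(show_vlan_text)

    for name in REQUIRED_ATTRS:
        if name not in attrs:
            problems.append(f"missing attribute {name}")
    if problems:
        return problems  # nothing else is meaningful without all three

    if attrs["Tunnel-Type"] != TUNNEL_TYPE_VLAN:
        problems.append(f"Tunnel-Type is {attrs['Tunnel-Type']!r}, expected {TUNNEL_TYPE_VLAN!r}")
    if attrs["Tunnel-Medium-Type"] != TUNNEL_MEDIUM_802:
        problems.append(f"Tunnel-Medium-Type is {attrs['Tunnel-Medium-Type']!r}, expected {TUNNEL_MEDIUM_802!r}")

    group = attrs["Tunnel-Private-Group-ID"]
    if group.isdigit():
        # Assignment by VLAN ID: the ID must exist in the VLAN database.
        if int(group) not in vlans:
            problems.append(f"VLAN ID {group} is not configured on the switch")
    else:
        # Assignment by VLAN name: exact, case-sensitive match assumed.
        names = set(vlans.values())
        if group not in names:
            near = [n for n in names if n.lower() == group.lower()]
            if near:
                problems.append(f"VLAN name {group!r} does not exactly match switch VLAN name {near[0]!r}")
            else:
                problems.append(f"VLAN name {group!r} is not configured on the switch")
    return problems


if __name__ == "__main__":
    for problem in check_vlan_assignment(SAMPLE_ACCEPT, SAMPLE_SHOW_VLAN) or ["no problems found"]:
        print(problem)
```

With the constructed samples the profile returns the name WORKSTATION while the switch has Workstation, so the script reports a name mismatch; swapping in PRINTERS or the ID 20 produces an empty problem list. Replace the two sample strings with the real "Result" attributes and the real `show vlan brief` output to use it on your own case.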