Dynamic VLAN + ISE + Track IP

Heaven_Bay
Beginner

Hello everyone,

We use Cisco APs + WLC9800-CL + ISE 3.2 + C9200 + dot1x + DVLAN + DHCP snooping. For access ports I attached tracking; for AP ports, tracking is disabled.

When the PC boots up it uses its own special auth certificate, and the switch or AP puts it into the special PC VLAN. When the user logs on, the system uses the user's own certificate and assigns a new VLAN based on the account's AD group. Everything works fine: when the PC gets its VLAN it also receives an IP from that VLAN's pool. When the user logs on, ISE sends a new VLAN and the PC/user session requests a new IP from the department VLAN's DHCP pool.

However, if I check ISE's session logs I see only the PC's IP address, twice: the first time from the PC account and the second from the user.

PC:
PCNAME$@domain.com
MAC-ADDRESS
Windows10-Workstation
DOT1X >> Authentication Rule TLS
DOT1X >> Domain Computers
PRFL_AUTHZ_DOMAIN_COMPUTER
PC-VLAN-IP-ADDRESS (IPv4,IPv6)

USER:
USERNAME$@domain.com
MAC-ADDRESS
Windows10-Workstation
DOT1X >> Authentication Rule TLS
DOT1X >> Department Information Technology
PRFL_AUTHZ_IT
PC-VLAN-IP-ADDRESS (IPv4,IPv6)

This is not what I expected to see. I guess ISE could see that the user switched to a new VLAN and got a new IP address, and could account for it. It doesn't matter whether I use wire or Wi-Fi. ISE starts showing the real user session IP address in the logs after some time, but not immediately.

Please help, what have I missed?

Thanks!
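For reference, here is the switch-side setup the post describes (device tracking attached to access ports and disabled on AP ports), written out as an added example; it is not the poster's configuration and nothing in the thread confirms it resolves the symptom. Policy names, interface numbers, the server-group name ISE and the timer value are hypothetical. The `aaa accounting update newinfo` line is an assumption about the mechanism involved: ISE learns a wired session's IP from the Framed-IP-Address in RADIUS accounting, and the switch only relays an address that device tracking learns after the VLAN change if it is configured to send an interim accounting update when session information changes.

```cisco
! RADIUS accounting towards ISE (server-group name ISE is assumed)
aaa accounting dot1x default start-stop group ISE
! Assumption: send an interim update as soon as the switch learns new
! session data (such as a new IP from device tracking), plus a periodic
! refresh every 2880 minutes (48 h) as a safety net.
aaa accounting update newinfo periodic 2880
!
! Device tracking ON for host-facing access ports, as in the post.
device-tracking policy DT-ACCESS
 tracking enable
!
! Device tracking OFF for AP uplinks (the wireless controller, not the
! switch, reports wireless client IPs to ISE).
device-tracking policy DT-AP
 tracking disable
!
interface GigabitEthernet1/0/1
 description user access port (hypothetical)
 switchport mode access
 device-tracking attach-policy DT-ACCESS
!
interface GigabitEthernet1/0/48
 description AP uplink (hypothetical)
 device-tracking attach-policy DT-AP
```

To see what the switch currently knows for the endpoint before and after the user logs on, compare `show device-tracking database interface GigabitEthernet1/0/1` (the addresses device tracking has learned, with their VLAN) against `show access-session interface GigabitEthernet1/0/1 details` (the IPv4 address the session carries and hence what has been reported to ISE); if the first shows the department-VLAN address while the second still shows the PC-VLAN one, the gap is in how the change is relayed to ISE rather than in DHCP or VLAN assignment.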