Dynamic VLAN + ISE + Track IP

Heaven_Bay (Level 1)

Hello everyone,

We use Cisco APs + WLC9800-CL + ISE3.2 + C9200 + dot1x + DVLAN + dhcp snooping. For access ports I enabled tracking; for AP ports, tracking is disabled.

When the PC boots up it uses its own special auth certificate and the switch or AP puts it into a special PC VLAN. When the user logs on, the system uses the user's own certificate and gives a new VLAN based on the account's AD group. Everything works fine: when the PC gets its VLAN it also receives an IP from the pool of this VLAN. When the user logs on, ISE sends a new VLAN and the PC/user session requests a new IP from the department DHCP VLAN's pool.

However, if I check ISE's session logs I see only the PC's IP address, twice. The first time from the PC account and the second from the user.

PC:
PCNAME$@domain.com
MAC-ADDRESS
Windows10-Workstation
DOT1X >> Authentication Rule TLS
DOT1X >> Domain Computers
PRFL_AUTHZ_DOMAIN_COMPUTER
PC-VLAN-IP-ADDRESS (IPv4,IPv6)

USER:
USERNAME$@domain.com
MAC-ADDRESS
Windows10-Workstation
DOT1X >> Authentication Rule TLS
DOT1X >> Department Information Technology
PRFL_AUTHZ_IT
PC-VLAN-IP-ADDRESS (IPv4,IPv6)

This is not what I expected to see. I guess ISE could see that the user switched to a new VLAN and got a new IP address, and account for it. It doesn't matter if I use wire or wifi. ISE starts showing the real user session IP address in the logs after some time, but not immediately.

Please help, what did I miss?

Thanks!

Accepted Solution

thomas (Cisco Employee)

It sounds like you are expecting to see a different IP address from a different VLAN when the user logs in.

802.1X happens at layer 2 and ISE only learns about the L3 IP address if there is a DHCP forward from the network device or from the RADIUS Accounting Start/Interim message(s).

I don't know how long "some time" is to you, but it should happen within a few seconds of the endpoint being assigned a new DHCP address on the new VLAN.  There could be a delay in the ISE LiveLog or LiveSessions update. You may perform a packet capture in ISE to see the RADIUS Accounting updates with the IP address as I showed in the recent ISE Webinar:

ISE Webinar, 2023/05/04:

11:34 Demo: RADIUS Packet Capture (TCPDump) on ISE for RADIUS Authentication and Accounting Start+Stop
14:30 Demo: RADIUS Packet Capture in WireShark
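
One way to check what the accounting stream actually tells ISE, as an added example that is not from this thread or from Cisco: a small Python decoder for RADIUS Accounting-Request datagrams (the packets a capture like the one in the webinar would show) that pulls out Acct-Status-Type, User-Name, Calling-Station-Id and Framed-IP-Address, so a Start or Interim-Update that carries no IP is obvious. The packets are constructed inside the block; the Authenticator is zeroed and no shared secret is used.

```python
import struct

# RADIUS packet code and attribute types (RFC 2865 / RFC 2866)
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_STATUS_TYPE = 40
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def build_acct_request(attrs, ident=1):
    """Build a constructed Accounting-Request (Authenticator zeroed, no secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body)) + bytes(16) + body


def parse_radius(pkt):
    """Return (code, {attr_type: [raw values]}) for one RADIUS datagram."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20  # attributes start after the 16-byte Authenticator
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(t, []).append(pkt[pos + 2 : pos + l])
        pos += l
    return code, attrs


def summarize_accounting(pkt):
    """What ISE would learn from this Accounting-Request: status, user, MAC and IP (None if absent)."""
    code, attrs = parse_radius(pkt)
    if code != ACCOUNTING_REQUEST:
        return None
    st = attrs.get(ATTR_ACCT_STATUS_TYPE)
    status = ACCT_STATUS.get(struct.unpack("!I", st[0])[0], "Unknown") if st else "Missing"
    ip = attrs.get(ATTR_FRAMED_IP_ADDRESS)
    return {
        "status": status,
        "user": attrs.get(ATTR_USER_NAME, [b""])[0].decode(),
        "mac": attrs.get(ATTR_CALLING_STATION_ID, [b""])[0].decode(),
        "ip": ".".join(str(b) for b in ip[0]) if ip else None,
    }
```

A session whose Accounting-Start or Interim-Update shows `"ip": None` is exactly the case where ISE has nothing to update the session IP from.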

 


Heaven_Bay (Level 1)

Dear Thomas,

Many thanks for your answer! I saw your lesson and got the dump. I found that there were no accounting-requests at all!

I checked my configs again and sadly found mistakes in the aaa accounting configuration. Moreover, I found missing accounting lists in the wireless policy profiles.

Now everything is fixed and works fine. Amazing how precise advice and a lesson can help in one moment!

Thank you!