02-21-2023 12:50 PM
I just migrated from ISE 2.2 to ISE 3.1 and I am having an issue now where a lot of my endpoints come online on the switch, and ISE puts them in the correct VLAN, but by that point, the endpoint has already received an IP address from the VLAN on the switchport. And these devices (mainly security cameras) are not smart enough to refresh their IP. I'm assuming this is just a timing issue because I'm running 'authentication open' on my switchports. I guess the device is coming up on the port and is getting an IP address on the VLAN before ISE can respond with the correct VLAN.
The thing that is weird to me is that this was not an issue in my previous 2.2 deployment. Here is an example of a switchport. The issue in this case is that the endpoint would come up with an IP out of VLAN 58, but ISE then changes the port to VLAN 1001 and the endpoint can't change IP address.
Also, these are not 802.1X endpoints, they are simply MAB in a static group in ISE.
interface GigabitEthernet1/47
 switchport access vlan 58
 switchport mode access
 switchport voice vlan 90
 ip device tracking maximum 10
 logging event link-status
 authentication control-direction in
 authentication event fail action next-method
 authentication event server dead action authorize vlan 58
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 300
 dot1x timeout tx-period 7
 dot1x timeout ratelimit-period 300
 dot1x timeout held-period 300
 service-policy input QoS-Input-Policy
 service-policy output QoS-Host-Port-Output-Policy
end
If you think this is the issue, is there a way for me to fix this without removing authentication open? I'm not ready to go to closed mode yet.
02-20-2024 01:53 PM
This is where we've landed as well. We have a "Landing VLAN" that is essentially a black hole: a non-routable network with no default gateway. The risk with doing this is related to the Critical VLAN and all of the different scenarios you can encounter when the NAD/switch cannot reach ISE to talk RADIUS, or the AAA dead-server event. Overall, the dynamic VLAN assignment works much better doing it this way, but it is not without significant risk during a WAN outage, ISE outage or simple unreachability from the switch to ISE/RADIUS.
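Applied to the port from the question, the landing-VLAN approach in the reply looks like the following. This is an added example, not configuration from either poster; it assumes VLAN 999 as a new layer-2-only landing VLAN (no SVI, no DHCP scope, no default gateway), VLAN 58 kept as the critical VLAN, and VLAN 1001 as the VLAN ISE assigns to the cameras.

```ios
! Added example, not from the thread. Assumption: VLAN 999 exists only at layer 2
! (no SVI, no ip helper-address, no DHCP scope), so an endpoint that links up under
! 'authentication open' before the RADIUS reply arrives cannot obtain a usable
! address and then keep it after ISE moves the port to its real VLAN (1001 here).
vlan 999
 name LANDING-NO-GATEWAY
!
interface GigabitEthernet1/47
 ! Static access VLAN becomes the black-hole landing VLAN instead of data VLAN 58.
 switchport access vlan 999
 switchport mode access
 switchport voice vlan 90
 ip device tracking maximum 10
 authentication control-direction in
 authentication event fail action next-method
 ! Critical VLAN while RADIUS is unreachable: keep the real data VLAN so cameras
 ! still work. Caveat from the reply: a camera that links up during the outage gets
 ! a VLAN 58 address, and when the server returns 'alive action reinitialize'
 ! moves it to VLAN 1001, which recreates the stale-address problem for that device.
 authentication event server dead action authorize vlan 58
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
end
```

After a camera links up, `show authentication sessions interface GigabitEthernet1/47 details` should show the MAB session with VLAN 1001 as the applied policy; a device still holding a VLAN 58 address afterwards indicates it obtained DHCP before the change, which the landing VLAN is meant to make impossible outside the critical-VLAN case described in the comments.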