Endpoints getting IP from switchport VLAN before ISE changes VLAN

Josh Morris
Level 3

I just migrated from ISE 2.2 to ISE 3.1 and I am having an issue now where a lot of my endpoints come online on the switch, and ISE puts them in the correct VLAN, but by that point, the endpoint has already received an IP address from the VLAN on the switchport. And these devices (mainly security cameras) are not smart enough to refresh their IP. I'm assuming this is just a timing issue because I'm running 'authentication open' on my switchports. I guess the device is coming up on the port and is getting an IP address on the VLAN before ISE can respond with the correct VLAN. 

The thing that is weird to me is that this was not an issue in my previous 2.2 deployment. Here is an example of a switchport. The issue in this case is that the endpoint would come up with an IP out of VLAN 58, but ISE then changes the port to VLAN 1001 and the endpoint can't change IP address. 

Also, these are not 802.1X endpoints, they are simply MAB in a static group in ISE. 

interface GigabitEthernet1/47
 switchport access vlan 58
 switchport mode access
 switchport voice vlan 90
 ip device tracking maximum 10
 logging event link-status
 authentication control-direction in
 authentication event fail action next-method
 authentication event server dead action authorize vlan 58
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize 
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 300
 dot1x timeout tx-period 7
 dot1x timeout ratelimit-period 300
 dot1x timeout held-period 300
 service-policy input QoS-Input-Policy
 service-policy output QoS-Host-Port-Output-Policy
end

If you think this is the issue, is there a way for me to fix this without removing authentication open? I'm not ready to go to closed mode yet. 
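As an added example (not code from the thread or from Cisco), here is a small Python check for the condition described above: it flags MAB sessions whose device-tracking IP sits outside the subnet of the VLAN ISE actually authorized, i.e. endpoints that leased an address on the static access VLAN under 'authentication open' and never renewed. The session dump is a constructed, simplified summary, and the VLAN-to-subnet map is an assumption.

```python
import ipaddress
import re

# Assumed VLAN-to-subnet map (not from the thread); VLAN 58 is the static
# access VLAN on the port, VLAN 1001 the one ISE assigns via MAB.
VLAN_SUBNETS = {
    58: ipaddress.ip_network("10.58.0.0/24"),
    1001: ipaddress.ip_network("10.100.1.0/24"),
}

# Constructed sample: one simplified line per session with the interface,
# MAC, authorized VLAN and the IP learned by device tracking ("-" = none).
SESSION_DUMP = """\
Gi1/47  0011.2233.4455  vlan 1001  ip 10.58.0.21
Gi1/48  0011.2233.4466  vlan 1001  ip 10.100.1.34
Gi1/49  0011.2233.4477  vlan 58    ip 10.58.0.77
Gi1/50  0011.2233.4488  vlan 1001  ip -
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+vlan\s+(\d+)\s+ip\s+(\S+)")


def parse_sessions(dump):
    """Return (interface, mac, vlan, ip_or_None) tuples from the dump."""
    rows = []
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        iface, mac, vlan, ip = m.groups()
        rows.append((iface, mac, int(vlan), None if ip == "-" else ip))
    return rows


def stale_endpoints(dump, subnets=VLAN_SUBNETS):
    """Sessions whose tracked IP is not inside the authorized VLAN's subnet.

    An endpoint that got a DHCP lease on the access VLAN before the RADIUS
    authorization moved the port, and never renewed, shows up here."""
    stale = []
    for iface, mac, vlan, ip in parse_sessions(dump):
        if ip is None or vlan not in subnets:
            continue  # no address yet, or a VLAN we have no subnet for
        if ipaddress.ip_address(ip) not in subnets[vlan]:
            stale.append((iface, mac, vlan, ip))
    return stale


if __name__ == "__main__":
    for row in stale_endpoints(SESSION_DUMP):
        print("stale IP on %s (%s): authorized vlan %d, address %s" % row)
```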

 

15 Replies

This is where we've landed as well. We have a "Landing VLAN" that is essentially a black hole, non-routable network with no default-gateway. The risk with doing this is related to Critical VLAN and all of the different scenarios you can encounter when the NAD/Switch cannot reach ISE to talk RADIUS. Or the AAA Dead Server event. Overall, the dynamic VLAN assignment works much better doing it this way but it is not without significant risk during a WAN Outage, ISE Outage or simple unreachability from SW to ISE/RADIUS.