
IP address in ISE live authentication after vlan change

Hi all,

On the ISE live authentication dashboard we can see the IP address of the client (known from FRAMED-IP-ADDRESS).

But what about a VLAN change, and the situation when the client gets a new IP address after relocation to a different VLAN?

Live logs show only the first IP address - client mapping (from the guest VLAN); after authorization a new VLAN and dACL are assigned, but the logs don't include the new IP address.

The session ID is the same all the time.

So maybe ip helper or another trick?

Regards

2 REPLIES

Can you check the accounting msg? If you configure periodic accounting, you should see the updated IP in the accounting msg.

Sent from Cisco Technical Support iPad App

Thx for the reply.

I added "aaa accounting update newinfo" and I'll see tomorrow how it works with AnyConnect and 802.1X.

Meanwhile I think I must clarify what I meant.

Not all logs have an IP address present in live authentication (this is MAB for test only).

The situation with 802.1X and AnyConnect is a bit better because there are IP addresses, but only from the first DHCP address assignment (authentication open with default ACL). Then if the policy changes the VLAN and the client gets a new IP address from a different scope, we have wrong information in this log.

But getting back to our MAB...

The details of this entry look like:

     

So this is probably the reason that no IP address is visible: it was too soon for MAB to get this info and send it as the framed IP address (according to this config command "radius-server attribute 8 include-in-access-req").

Nevertheless, clicking the accounting details (from the 2nd screenshot),

we see that this information is present.

So my first question is: at which stage is this column filled in? Only when "FRAMED-IP-ADDRESS" is sent in the RADIUS request? Or from accounting?

Maybe ISE should dynamically modify this record after each accounting newinfo message?

Regards
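
Added example, not part of the thread and not ISE's own logic: one way to correlate exported RADIUS records by session ID so the address recorded at authentication can be compared with the latest Framed-IP-Address reported in accounting. The record layout (`ts`, `code`), the session IDs and the addresses are constructed for illustration, and it assumes the Access-Request carries the same Acct-Session-Id as the accounting messages.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample records (not from the thread); addresses are documentation ranges.
RECORDS = [
    # MAB: Access-Request sent before the client had an address
    {"ts": 100, "code": "Access-Request", "Acct-Session-Id": "S-MAB-01"},
    {"ts": 101, "code": "Accounting-Request", "Acct-Status-Type": "Start", "Acct-Session-Id": "S-MAB-01"},
    {"ts": 130, "code": "Accounting-Request", "Acct-Status-Type": "Interim-Update",
     "Acct-Session-Id": "S-MAB-01", "Framed-IP-Address": "192.0.2.25"},
    # 802.1X: guest-VLAN lease at authentication, new lease after the VLAN change
    {"ts": 200, "code": "Access-Request", "Acct-Session-Id": "S-DOT1X-02", "Framed-IP-Address": "192.0.2.31"},
    {"ts": 260, "code": "Accounting-Request", "Acct-Status-Type": "Interim-Update",
     "Acct-Session-Id": "S-DOT1X-02", "Framed-IP-Address": "198.51.100.52"},
    {"ts": 320, "code": "Accounting-Request", "Acct-Status-Type": "Interim-Update",
     "Acct-Session-Id": "S-DOT1X-02", "Framed-IP-Address": "198.51.100.52"},
]

@dataclass
class Session:
    auth_ip: Optional[str] = None                # Framed-IP-Address seen in the Access-Request
    history: list = field(default_factory=list)  # (ts, ip), appended only when the address changes

    @property
    def current_ip(self):
        return self.history[-1][1] if self.history else None

def build_sessions(records):
    """Group records by Acct-Session-Id and track every address change in time order."""
    sessions = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        s = sessions.setdefault(rec["Acct-Session-Id"], Session())
        ip = rec.get("Framed-IP-Address")
        if rec["code"] == "Access-Request" and s.auth_ip is None:
            s.auth_ip = ip
        if ip and ip != s.current_ip:
            s.history.append((rec["ts"], ip))
    return sessions

def stale_sessions(sessions):
    """Session IDs whose authentication-time address is missing or no longer current."""
    return sorted(sid for sid, s in sessions.items()
                  if s.current_ip and s.auth_ip != s.current_ip)

def ip_at(session, ts):
    """Address the session held at time ts, or None if none was known yet."""
    known = [ip for t, ip in session.history if t <= ts]
    return known[-1] if known else None
```
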
