01-23-2013 01:21 AM - edited 03-10-2019 08:00 PM
Hi,
I have the following issue:
Several hosts on a specific VLAN cannot reach a VNC server which is located in the same VLAN. All the ports are running 802.1X and hosts are authenticated based on certificate.
The hosts that have the issue are always authenticated with success and a "show authentication session interface <INT-NAME>" shows the following output for a client:
SWl#sh authentication sessions interface g1/0/42
Interface: GigabitEthernet1/0/42
MAC Address: 4437.e668.9896
IP Address: Unknown
Status: Authz Success
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 100
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0000000000000AA09F7A3843
Acct Session ID: 0x00000CD7
Handle: 0x2D000AA0
The server:
SW#sh authentication sessions interface g2/0/43
Interface: GigabitEthernet2/0/43
MAC Address: 4437.e68a.4048
IP Address: 10.10.10.254
Status: Authz Success
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 100
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 00000000000008DC576F3B64
Acct Session ID: 0x000009CB
Handle: 0x200008DC
If I do a "clear authentication sessions interface g1/0/42" on one of the client ports, then the IP address is not unknown anymore:
SW#sh authentication sessions interface g1/0/42
Interface: GigabitEthernet1/0/42
MAC Address: 4437.e668.9896
IP Address: 10.10.10.20
Status: Authz Success
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 100
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0000000000000E63AA195FED
Acct Session ID: 0x000010A6
Handle: 0x92000E63
Then the client can connect to the server without any issues. Does anyone have a solution to fix this issue?
All ports are configured the same (client and server) and DHCP snooping is running for the authenticated VLAN (100):
!
interface GigabitEthernet1/0/42
switchport access vlan 999
switchport mode access
switchport nonegotiate
switchport block multicast
switchport block unicast
switchport port-security maximum 4
switchport port-security
switchport port-security violation restrict
ip arp inspection limit rate 50
authentication host-mode multi-domain
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 5
storm-control broadcast level 5.00
storm-control action shutdown
no vtp
ip dhcp snooping limit rate 50
!
Platform: cisco WS-C3750X-48P
IOS: c3750e-universalk9-mz.122-55.SE3.bin
Authentication Server: Cisco ISE
Best regards,
Laurent
01-23-2013 01:33 AM
Hi,
You may want to consider adding ip device-tracking to see if this helps your situation.
Thanks,
Tarik Admani
*Please rate helpful posts*
01-23-2013 03:15 AM
Hi Tarik,
Thanks for your response.
Can you explain what is "ip device-tracking" for and why it can help to solve this problem?
/Laurent
01-24-2013 03:18 AM
Hi Tarik,
Any news?
Best Regards,
Laurent
01-24-2013 05:46 AM
Hi,
The ip device tracking command builds an IP address to MAC address to VLAN binding when users connect to the network.
Here is a thread where this was resolved for another scenario.
https://supportforums.cisco.com/thread/2057414
Sent from Cisco Technical Support iPad App
01-24-2013 07:16 AM
Hi Tarik,
Is this command used in combination with dot1x? The switch is running DHCP snooping so the MAC/IP/VLAN should already be present in the DHCP snooping database, no?
I would like to understand what is causing the problem and how this command can solve it.
Regards,
Laurent
04-22-2020 02:27 PM
The client IP address is learned by the IP Device Tracking feature (IPDT). This is an important feature for the switch to track the IP address of the machine and then apply the dACLs and Redirection ACLs on that port using the device IP address. Please refer to the document below, which will explain all about ip device tracking.
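As an added example (not posted by anyone in this thread), here is a small Python parser for the "show authentication sessions interface" output quoted above. It flags sessions that are authorized but whose IP address is still "Unknown", i.e. the state the client port was in before the switch had an IP binding for it, which is the condition under which an IP-based dACL or redirect ACL cannot be applied. The sample output is constructed from the sessions quoted in the thread, trimmed to the relevant fields.

```python
import re
from typing import Dict, List

# Constructed sample: the client port (IP still Unknown) and the server port,
# built from the sessions quoted earlier in this thread.
SAMPLE_OUTPUT = """\
SW#sh authentication sessions interface g1/0/42
Interface: GigabitEthernet1/0/42
MAC Address: 4437.e668.9896
IP Address: Unknown
Status: Authz Success
Domain: DATA
Vlan Policy: 100
SW#sh authentication sessions interface g2/0/43
Interface: GigabitEthernet2/0/43
MAC Address: 4437.e68a.4048
IP Address: 10.10.10.254
Status: Authz Success
Domain: DATA
Vlan Policy: 100
"""

# "Key: value" lines; prompt/command echo lines (e.g. "SW#sh ...") do not match.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.+?)\s*$")


def parse_sessions(text: str) -> List[Dict[str, str]]:
    """Split the show output into one dict per session.

    Each session starts at its "Interface:" line; fields that follow are
    attached to the most recent session.
    """
    sessions: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Interface":
            sessions.append({})
        if sessions:
            sessions[-1][key] = value
    return sessions


def sessions_missing_ip(sessions: List[Dict[str, str]]) -> List[str]:
    """Interfaces that are authorized but for which no IP binding was learned."""
    return [
        s["Interface"]
        for s in sessions
        if s.get("Status") == "Authz Success"
        and s.get("IP Address", "Unknown") == "Unknown"
    ]


if __name__ == "__main__":
    for intf in sessions_missing_ip(parse_sessions(SAMPLE_OUTPUT)):
        print(f"{intf}: authorized but IP unknown (no IPDT binding)")
```

Feed it the output of the same command for a range of ports to spot which authorized sessions never got an IP binding, then compare with "show ip device tracking all" once IPDT is enabled.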