12648 Views · 0 Helpful · 6 Replies

IP address unknown "show authentication session interface"

lap
Level 2

Hi,

I have the following issue:

Several hosts on a specific VLAN cannot reach a VNC server which is located in the same VLAN. All the ports are running 802.1X and hosts are authenticated based on certificate.

The hosts that have the issue are always authenticated with success and a "show authentication session interface <INT-NAME>" shows the following output for a client:

SW#sh authentication sessions interface g1/0/42
            Interface:  GigabitEthernet1/0/42
          MAC Address:  4437.e668.9896
           IP Address:  Unknown
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  100
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0000000000000AA09F7A3843
      Acct Session ID:  0x00000CD7
               Handle:  0x2D000AA0

The server:

SW#sh authentication sessions interface g2/0/43
            Interface:  GigabitEthernet2/0/43
          MAC Address:  4437.e68a.4048
           IP Address:  10.10.10.254
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  100
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  00000000000008DC576F3B64
      Acct Session ID:  0x000009CB
               Handle:  0x200008DC

If I do a "clear authentication sessions interface g1/0/42" on one of the client ports, then the IP address is not unknown anymore:

SW#sh authentication sessions interface g1/0/42
            Interface:  GigabitEthernet1/0/42
          MAC Address:  4437.e668.9896
           IP Address:  10.10.10.20
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  100
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0000000000000E63AA195FED
      Acct Session ID:  0x000010A6
               Handle:  0x92000E63

Then the client can connect to the server without any issues. Does anyone have a solution to fix this issue?

All ports are configured the same (client and server) and DHCP snooping is running for the authenticated VLAN (100):

!
interface GigabitEthernet1/0/42
 switchport access vlan 999
 switchport mode access
 switchport nonegotiate
 switchport block multicast
 switchport block unicast
 switchport port-security maximum 4
 switchport port-security
 switchport port-security violation restrict
 ip arp inspection limit rate 50
 authentication host-mode multi-domain
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
 storm-control broadcast level 5.00
 storm-control action shutdown
 no vtp
 ip dhcp snooping limit rate 50
!

Platform: cisco WS-C3750X-48P

IOS: c3750e-universalk9-mz.122-55.SE3.bin

Authentication Server: Cisco ISE

Best regards,

Laurent
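As an added example (not code from the original post, and not a Cisco tool), here is a small Python checker that parses a run of "show authentication sessions interface" outputs like the ones quoted above and flags sessions that are authorized but still show "IP Address: Unknown". Pasting the output of the command for every access port into it gives a per-MAC list of the affected sessions instead of checking ports one at a time. The sample text is constructed from the two outputs in the question, trimmed to the fields the check needs.

```python
import re

# Constructed sample: the client (IP Unknown) and server (IP learned) sessions
# from the question above, trimmed to the fields the check uses.
SAMPLE_OUTPUT = """\
SW#sh authentication sessions interface g1/0/42
            Interface:  GigabitEthernet1/0/42
          MAC Address:  4437.e668.9896
           IP Address:  Unknown
               Status:  Authz Success
               Domain:  DATA
          Vlan Policy:  100
    Common Session ID:  0000000000000AA09F7A3843
SW#sh authentication sessions interface g2/0/43
            Interface:  GigabitEthernet2/0/43
          MAC Address:  4437.e68a.4048
           IP Address:  10.10.10.254
               Status:  Authz Success
               Domain:  DATA
          Vlan Policy:  100
    Common Session ID:  00000000000008DC576F3B64
"""

# One "Key:  Value" line of the show output; keys are words separated by spaces.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]+?):\s+(.*?)\s*$")


def parse_sessions(text):
    """Split concatenated 'show authentication sessions interface' outputs
    into one dict per session. A new session starts at every 'Interface:'
    line; prompt/command echo lines carry no colon and are skipped."""
    sessions = []
    current = None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Interface":
            current = {}
            sessions.append(current)
        if current is not None:
            current[key] = value
    return sessions


def sessions_missing_ip(sessions):
    """Return authorized sessions whose IP Address is still 'Unknown', i.e.
    the switch has no IP-to-MAC binding for that endpoint yet, so anything
    applied per client IP (dACL, redirect ACL) cannot attach to it."""
    return [
        s for s in sessions
        if s.get("Status") == "Authz Success" and s.get("IP Address") == "Unknown"
    ]


def report(text):
    """Human-readable summary: one line per affected session."""
    lines = []
    for s in sessions_missing_ip(parse_sessions(text)):
        lines.append(
            "%s  mac=%s  vlan=%s  session=%s  IP unknown"
            % (s["Interface"], s.get("MAC Address", "?"),
               s.get("Vlan Policy", "?"), s.get("Common Session ID", "?"))
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_OUTPUT):
        print(line)
```

On a real switch the input would be the saved output of the command for all ports (or `show authentication sessions` followed by the per-interface command for each entry); the parser only depends on the "Key:  Value" layout shown in the question.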

6 Replies

Tarik Admani
VIP Alumni

Hi,

You may want to consider adding ip device-tracking to see if this helps your situation.

Thanks,

Tarik Admani
*Please rate helpful posts*

Hi Tarik,

Thanks for your response.

Can you explain what is "ip device-tracking" for and why it can help to solve this problem?

/Laurent

Hi Tarik,

Any news?

Best Regards,

Laurent

Hi,

The ip device tracking command builds an IP address, to MAC address, to VLAN binding when users connect to the network.

Here is a thread where this was resolved for another scenario.

https://supportforums.cisco.com/thread/2057414


Hi Tarik,

Is this command used in combination with dot1x? The switch is running DHCP snooping so the MAC/IP/VLAN should already be present in the DHCP snooping database, no?

I would like to understand what is causing the problem and how this command can solve it.

Regards,

Laurent

Srihdasari
Level 1

The client IP address is learned by the IP Device Tracking feature (IPDT). This is an important feature for the switch to track the IP address of the machine and then apply dACLs and redirection ACLs on that port using the device IP address. Please refer to the document below, which explains all about ip device tracking.

https://www.cisco.com/c/en/us/support/docs/ip/address-resolution-protocol-arp/118630-technote-ipdt-00.html