
IPV4 ADDRESS unknown

pankajpatil
Level 1

sh authentication sessions interface GigabitEthernet1/0/36 details
Interface: GigabitEthernet1/0/36
IIF-ID: 0x14A1BD96
MAC Address: e86a.64cd.6368
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: host/PUNLT0101059.abc.com
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: in
Session timeout: 28800s (server), Remaining: 28773s
Timeout action: Reauthenticate
Common Session ID: 0460DE0A000000192186A075
Acct Session ID: 0x00000002
Handle: 0x6300000e
Current Policy: POLICY_Gi1/0/36

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure

Server Policies:
Session-Timeout: 28800 sec
Idle timeout: 90 sec
ACS ACL: xACSACLx-IP-Wired_AD_Computer-57e437ad

Method status list:
Method State
dot1x Authc Success

We are getting IPv4 address unknown on a Cisco 9200 switch. Tried device tracking, but it didn't work.

10 Replies

pankajpatil
Level 1

This is the interface configuration:

authentication control-direction in
authentication event fail action next-method
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server dynamic
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 7
spanning-tree portfast
end

Could you please share the output of the access list "xACSACLx-IP-Wired_AD_Computer-57e437ad"? The issue could be that on that dACL there is no entry to allow the DHCP traffic. If that is not the case, it could be that there is no DHCP helper configured on the SVI where that endpoint is located.

Extended IP access list xACSACLx-IP-Wired_AD_Computer-57e437ad
10 permit ip any any

 

On the SVI, the helper address is there.

balaji.bandi
Hall of Fame

What code is running on the Cisco 9200?

 

BB


Version 17.3.4b

The port is not configured with a VLAN, and this mode is low-mode dot1x.
The port must be configured with a VLAN and an ACL permitting DHCP & EAP; after auth, the dACL gives the client full access.

Add a VLAN and a pre-auth ACL.


The VLAN configuration is there; I missed pasting it here. The same configuration is working on a 2960 switch without any issues.



 

 

Mike.Cifelli
VIP Alumni

tried device tracking but it didn't work

- Is DHCP snooping enabled? The binding table is used by IPDT so it can map MAC to IP and constantly keep the mapping current/up to date. Without it, the NAD will not be able to track an IP associated with a client MAC.

Example:

ip dhcp snooping vlan x,x,x, etc.
ip dhcp snooping

Test and check results. HTH!

Without device tracking, the configuration is working on 2960 switches without any issues.

ip device tracking probe delay 20 <- need this command to resolve the issue.
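
An added example, not part of the thread: a Python check that parses `show authentication sessions ... details` output in the format posted above and lists sessions that are Authorized but have no IPv4 address learned, which is the symptom in the first post. The second session in the sample and the function names are constructed for illustration.

```python
import re

# Constructed sample in the format shown in the first post, trimmed to the
# fields the check uses. The second session (Gi1/0/37) is invented.
SAMPLE = """\
Interface: GigabitEthernet1/0/36
MAC Address: e86a.64cd.6368
IPv4 Address: Unknown
User-Name: host/PUNLT0101059.abc.com
Status: Authorized
Server Policies:
ACS ACL: xACSACLx-IP-Wired_AD_Computer-57e437ad

Interface: GigabitEthernet1/0/37
MAC Address: 0011.2233.4455
IPv4 Address: 192.0.2.10
User-Name: host/EXAMPLE.abc.com
Status: Authorized
"""

FIELD = re.compile(r"^\s*([A-Za-z0-9 \-]+?):\s*(.*)$")

def parse_sessions(text):
    """Split session-details output into one dict per session."""
    sessions = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # blank lines and table rows such as "dot1x Authc Success"
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Interface":  # each session block starts with its interface
            sessions.append({})
        if sessions and value:  # skip headings like "Server Policies:"
            sessions[-1].setdefault(key, value)
    return sessions

def untracked_sessions(sessions):
    """Authorized sessions for which the switch has learned no IPv4 address."""
    return [s for s in sessions
            if s.get("Status") == "Authorized"
            and s.get("IPv4 Address", "Unknown").lower() == "unknown"]

if __name__ == "__main__":
    for s in untracked_sessions(parse_sessions(SAMPLE)):
        print(s["Interface"], s["MAC Address"], s.get("ACS ACL", "no dACL"))
```
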