ISE 2.0 (patch 1) authorization issue

deyster94
Level 5

I am running into a bit of an odd issue with ISE 2.0 (patch 1).  I have a Win 7 laptop that passes authC/authZ, gets an IP address, but cannot access any internal or external resources.  It's using 802.1x with EAP-TLS with machine and user certs from AD.  Along with this issue I am having another one with MAR, but TAC is looking into that issue.  

I just cannot figure out how the device can get an IP address, but not access anything on the network.  The laptop can do a release/renew of the IP address as well, so it's getting somewhere on the network.

TIA for any ideas.  

-Dan


4 Replies

jan.nielsen
Level 7
Is it wireless or wired? If wired, you should check on the switch with "show auth sess int x/x" to see if the switch has actually authorized the user and downloaded the ACL, if you are using open mode.

It's a wired deployment.  Results of show auth sess:

IT-READING-S04#sh authentication sessions int g1/0/27
Interface: GigabitEthernet1/0/27
MAC Address: f01f.af48.3290
IP Address: Unknown
User-Name: user@client.com
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
ACS ACL: xACSACLx-IP-Wired_Permit_All-5661b508
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC100BCC0000120BF61FB559
Acct Session ID: 0x0001DD8A
Handle: 0x36000215

Runnable methods list:
Method State
dot1x Authc Success
mab Not run

Nothing being blocked and the dACL is permit ip any any.

Looks like a dhcp snooping/device tracking issue: the auth sess does not know the ip of your windows pc and the ACL then does not get applied. You can check that with "show ip access-list interface x/x". Can you do a "show ip device tracking int x/x" and see if the device ip shows up as active? Also, have you configured the recommended settings in the switch using the trustsec universal switch config guide?
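The symptom Jan points at is visible in Dan's "show authentication sessions" output above: Status is Authz Success and an ACS ACL is present, yet IP Address is Unknown, so the switch has nothing to bind the dACL to. The script below is an added example (not from the original thread and not a Cisco tool) that parses that output and flags exactly that combination; the sample text is constructed from the thread's session plus a made-up healthy session on another port.

```python
import re

# Constructed sample, modelled on the thread's output: the broken session
# (IP Address: Unknown) plus a healthy one on another port with a tracked IP.
SAMPLE = """\
IT-READING-S04#sh authentication sessions int g1/0/27
Interface: GigabitEthernet1/0/27
MAC Address: f01f.af48.3290
IP Address: Unknown
User-Name: user@client.com
Status: Authz Success
ACS ACL: xACSACLx-IP-Wired_Permit_All-5661b508
IT-READING-S04#sh authentication sessions int g1/0/28
Interface: GigabitEthernet1/0/28
MAC Address: 0011.2233.4455
IP Address: 10.1.2.50
User-Name: other@client.com
Status: Authz Success
ACS ACL: xACSACLx-IP-Wired_Permit_All-5661b508
"""

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 -]*?):\s*(.*?)\s*$")  # "Label: value"


def parse_sessions(text):
    """Split 'show authentication sessions' output into one dict per session."""
    sessions, current = [], {}
    for line in text.splitlines():          # prompt/command echo lines have no colon and are skipped
        if line.startswith("Interface:") and current:
            sessions.append(current)        # a new Interface: line starts the next session
            current = {}
        m = FIELD.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    if current:
        sessions.append(current)
    return sessions


def dacl_without_ip(sessions):
    """Authorized sessions with a dACL but no tracked endpoint IP: the dACL cannot
    be applied until DHCP snooping / IP device tracking learns the address."""
    findings = []
    for s in sessions:
        authorized = s.get("Status", "").startswith("Authz Success")
        acl = s.get("ACS ACL")
        ip = s.get("IP Address", "Unknown")
        if authorized and acl and ip.lower() == "unknown":
            findings.append((s.get("Interface"), s.get("MAC Address"), acl))
    return findings
```

Run it over the pasted output of every port you suspect; any tuple returned is a port where the host will get DHCP but nothing else until the switch learns its IP.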

Jan,

It was the dhcp snooping/tracking config missing from the switch.  Thanks for the help!

-Dan