Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
568
Views
0
Helpful
3
Replies

ISE 2.1 with 4510R+E (firmware 03.08.05) NAD : PC (802.1x) behinds IP Phone 7911-G (MAB), when authenticate get address 169.X.X.X

issmoussa1
Level 4
Level 4

‎01-28-2018 01:57 AM - edited ‎02-21-2020 10:44 AM

Hello dear community,

 

since we changed our Switch 3850 to 4510R+E all PCs (802.1x) behind 7911-G (MAB) phones that authenticate at ISE get addresses 169.x.x.x. We have to disconnect and reconnect the cable from the phone so that the PC has a good DHCP address. Every mornong, all users that use 7911-G have to disconnect and reconnect cable in order to get a good address.

 

the rest of the PCs connected to 7942, 7821, 6921 are working normally and have the correct DHCP addresses.

 

Does anyone already encounter this kind of issue?

Labels:
0 Helpful
3 Replies 3

marce1000
VIP
VIP

‎01-28-2018 06:02 AM

>....

>authenticate at ISE get addresses 169.x.xx

 - How do you know they really 'use' ISE once that address is obtained; check your ise-auth logs to confirm, also check your dhcp server's log , to see wether is a DHCP request is done or not , at those time frame, when the ise authentication is attempted (check for ise-dhcp 'syncing').

M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

issmoussa1
Level 4
Level 4
In response to marce1000

‎01-28-2018 09:08 AM

thank you for the answer.
At the level of the ISE logs, I see that both (PC and IP Phone) are authenticated successfully. It's just that the PC address is still 169.X.X.X
Similarly, with the "show authentication session int gx / x / x details" command, I see that both are still authenticated.
For other types of phones, no problem.

0 Helpful

marce1000
VIP
VIP
In response to issmoussa1

‎01-28-2018 10:03 AM

 - Looks like there is some race condition; between the iphone authenticating, and the PC (already) waiting for a DHCP answer. Verify this by checking your DHCP server's logs and look for the PC-Mac-address (the PC falls back to a link-local address apparently ). I ackowledge that it previously worked, perhaps the new switch needs extra or other do1x sequence of port settings. I am not sure. I always feel a little bit wary about such setups, because of ISE being complex on it's own. I don't prefer PC's behind iphones when ISE is used , especially with supplicants. On intrAnet, I would prefer PC with S/A connection(s).

M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful
Customers Also Viewed These Support Documents