cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1787
Views
0
Helpful
1
Replies

ISE 2.6 Patch 8 - No session / authentication open

Hi,

 

my Customer has some strange behaviors on his Switches with some clients.

First the config (Closed Mode):

 

 

aaa group server radius ISE
 server name cisco-nac01
 server name cisco-nac02
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE 
aaa accounting update newinfo periodic 2880
aaa accounting dot1x default start-stop group ISE
aaa accounting network default start-stop group ISE


aaa server radius dynamic-author
 client 10.30.1.16 server-key 7 <removed>
 client 10.30.1.17 server-key 7 <removed>
 
 authentication mac-move permit
 
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
!
radius server cisco-nac01
 address ipv4 X.X.X.X auth-port 1812 acct-port 1813
 automate-tester username switch_ise_check idle-time 10
 key 7 <removed>
!
radius server cisco-nac02
 address ipv4 X.X.X.X auth-port 1812 acct-port 1813
 automate-tester username switch_ise_check idle-time 10
 key 7 <removed>
 
 
 interface GigabitEthernet1/0/X
 switchport access vlan 332 (Guest VLAN with Captive portal)
 switchport mode access
 authentication event server alive action reinitialize 
 authentication host-mode multi-auth
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
 dot1x max-reauth-req 1
 spanning-tree portfast edge
 spanning-tree bpduguard enable

They have 2960X with Release 15.2.7E0a (we already tested with newer Releases but i didnt work. we also can not use newer releases cause we ran into some bugs.)

 

Ok now to the actual problem:

First, with this config mostly everything works fine. But there are about 5 Clients (500 Clients overall) that have strang behaviors. when i configure the interfaces with the config above, the misbehaving client doesnt get a session:

 

Switch#sho authentication sess int g1/0/12 details 
No sessions match supplied criteria.

then i add this to the port:

authentication open

then the clients gets a session with dhcp IP etc. :

 

Switchr#sho authentication sess int g1/0/12 details 
            Interface:  GigabitEthernet1/0/12
          MAC Address:  XXXX.XXXX.XXXX
         IPv6 Address:  Unknown
         IPv4 Address:  10.X.X.X
            User-Name:  00-03-05-18-04-22
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  3600s (server), Remaining: 3220s
       Timeout action:  Reauthenticate
      Restart timeout:  N/A
Periodic Acct timeout:  172800s (local), Remaining: 172421s
       Session Uptime:  392s
    Common Session ID:  0A1E3206000031B4614F1C82
      Acct Session ID:  0x00003168
               Handle:  0xDD000D77
       Current Policy:  POLICY_Gi1/0/12

Local Policies:
	Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
           Vlan Group:  Vlan: 250

Method status list: 
      Method            State 

      dot1x              Stopped
      mab                Authc Success

But the client doenst work. i can not ping or get to its http interface, although it got the correct adresse from the dynamic vlan 250.

i have to add

switchport access vlan 250

Now it works... 

 

Other Clients in the same Policy Set etc. with MAB and dynamic vlan 250 are working perfect! just these **** 5 Clients..

 

Anything i dont see?

 

1 Accepted Solution

Accepted Solutions

Hi @fabian.kaltenschnee ,

 try the following show/debugs to clarify the case:

show mac address table interface <interface>
debug dot1x all
debug mab all
debug mac-notification

 

Hope this helps !!!

View solution in original post

1 Reply 1

Hi @fabian.kaltenschnee ,

 try the following show/debugs to clarify the case:

show mac address table interface <interface>
debug dot1x all
debug mab all
debug mac-notification

 

Hope this helps !!!