ISE 2.6 Patch 8 - No session / authentication open

Hi,

My customer has some strange behaviors on his switches with some clients.

First the config (Closed Mode):

aaa group server radius ISE
 server name cisco-nac01
 server name cisco-nac02
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE 
aaa accounting update newinfo periodic 2880
aaa accounting dot1x default start-stop group ISE
aaa accounting network default start-stop group ISE


aaa server radius dynamic-author
 client 10.30.1.16 server-key 7 <removed>
 client 10.30.1.17 server-key 7 <removed>
!
authentication mac-move permit
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
!
radius server cisco-nac01
 address ipv4 X.X.X.X auth-port 1812 acct-port 1813
 automate-tester username switch_ise_check idle-time 10
 key 7 <removed>
!
radius server cisco-nac02
 address ipv4 X.X.X.X auth-port 1812 acct-port 1813
 automate-tester username switch_ise_check idle-time 10
 key 7 <removed>
!
interface GigabitEthernet1/0/X
 ! VLAN 332 is the guest VLAN with the captive portal
 switchport access vlan 332
 switchport mode access
 authentication event server alive action reinitialize 
 authentication host-mode multi-auth
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
 dot1x max-reauth-req 1
 spanning-tree portfast edge
 spanning-tree bpduguard enable

They have 2960X switches with Release 15.2.7E0a (we already tested with newer releases, but it didn't work; we also cannot use newer releases because we ran into some bugs).

Ok now to the actual problem:

First, with this config mostly everything works fine. But there are about 5 clients (500 clients overall) that have strange behaviors. When I configure the interfaces with the config above, the misbehaving client doesn't get a session:

Switch#sho authentication sess int g1/0/12 details 
No sessions match supplied criteria.

Then I add this to the port:

authentication open

Then the client gets a session with a DHCP IP, etc.:

Switch#sho authentication sess int g1/0/12 details 
            Interface:  GigabitEthernet1/0/12
          MAC Address:  XXXX.XXXX.XXXX
         IPv6 Address:  Unknown
         IPv4 Address:  10.X.X.X
            User-Name:  00-03-05-18-04-22
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  3600s (server), Remaining: 3220s
       Timeout action:  Reauthenticate
      Restart timeout:  N/A
Periodic Acct timeout:  172800s (local), Remaining: 172421s
       Session Uptime:  392s
    Common Session ID:  0A1E3206000031B4614F1C82
      Acct Session ID:  0x00003168
               Handle:  0xDD000D77
       Current Policy:  POLICY_Gi1/0/12

Local Policies:
	Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
           Vlan Group:  Vlan: 250

Method status list: 
      Method            State 

      dot1x              Stopped
      mab                Authc Success

But the client doesn't work. I cannot ping it or get to its HTTP interface, although it got the correct address from the dynamic VLAN 250.

I have to add

switchport access vlan 250

Now it works...

Other clients in the same policy set etc. with MAB and dynamic VLAN 250 are working perfectly! Just these **** 5 clients...

Anything I don't see?

Accepted Solution

Hi @fabian.kaltenschnee ,

Try the following show/debug commands to clarify the case:

show mac address-table interface <interface>
debug dot1x all
debug mab all
debug mac-notification

Hope this helps!!!

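As an added worked example (not part of the original post or the accepted answer), here is a small Python helper that parses the two outputs the answer asks for, `show authentication sessions interface ... details` and `show mac address-table interface ...`, and cross-checks them. It reports a port with no session at all (the first symptom in the question), and, where a session exists, whether the MAC is learned in a VLAN other than the one ISE assigned. Whether that mismatch is actually the cause of the customer's problem is not established by the thread; it is a hypothesis the check is built to confirm or rule out. The session dump and MAC table below are constructed samples modelled on the output in the post: the MAC address, IP address, and the 332/250 VLAN pair are made up, and the MAC-table header layout is approximated.

```python
"""Cross-check an IOS MAB/802.1X session against the MAC address table.

Constructed sample output below; it is modelled on the post, not copied from
a real switch, and the MAC, IP and VLAN numbers are made up.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of 'show authentication sessions interface ... details'.
SESSION_OUTPUT = """\
            Interface:  GigabitEthernet1/0/12
          MAC Address:  0003.0518.0422
         IPv4 Address:  10.30.50.77
            User-Name:  00-03-05-18-04-22
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
       Current Policy:  POLICY_Gi1/0/12

Server Policies:
           Vlan Group:  Vlan: 250

Method status list:
      Method            State

      dot1x              Stopped
      mab                Authc Success
"""

# Constructed sample of 'show mac address-table interface Gi1/0/12':
# the MAC is learned in the static access VLAN, not the server-assigned one.
MAC_TABLE_OUTPUT = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 332    0003.0518.0422    DYNAMIC     Gi1/0/12
Total Mac Addresses for this criterion: 1
"""

SHORT_NAMES = {"GigabitEthernet": "Gi", "TenGigabitEthernet": "Te", "FastEthernet": "Fa"}
KV_RE = re.compile(r"^\s*([A-Za-z][^:]*?):\s+(\S.*?)\s*$")
METHOD_RE = re.compile(r"^\s+(dot1x|mab)\s+(.+?)\s*$")
MAC_ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+(\S+)\s+(\S+)\s*$")


@dataclass(frozen=True)
class MacEntry:
    vlan: int
    mac: str
    port: str


def short_if(name: str) -> str:
    """Map 'GigabitEthernet1/0/12' to the 'Gi1/0/12' form used by the MAC table."""
    for long, short in SHORT_NAMES.items():
        if name.startswith(long):
            return short + name[len(long):]
    return name


def normalize_mac(raw: str) -> str:
    """Accept 00-03-05-18-04-22 / 0003.0518.0422 / 00:03:... and return dotted form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def parse_session(text: str) -> Optional[dict]:
    """Return the key session fields, or None when the switch reports no session."""
    if "No sessions match" in text:
        return None
    fields, methods = {}, {}
    for line in text.splitlines():
        m = METHOD_RE.match(line)
        if m:
            methods[m.group(1)] = m.group(2)
            continue
        m = KV_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    if "Interface" not in fields or "MAC Address" not in fields:
        return None
    vlan_match = re.search(r"Vlan:\s*(\d+)", fields.get("Vlan Group", ""))
    return {
        "interface": fields["Interface"],
        "mac": normalize_mac(fields["MAC Address"]),
        "status": fields.get("Status", "?"),
        "server_vlan": int(vlan_match.group(1)) if vlan_match else None,
        "methods": methods,
    }


def parse_mac_table(text: str) -> list:
    return [MacEntry(int(m.group(1)), m.group(2).lower(), m.group(4))
            for m in map(MAC_ROW_RE.match, text.splitlines()) if m]


def diagnose(session: Optional[dict], entries: list) -> list:
    """Return human-readable findings; an empty list means nothing looks wrong."""
    if session is None:
        return ["no session on the port: MAB/802.1X never produced a session for this "
                "client (collect 'debug mab all' and 'debug dot1x all' while it links up)"]
    findings = []
    if session["status"] != "Authorized":
        findings.append(f"session status is {session['status']}, not Authorized")
    if session["methods"].get("mab") != "Authc Success":
        findings.append(f"MAB state is {session['methods'].get('mab', 'absent')}")
    port = short_if(session["interface"])
    learned = [e for e in entries
               if e.mac == session["mac"] and e.port.lower() == port.lower()]
    if not learned:
        findings.append(f"{session['mac']} is not in the MAC address table on {port}")
    for e in learned:
        if session["server_vlan"] is not None and e.vlan != session["server_vlan"]:
            findings.append(f"{session['mac']} is learned in VLAN {e.vlan} on {port} "
                            f"but the server assigned VLAN {session['server_vlan']}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_session(SESSION_OUTPUT), parse_mac_table(MAC_TABLE_OUTPUT)):
        print("FINDING:", finding)
```

Paste the two real outputs into `SESSION_OUTPUT` and `MAC_TABLE_OUTPUT` (or read them from files) and run the script per affected port; a "learned in VLAN 332 ... assigned VLAN 250" finding on the broken ports but not on working ones would support the accepted answer's line of investigation, while an empty result points back at the debugs it lists.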