cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2757
Views
0
Helpful
7
Replies

ISE Authentication Succeed but the Windows not obtaining IP

Hello 

after enabling NAC on a C2960S-UNIVERSALK9-M , the authentication result in success but WKS doesn't obtain IP

I receive the following log;

194541: Sep 15 16:40:21.116 EET: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 1803.7322.ff73| AuditSessionID 0A2E080D00000A45825AABF8| EVENT APPLY
194542: Sep 15 16:40:21.116 EET: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-531f2938| EVENT DOWNLOAD_REQUEST
194543: Sep 15 16:40:21.116 EET: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 1803.7322.ff73| AuditSessionID 0A2E080D00000A45825AABF8| EVENT APPLY
194544: Sep 15 16:40:21.132 EET: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-531f2938| EVENT DOWNLOAD-SUCCESS
194545: Sep 15 16:40:21.153 EET: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 1803.7322.ff73| AuditSessionID 0A2E080D00000A45825AABF8| EVENT IP-WAIT

 

 

the switchport configuration:

interface GigabitEthernet0/3
switchport mode access
authentication control-direction in
authentication event fail action next-method
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x max-reauth-req 1
spanning-tree portfast
end

 

 

and :

#show authentication sessions interface g0/3 details
Interface: GigabitEthernet0/3
MAC Address: 1803.7322.ff73
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: CENTRAL-DOMAIN\xxxxxxx
Status: Authorized
Domain: DATA
Oper host mode: single-host
Oper control dir: in
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: 86400s (local), Remaining: 86331s
Session Uptime: 72s
Common Session ID: 0A2E080D00000A45825AABF8
Acct Session ID: 0x000009BB
Handle: 0x0C0000D9
Current Policy: POLICY_Gi0/3

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Method status list:
Method State

dot1x Authc Success

can anyone help with the above?

To receive a valid authentication, I implement machine and user changing against AD. 

the problem appears after  upgrading  to Windows 10 

 

7 Replies 7

Colby LeMaire
VIP Alumni
VIP Alumni

First thing I see is that you are not setting the access vlan on the port so it is defaulting to VLAN 1.  Does VLAN 1 have an SVI interface with an "ip helper-address" configured to forward DHCP requests to the DHCP server?  I don't recommend using VLAN 1.  Should probably set that to another VLAN.  Also, do you have IP Device Tracking enabled on the switch?

hello.

DHCP is local on the switch.

i configure new vlan 101  :

interface Vlan101
ip address 10.99.99.1 255.255.255.0
end 

 

and :

ip dhcp pool Test
network 10.99.99.0 255.255.255.0
domain-name YYYYYYY
dns-server X.X.X.X

netbios-node-type p-node
default-router 10.99.99.1

 

 

 

interface configuration:

interface GigabitEthernet0/3
switchport access vlan 101
switchport mode access
authentication control-direction in
authentication event fail action next-method
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x max-reauth-req 1
spanning-tree portfast
end

 

I receive the same log and same result :

Interface: GigabitEthernet0/3
MAC Address: 1803.7322.ff73
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: CENTRAL-DOMAIN\XXXXX
Status: Authorized
Domain: DATA
Oper host mode: single-host
Oper control dir: in
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: 86400s (local), Remaining: 86285s
Session Uptime: 121s
Common Session ID: 0A2E080D00000A48837D4370
Acct Session ID: 0x000009BE
Handle: 0x610000DB
Current Policy: POLICY_Gi0/3

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Method status list:
Method State

dot1x Authc Success

 

 

IP device tracking is enabled.

#show run | i device
ip device tracking probe delay 10

 

SVI of vlan 101 is in another switch that is connected with this one via trunk interface. 

So your VLAN 101 interface with IP 10.99.99.1 is on a different switch across a trunk?  But you are configuring your DHCP server and pool on the L2 switch that the client is plugging into?  I believe the SVI and DHCP server need to be on the same switch OR you need to configure an ip helper-address to tell the SVI where to forward DHCP requests to.

The DHCP and POOL are on the same switch.

Sorry for the dumb question, does the switch where dhcp pool resides have a L3 interface on the same vlan?

Yes, it has L3. The switch that has the SVI and POOL works well with NAC.

 

 


Gi1/0/10 0025.64d9.3d9c dot1x DATA Auth 0A09017600000180B34DA926
Gi1/0/12 000d.0284.2d39 mab DATA Auth 0A090176000001ACC7435330
Gi1/0/7 0025.64d9.017c dot1x DATA Auth 0A0901760000000D000195D1
Gi1/0/13 1803.734c.0a22 dot1x DATA Auth 0A090176000001C7D180A9CE

If the issue is on that host only most probably it's not a network issue, have you tried to upgrade network interface drivers?