09-15-2020 06:45 AM
Hello
After enabling NAC on a C2960S-UNIVERSALK9-M, the authentication results in success but the WKS doesn't obtain an IP.
I receive the following log:
194541: Sep 15 16:40:21.116 EET: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 1803.7322.ff73| AuditSessionID 0A2E080D00000A45825AABF8| EVENT APPLY
194542: Sep 15 16:40:21.116 EET: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-531f2938| EVENT DOWNLOAD_REQUEST
194543: Sep 15 16:40:21.116 EET: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 1803.7322.ff73| AuditSessionID 0A2E080D00000A45825AABF8| EVENT APPLY
194544: Sep 15 16:40:21.132 EET: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-531f2938| EVENT DOWNLOAD-SUCCESS
194545: Sep 15 16:40:21.153 EET: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 1803.7322.ff73| AuditSessionID 0A2E080D00000A45825AABF8| EVENT IP-WAIT
The switchport configuration:
interface GigabitEthernet0/3
switchport mode access
authentication control-direction in
authentication event fail action next-method
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x max-reauth-req 1
spanning-tree portfast
end
and:
#show authentication sessions interface g0/3 details
Interface: GigabitEthernet0/3
MAC Address: 1803.7322.ff73
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: CENTRAL-DOMAIN\xxxxxxx
Status: Authorized
Domain: DATA
Oper host mode: single-host
Oper control dir: in
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: 86400s (local), Remaining: 86331s
Session Uptime: 72s
Common Session ID: 0A2E080D00000A45825AABF8
Acct Session ID: 0x000009BB
Handle: 0x0C0000D9
Current Policy: POLICY_Gi0/3
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Method status list:
Method State
dot1x Authc Success
Can anyone help with the above?
To receive a valid authentication, I implement machine and user chaining against AD.
The problem appears after upgrading to Windows 10.
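The log above shows the dACL (xACSACLx-IP-PERMIT_ALL_TRAFFIC-531f2938) being downloaded successfully while the session still sits in IP-WAIT with IP 0.0.0.0; EPM reports IP-WAIT when IP device tracking has not yet learned the client's address, and the dACL is not applied until it does. The following correlator is an added example, not code from the original post: the five EPM lines are the ones quoted above, the second (healthy) session with its IP-ASSIGNMENT event is constructed, and the regexes, function names and the rule that attributes id-less %EPM-6-AAA lines to the most recent session are this example's own assumptions.

```python
"""Triage Cisco EPM syslog lines for 802.1X sessions whose downloadable ACL
was fetched but that never left IP-WAIT (no client IP learned by IP device
tracking, so the dACL cannot be applied).

Added example for this thread, not code from the original post.
"""
import re
from collections import OrderedDict

# %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 1803.7322.ff73| AuditSessionID ...| EVENT APPLY
# %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-531f2938| EVENT DOWNLOAD-SUCCESS
# %EPM-6-IPEVENT: IP 0.0.0.0| MAC 1803.7322.ff73| AuditSessionID ...| EVENT IP-WAIT
EPM_RE = re.compile(r"%EPM-6-(?P<kind>[A-Z_]+): (?P<body>.*)$")
FIELD_RE = re.compile(r"\b(?P<key>IP|MAC|AuditSessionID|POLICY|EVENT) (?P<val>[^|]+)")

# Lines 1-5 are copied from the question; lines 6-8 are a constructed second
# session that does obtain an address (IP-ASSIGNMENT event name assumed).
SAMPLE_LOG = [
    "194541: Sep 15 16:40:21.116 EET: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 1803.7322.ff73| AuditSessionID 0A2E080D00000A45825AABF8| EVENT APPLY",
    "194542: Sep 15 16:40:21.116 EET: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-531f2938| EVENT DOWNLOAD_REQUEST",
    "194543: Sep 15 16:40:21.116 EET: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 1803.7322.ff73| AuditSessionID 0A2E080D00000A45825AABF8| EVENT APPLY",
    "194544: Sep 15 16:40:21.132 EET: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-531f2938| EVENT DOWNLOAD-SUCCESS",
    "194545: Sep 15 16:40:21.153 EET: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 1803.7322.ff73| AuditSessionID 0A2E080D00000A45825AABF8| EVENT IP-WAIT",
    "194546: Sep 15 16:40:30.001 EET: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0011.2233.4455| AuditSessionID 0A2E080D00000A4600000000| EVENT APPLY",
    "194547: Sep 15 16:40:30.020 EET: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-531f2938| EVENT DOWNLOAD-SUCCESS",
    "194548: Sep 15 16:40:33.500 EET: %EPM-6-IPEVENT: IP 10.99.99.50| MAC 0011.2233.4455| AuditSessionID 0A2E080D00000A4600000000| EVENT IP-ASSIGNMENT",
]


def parse_epm(line):
    """Return {'kind': ..., 'IP': ..., 'MAC': ..., ...} or None for non-EPM lines."""
    m = EPM_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip() for k, v in FIELD_RE.findall(m.group("body"))}
    rec["kind"] = m.group("kind")
    return rec


def correlate_sessions(lines):
    """Group EPM events by AuditSessionID.

    %EPM-6-AAA lines carry no session id; they are attributed to the session of
    the most recent line that had one (assumption based on the ordering in the
    question: POLICY_REQ, AAA DOWNLOAD_REQUEST, POLICY_REQ, AAA DOWNLOAD-SUCCESS).
    """
    sessions = OrderedDict()
    last_sid = None
    for line in lines:
        rec = parse_epm(line)
        if rec is None:
            continue
        sid = rec.get("AuditSessionID", last_sid)
        if sid is None:
            continue
        last_sid = sid
        s = sessions.setdefault(sid, {"mac": None, "ip": None, "dacl": None,
                                      "dacl_downloaded": False, "last_ip_event": None})
        if "MAC" in rec:
            s["mac"] = rec["MAC"]
        if rec["kind"] == "AAA":
            s["dacl"] = rec.get("POLICY")
            if rec.get("EVENT") == "DOWNLOAD-SUCCESS":
                s["dacl_downloaded"] = True
        elif rec["kind"] == "IPEVENT":
            s["last_ip_event"] = rec.get("EVENT")
            s["ip"] = rec.get("IP")
    return sessions


def stuck_in_ip_wait(lines):
    """Sessions whose dACL downloaded but whose last IP event is IP-WAIT with no IP."""
    return {sid: s for sid, s in correlate_sessions(lines).items()
            if s["dacl_downloaded"] and s["last_ip_event"] == "IP-WAIT"
            and s["ip"] in (None, "0.0.0.0")}


if __name__ == "__main__":
    for sid, s in stuck_in_ip_wait(SAMPLE_LOG).items():
        print(f"{sid} MAC {s['mac']} dACL {s['dacl']} still in IP-WAIT")
```

Run over a longer `show logging` capture, a session that appears in this output long after its DOWNLOAD-SUCCESS is the one to look at on the client side (no DHCP DISCOVER reaching the switch) rather than on ISE, since the authorization itself already succeeded.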
09-15-2020 11:36 AM
First thing I see is that you are not setting the access vlan on the port so it is defaulting to VLAN 1. Does VLAN 1 have an SVI interface with an "ip helper-address" configured to forward DHCP requests to the DHCP server? I don't recommend using VLAN 1. Should probably set that to another VLAN. Also, do you have IP Device Tracking enabled on the switch?
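The three checks in the reply above (explicit access VLAN, an SVI for that VLAN with either an `ip helper-address` or a local DHCP pool covering its subnet, and IP device tracking) can be scripted against a pasted running-config. The following is an added example, not code from the original post or from Cisco: the first sample is the port from the question, the second sample and the global lines in it are constructed, and the function names and finding texts are this example's own.

```python
"""Lint a Cisco IOS running-config for an 802.1X/MAB access port: missing
'switchport access vlan' (port lands in VLAN 1), no usable SVI for that VLAN
on this switch, and no global 'ip device tracking' line.

Added example for this thread, not code from the original post.
"""
import ipaddress

# Interface block copied from the question (pasted without indentation).
FORUM_PORT_CONFIG = """
interface GigabitEthernet0/3
switchport mode access
authentication control-direction in
authentication event fail action next-method
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x max-reauth-req 1
spanning-tree portfast
end
"""

# Constructed config with the SVI, a matching local pool and IDT on this switch.
FIXED_CONFIG = """
ip device tracking
ip dhcp pool Test
 network 10.99.99.0 255.255.255.0
 default-router 10.99.99.1
interface Vlan101
 ip address 10.99.99.1 255.255.255.0
end
interface GigabitEthernet0/3
 switchport access vlan 101
 switchport mode access
 authentication port-control auto
 mab
 dot1x pae authenticator
end
"""


def parse_config(text):
    """Split a (possibly unindented, forum-pasted) IOS config into blocks.

    Returns {'global': [...], 'GigabitEthernet0/3': [...], 'Vlan101': [...], ...}.
    An interface block runs until 'end', '!' or the next 'interface' line,
    because pasted configs often lose their leading spaces.
    """
    blocks = {"global": []}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks.setdefault(current, [])
        elif line in ("end", "!"):
            current = "global"
        else:
            blocks[current].append(line)
    return blocks


def local_pool_networks(global_lines):
    """Networks of every 'ip dhcp pool' on this switch ('network' under
    'router ...' sections is ignored by resetting on the next top-level command)."""
    nets, in_pool = [], False
    for line in global_lines:
        if line.startswith("ip dhcp pool"):
            in_pool = True
        elif line.startswith(("ip ", "router ")):
            in_pool = False
        elif in_pool and line.startswith("network "):
            _, addr, mask = line.split()[:3]
            nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets


def lint_authenticating_port(text, interface):
    """Return a list of human-readable findings; empty means nothing to fix."""
    blocks = parse_config(text)
    port = blocks.get(interface)
    if port is None:
        return [f"{interface}: not in config"]
    if "authentication port-control auto" not in port:
        return []  # not an authenticating port, nothing to check
    findings = []
    vlan = 1
    vlan_lines = [l for l in port if l.startswith("switchport access vlan ")]
    if vlan_lines:
        vlan = int(vlan_lines[0].split()[3])
    else:
        findings.append(f"{interface}: no 'switchport access vlan', port defaults to VLAN 1")
    svi = blocks.get(f"Vlan{vlan}")
    if svi is None:
        findings.append(f"{interface}: no 'interface Vlan{vlan}' on this switch, "
                        "so a local DHCP pool cannot serve it")
    else:
        addr = next((l.split()[2:4] for l in svi if l.startswith("ip address ")), None)
        helper = any(l.startswith("ip helper-address ") for l in svi)
        served_locally = False
        if addr:
            svi_ip = ipaddress.ip_interface(f"{addr[0]}/{addr[1]}").ip
            served_locally = any(svi_ip in net for net in local_pool_networks(blocks["global"]))
        if not (helper or served_locally):
            findings.append(f"Vlan{vlan}: no 'ip helper-address' and no local DHCP pool "
                            "covering its subnet")
    if "ip device tracking" not in blocks["global"]:
        # Some IOS releases turn IDT on implicitly for dot1x/dACL ports without a
        # global line, so confirm with 'show ip device tracking all' before acting.
        findings.append("global: no 'ip device tracking' line; dACLs stay in IP-WAIT "
                        "until the client IP is learned")
    return findings


if __name__ == "__main__":
    for f in lint_authenticating_port(FORUM_PORT_CONFIG, "GigabitEthernet0/3"):
        print(f)
```

The helper-address check only says whether relay is configured, not whether the relay target answers; for the case later in the thread, where the SVI lives on another switch across a trunk, the port's switch has no `interface Vlan101` block and the script reports that rather than guessing at the remote device.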
09-15-2020 12:02 PM
Hello.
DHCP is local on the switch.
I configured a new VLAN 101:
interface Vlan101
ip address 10.99.99.1 255.255.255.0
end
and:
ip dhcp pool Test
network 10.99.99.0 255.255.255.0
domain-name YYYYYYY
dns-server X.X.X.X
netbios-node-type p-node
default-router 10.99.99.1
Interface configuration:
interface GigabitEthernet0/3
switchport access vlan 101
switchport mode access
authentication control-direction in
authentication event fail action next-method
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x max-reauth-req 1
spanning-tree portfast
end
I receive the same log and the same result:
Interface: GigabitEthernet0/3
MAC Address: 1803.7322.ff73
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: CENTRAL-DOMAIN\XXXXX
Status: Authorized
Domain: DATA
Oper host mode: single-host
Oper control dir: in
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: 86400s (local), Remaining: 86285s
Session Uptime: 121s
Common Session ID: 0A2E080D00000A48837D4370
Acct Session ID: 0x000009BE
Handle: 0x610000DB
Current Policy: POLICY_Gi0/3
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Method status list:
Method State
dot1x Authc Success
IP device tracking is enabled.
#show run | i device
ip device tracking probe delay 10
The SVI of VLAN 101 is on another switch that is connected to this one via a trunk interface.
09-15-2020 04:29 PM
So your VLAN 101 interface with IP 10.99.99.1 is on a different switch across a trunk? But you are configuring your DHCP server and pool on the L2 switch that the client is plugging into? I believe the SVI and DHCP server need to be on the same switch OR you need to configure an ip helper-address to tell the SVI where to forward DHCP requests to.
09-15-2020 11:05 PM
The DHCP and POOL are on the same switch.
09-16-2020 12:05 AM
Sorry for the dumb question, but does the switch where the DHCP pool resides have an L3 interface on the same VLAN?
09-16-2020 12:18 AM
Yes, it has an L3 interface. The switch that has the SVI and the pool works well with NAC.
Gi1/0/10 0025.64d9.3d9c dot1x DATA Auth 0A09017600000180B34DA926
Gi1/0/12 000d.0284.2d39 mab DATA Auth 0A090176000001ACC7435330
Gi1/0/7 0025.64d9.017c dot1x DATA Auth 0A0901760000000D000195D1
Gi1/0/13 1803.734c.0a22 dot1x DATA Auth 0A090176000001C7D180A9CE
09-16-2020 12:50 AM
If the issue is on that host only, most probably it's not a network issue. Have you tried upgrading the network interface drivers?