09-08-2015 08:03 AM - edited 03-10-2019 11:02 PM
So I encountered a strange problem the other day after changing the native/management VLAN on a switch. It was set to 1 and I changed it to 10. After that none of the PCs could get DHCP addresses. Restarted the router, switch and PCs to no avail. They would get the Windows APIPA address 169.254.x.x. As soon as I did an "auth open", they got IPs before I could even say "how about now", and all are working just fine. I need to know what caused this blockage before I start down the road of doing the other 170 networks that need to be done.
My steps were:
Create new VLAN on switch with IP, SSH into new VLAN IP, change original management VLAN, set native command on trunk ports and PC ports, change encap dot1q on router subinterface for new VLAN. Rebooted router and switch, and PCs. Had to "auth open" ports so PCs could get DHCP, then everything was fine. Then "no auth open" to return to normal, and all is well.
ISE version 1.1.0876 patch 4
distributed deployment
09-08-2015 10:17 AM
Is the device updated with the correct IP in ISE Network Devices?
Is it able to talk with ISE if you try "test aaa group radius ..."?
09-08-2015 10:29 AM
Yes, I added the new IP to Network Devices.
That I don't know, because I am investigating this after it happened.
09-08-2015 11:58 AM
Just to clarify, the switch and router were already in ISE and everything worked fine. We were just getting the management VLAN off 1.
Here is the port config on the switch before the change:
switchport mode access
switchport voice vlan 25
authentication event fail action authorize vlan 1
authentication event server dead action authorize vlan 1
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
int g0/3
switchport mode trunk
spanning-tree portfast trunk
Router:
int g0/0.20
encap dot1q 1 native
And after the change:
switchport access vlan 20
switchport mode access
switchport voice vlan 25
authentication event fail action authorize vlan 20
authentication event server dead action authorize vlan 20
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
int g0/3
switchport trunk native vlan 20
switchport mode trunk
spanning-tree portfast trunk
Router:
int g0/0.20
encap dot1q 20 native
After making and writing the changes I rebooted both devices and the PCs.
09-09-2015 02:13 PM
Any help is appreciated.
09-14-2015 06:37 AM
Could you post the complete config (without passwords, of course)?
Also, are you running DHCP snooping and IP device tracking?
When your PCs don't get a DHCP address, do they actually do a successful dot1x authentication? Are you assigning the new VLAN ID in your authorization result?
09-14-2015 06:54 AM
From what I remember, yes, some did get successful dot1x on the switch. We are assigning a new VLAN to that port as well.
09-18-2015 11:48 AM
Anything else you can think of?
09-08-2015 10:33 AM
OK, make sure it's talking with the right interface via "ip radius source-interface" on the switch/routers.
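Added example, not from the thread: a small Python checker that takes the switch and router configs after the change, flags any VLAN reference (access VLAN, the authorize-VLAN fallbacks, trunk native VLAN, router dot1q encapsulation) that still disagrees with the new management VLAN, and confirms that "ip radius source-interface" points at that VLAN's SVI as the reply above suggests. The sample configs are constructed from the snippets posted earlier in the thread; the leftover "ip radius source-interface Vlan1" line is hypothetical.

```python
import re
# Constructed sample configs modelled on the thread's "after" snippets; the
# "ip radius source-interface Vlan1" leftover is hypothetical, not from the post.
SWITCH_AFTER = """\
ip radius source-interface Vlan1
interface GigabitEthernet0/1
 switchport access vlan 20
 authentication event fail action authorize vlan 20
 authentication event server dead action authorize vlan 20
interface GigabitEthernet0/3
 switchport trunk native vlan 20
"""
ROUTER_AFTER = """\
interface GigabitEthernet0/0.20
 encapsulation dot1q 20 native
"""
# Lines whose VLAN number must all agree once the native/mgmt VLAN has moved.
VLAN_LINES = [
    r"^switchport access vlan (\d+)",
    r"^authentication event fail action authorize vlan (\d+)",
    r"^authentication event server dead action authorize vlan (\d+)",
    r"^switchport trunk native vlan (\d+)",
    r"^encap(?:sulation)? dot1q (\d+) native",
]
def parse_blocks(cfg):
    """Split an IOS-style config into {'global': [...], '<interface name>': [...]}."""
    blocks, cur = {"global": []}, "global"
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            blocks[cur] = []
        elif line.strip():
            blocks[cur].append(line.strip())
    return blocks

def check_vlan_move(switch_cfg, router_cfg, new_vlan):
    """Return findings where a VLAN reference or the RADIUS source still disagrees."""
    findings = []
    for dev, cfg in (("switch", switch_cfg), ("router", router_cfg)):
        for name, lines in parse_blocks(cfg).items():
            for line in lines:
                for pat in VLAN_LINES:
                    m = re.match(pat, line)
                    if m and int(m.group(1)) != new_vlan:
                        findings.append(f"{dev} {name}: '{line}' is not vlan {new_vlan}")
    # RADIUS must be sourced from the SVI whose IP ISE has for this device.
    src = [l for l in parse_blocks(switch_cfg)["global"] if l.startswith("ip radius source-interface")]
    if not src or src[0].split()[-1] != f"Vlan{new_vlan}":
        findings.append(f"switch global: RADIUS source-interface is not Vlan{new_vlan}")
    return findings
```

Run it against each of the remaining sites' configs before cutting over; an empty list means every VLAN reference and the RADIUS source agree with the new management VLAN.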
09-09-2015 04:13 PM
What is the status of "show auth sess interface x/x" when the PC is trying to get an IP address? Try running it with a few seconds' interval after you plug the PC in.
09-11-2015 08:25 AM
It would say running or failed.
09-13-2015 05:02 PM
Where is your DHCP server? Is it your router, or is it another device on your network? If so, just make sure your new VLAN exists all along the path between your switch and your DHCP server.
09-14-2015 06:25 AM
I don't think you read the entire post. How would an auth open fix that?