ISE blocking PCs after switch native VLAN change

preston trogden
Level 1

So I encountered a strange problem the other day after changing the native/management VLAN on a switch. It was set to 1 and I changed it to 10. After that none of the PCs could get DHCP addresses. Restarted the router and switch and PCs to no avail; they would get the Windows APIPA address 169.254.x.x. As soon as I did an "auth open", they got IPs before I could even say "how about now", and all are working just fine. I need to know what caused this blockage before I start down the road of doing the other 170 networks that need to be done.

My steps were:

Create a new VLAN on the switch with an IP, SSH into the new VLAN IP, change the original management VLAN, set the native command on trunk ports and PC ports, change encap dot1q on the router subinterface for the new VLAN. Rebooted router and switch, and PCs. Had to "auth open" the ports so PCs could get DHCP; then everything was fine. "No auth open" to return to normal, and all is well.

ISE version 1.1.0876 patch 4

distributed deployment

12 Replies

Tobias Svensson
Level 1

Is the device updated with the correct IP in ISE Network Devices?

Is it able to talk with ISE if you try "test aaa group radius ..."?

Yes, I added the new IP to Network Devices.

That I don't know, because I am investigating this after it happened.

Just to clarify, the switch and router were already in ISE and everything worked fine. We were just getting the management VLAN off 1.

Here is the port config on the switch before the change:


 switchport mode access
 switchport voice vlan 25
 authentication event fail action authorize vlan 1
 authentication event server dead action authorize vlan 1
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast

int g0/3
 switchport mode trunk
 spanning-tree portfast trunk

Router:

int g0/0.20
 encap dot1q 1 native

And after the change:

 switchport access vlan 20
 switchport mode access
 switchport voice vlan 25
 authentication event fail action authorize vlan 20
 authentication event server dead action authorize vlan 20
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast


int g0/3
 switchport trunk native vlan 20
 switchport mode trunk
 spanning-tree portfast trunk

Router:

int g0/0.20
 encap dot1q 20 native

After making and writing the changes I rebooted both devices and the PCs.

Any help is appreciated.
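A sanity check worth running before repeating this on the other 170 networks, as an added example that is not from the thread or from Cisco: it parses the before/after snippets posted above and flags any place where the PC port's access VLAN, its "fail" and "server dead" fallback VLANs, the trunk native VLAN and the router's native dot1Q tag disagree with the intended VLAN (20 in the posted config, where the PC data VLAN and the new native VLAN are the same number). The sample configs are constructed from the posted lines (abridged, and the PC port name GigabitEthernet0/1 is an assumption, since the post only names g0/3 and g0/0.20); the check logic is this example's own. It does not say why the ports stayed blocked, only whether the numbers line up.

```python
import re
from collections import OrderedDict

# Constructed sample configs, abridged from the ones posted in the thread.
# GigabitEthernet0/1 for the PC port is an assumption; the host-mode, order
# and priority lines are left out because the check does not look at them.
BEFORE = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport voice vlan 25
 authentication event fail action authorize vlan 1
 authentication event server dead action authorize vlan 1
 authentication event server alive action reinitialize
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
interface GigabitEthernet0/3
 switchport mode trunk
 spanning-tree portfast trunk
interface GigabitEthernet0/0.20
 encapsulation dot1Q 1 native
"""

AFTER = """\
interface GigabitEthernet0/1
 switchport access vlan 20
 switchport mode access
 switchport voice vlan 25
 authentication event fail action authorize vlan 20
 authentication event server dead action authorize vlan 20
 authentication event server alive action reinitialize
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
interface GigabitEthernet0/3
 switchport trunk native vlan 20
 switchport mode trunk
 spanning-tree portfast trunk
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20 native
"""


def parse_interfaces(config):
    """Split an IOS-style config into {interface name: [its indented lines]}."""
    interfaces = OrderedDict()
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces


def _vlan(lines, pattern, default=None):
    """Return the VLAN number captured by `pattern`, or `default` if absent."""
    for line in lines:
        m = re.match(pattern, line)
        if m:
            return int(m.group(1))
    return default


def check_migration(config, expected_vlan):
    """List every place where a VLAN number disagrees with `expected_vlan`."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" in lines:
            # IOS puts an access port in VLAN 1 when no access vlan is set.
            access = _vlan(lines, r"switchport access vlan (\d+)", default=1)
            fail = _vlan(lines, r"authentication event fail action authorize vlan (\d+)")
            dead = _vlan(lines, r"authentication event server dead action authorize vlan (\d+)")
            if access != expected_vlan:
                findings.append(f"{name}: access VLAN is {access}, expected {expected_vlan}")
            for label, vlan in (("fail", fail), ("server dead", dead)):
                if vlan is not None and vlan != access:
                    findings.append(f"{name}: '{label}' fallback VLAN {vlan} differs from access VLAN {access}")
        elif "switchport mode trunk" in lines:
            # An unset native VLAN on a trunk also means VLAN 1.
            native = _vlan(lines, r"switchport trunk native vlan (\d+)", default=1)
            if native != expected_vlan:
                findings.append(f"{name}: trunk native VLAN is {native}, expected {expected_vlan}")
        else:
            tag = _vlan(lines, r"encapsulation dot1[Qq] (\d+) native")
            if tag is not None and tag != expected_vlan:
                findings.append(f"{name}: router native tag is {tag}, expected {expected_vlan}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, check_migration(cfg, 20) or "ok")
```

Run against the "after" config with expected VLAN 20 it comes back empty; against the "before" config it reports the three places still on VLAN 1. A fallback VLAN left on 1 is worth catching in any case: once the router subinterface carries `dot1Q 20 native`, VLAN 1 no longer matches anything on the router side, so a client dropped into it by the fail or server-dead action would get no DHCP either.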

Could you post the complete config (without passwords, of course)?

Also, are you running DHCP snooping and IP device tracking?

When your PCs don't get a DHCP address, do they actually do a successful dot1x authentication? Are you assigning the new VLAN ID in your authorization result?

From what I remember, yes, some did get successful dot1x on the switch. We are assigning a new VLAN to that port as well.

Anything else you can think of?

OK, make sure it's talking with the right interface via "ip radius source-interface" on the switch/routers.

jan.nielsen
Level 7

What is the status of "show auth sess interface x/x" when the PC is trying to get an IP address? Try running it with a few seconds' interval after you plug the PC in.

It would say running or failed.
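To do what is suggested here systematically, an added example that is not from the thread and not Cisco's code: it parses the "show authentication sessions interface" display into fields, says what each Status means for a PC waiting on DHCP, and re-polls until the session reaches Authz Success or Authz Failed. With `authentication port-control auto` and no `authentication open`, the port forwards only EAPOL until the session is authorized, so a session that stays in Running is enough on its own to explain an APIPA address. The two session displays are constructed to look like the IBNS 1.0 output of that IOS era, not captured from the poster's switch, and the MAC, session ID and VLAN values in them are assumptions; the transport is left as a callable you pass in (an SSH wrapper in practice), so the block runs offline.

```python
import re
import time

# Constructed sample output (not captured from the poster's switch), laid out
# like the IBNS 1.0 "show authentication sessions interface" display.
SESSION_RUNNING = """\
            Interface:  GigabitEthernet0/1
          MAC Address:  0011.2233.4455
           IP Address:  Unknown
               Status:  Running
               Domain:  UNKNOWN
       Oper host mode:  multi-auth
     Oper control dir:  both
          Vlan Policy:  N/A
    Common Session ID:  0A0A0A010000001A0B1C2D3E
               Handle:  0x1B000001

Runnable methods list:
       Method   State
       mab      Running
       dot1x    Not run
"""

SESSION_SUCCESS = """\
            Interface:  GigabitEthernet0/1
          MAC Address:  0011.2233.4455
           IP Address:  Unknown
            User-Name:  00-11-22-33-44-55
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  20
    Common Session ID:  0A0A0A010000001A0B1C2D3E
               Handle:  0x1B000001

Runnable methods list:
       Method   State
       mab      Authc Success
       dot1x    Not run
"""

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z /-]*?):\s+(.*?)\s*$")
METHOD = re.compile(r"^\s*(mab|dot1x|webauth)\s+(.+?)\s*$")


def parse_session(text):
    """Turn the session display into {field: value} plus a 'methods' dict."""
    session = {"methods": {}}
    for line in text.splitlines():
        m = METHOD.match(line)
        if m:
            session["methods"][m.group(1)] = m.group(2)
            continue
        m = FIELD.match(line)
        if m:
            session[m.group(1)] = m.group(2)
    return session


def explain(session, expected_vlan):
    """Say what the session state means for a PC that is waiting on DHCP."""
    status = session.get("Status", "")
    if status == "Authz Success":
        vlan = session.get("Vlan Policy", "N/A")
        if vlan not in ("N/A", str(expected_vlan)):
            return f"authorized, but the server pushed VLAN {vlan} instead of {expected_vlan}"
        return "authorized; if DHCP still fails, look beyond the port (trunk, router, scope)"
    if status == "Authz Failed":
        return "failed; the port lands in the 'fail action authorize' VLAN, if one is set"
    if status == "Running":
        return "still authenticating; in closed mode only EAPOL passes, so DHCP is dropped"
    return f"unexpected status {status!r}"


def poll_session(run, interface, expected_vlan, attempts=10, delay=2.0, sleep=time.sleep):
    """Re-run the show command until the session settles; return (status, why) history.

    `run` sends one command to the switch and returns its output; it is
    injected so the example needs no live device.
    """
    history = []
    for _ in range(attempts):
        session = parse_session(run(f"show authentication sessions interface {interface}"))
        status = session.get("Status", "")
        history.append((status, explain(session, expected_vlan)))
        if status in ("Authz Success", "Authz Failed"):
            break
        sleep(delay)
    return history


if __name__ == "__main__":
    outputs = iter([SESSION_RUNNING, SESSION_RUNNING, SESSION_SUCCESS])
    for status, why in poll_session(lambda cmd: next(outputs), "GigabitEthernet0/1", 20,
                                    delay=0, sleep=lambda s: None):
        print(f"{status:14} {why}")
```

The `Vlan Policy` comparison is the check Tobias asked about above: a session can be Authz Success and still be useless if the authorization result put the client in a VLAN that the new trunk and router configuration no longer carry.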

adam kalabadzi
Level 1

Where is your DHCP server? Is it your router, or is it another device on your network? If so, just make sure your new VLAN exists all along the path between your switch and your DHCP server.

I don't think you read the entire post. How would an auth open fix that?