ISE closed mode prevents DHCP after successful 802.1x authentication

waqas gondal
Level 1

Hi

We are using ISE 2.4 and are using enforcement (closed) mode at our main office. It is working fine on all our switch stacks (3850 version 16.6.6).

I take the same configuration and apply it to another location using the same ISE appliance, same switch model. For some reason the endpoints are stuck with a 169.254.x.x IP. This is after the 802.1x authentication has passed. When I revert ISE to monitor mode for those switches, it does not fix the problem. The PCs are still not able to get an IP, not after a reboot of the PC or defaulting the port config. The trigger for this issue is ISE going into closed mode. What could the issue be?

This is all with the native Windows 10 supplicant.

4 Replies

sovandy.top
Level 1

I am also facing a similar problem on some PCs which can't get an IP address from the DHCP server after authentication passes, but the switch is running in low-impact mode. If I reboot the PC, the problem is fixed at that time, but it happens again the next time. For the implementation, we have installed the AnyConnect agent, NAM module, SBL module and compliance module.
Is anyone else facing the same kind of issue? What would you suggest checking?

Hi,

As soon as your PC has been assigned an APIPA IP address (169.254.x.x), you are probably not reaching a DHCP server.

From the switch side:

1. Double-check whether the PC is able to reach an interface with the ip helper-address command

2. Try some DHCP debugs to check what is happening (Understanding and Troubleshooting DHCP)

From the PC side:

1. Disable antivirus

2. Use Wireshark to check the packets (Wireshark DHCP)

Hope this helps !!!

Hi Marcelo,

The DHCP is reachable; it is only some devices that have this issue. They all have the same network settings and we can see the lease going to the MAC address from the DHCP server.

Then closed mode 802.1X is not the issue. It is a DHCP issue.