11-25-2020 02:36 AM
Greetings dear experts!
My problem is that after some time ISE displays the session as inactive. I had the same problem (https://community.cisco.com/t5/network-access-control/re-authorization-for-mab/m-p/4123630#M561845), after Damien's recommendation, my problem was resolved. After upgrading ISE from 2.3 to 2.7 I am getting the same problem.
This is what I see.
Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ----
* 1 28 WS-C3650-24PD 16.12.4 CAT3K_CAA-UNIVERSALK9 INSTALL
S-B22-ASW-001#sh run aaa
!
aaa authentication login default group CS-ISE local
aaa authentication enable default group CS-ISE enable
aaa authentication dot1x default group ISE
aaa authorization exec default group CS-ISE local if-authenticated
aaa authorization network default group ISE
aaa authorization commands 1 default group CS-ISE if-authenticated
aaa authorization commands 15 default group CS-ISE if-authenticated
aaa authorization config-commands
aaa accounting exec default stop-only group CS-ISE
aaa accounting commands 1 default stop-only group CS-ISE
aaa accounting commands 15 default stop-only group CS-ISE
aaa accounting dot1x default start-stop group ISE
aaa accounting update newinfo periodic 2880
S-B22-ASW-001#sh auth sessions int gi 1/0/18 de
Interface: GigabitEthernet1/0/18
IIF-ID: 0x1D3C3827
MAC Address: bcc3.4218.69a8
IPv6 Address: fe80::bec3:42ff:fe18:69a8
IPv4 Address: 10.64.66.37
User-Name: BC-C3-42-18-69-A8
Status: Authorized
Domain: DATA
Oper host mode: multi-host
Oper control dir: in
Session timeout: N/A
Acct update timeout: 172800s (local), Remaining: 95555s
Common Session ID: 0A08086F000000E0D1243EC4
Acct Session ID: 0x000000c8
Handle: 0x230000d6
Current Policy: POLICY_Gi1/0/18
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Server Policies:
Method status list:
Method State
mab Authc Success
You can see that the session status is "Disconnected"
You can see that other endpoints on the same switch have the status "Connected"
You can see that the switch has sent accounting data and the session has been extended.
It is not the only endpoint that has a "Disconnected" status. I also see it from all my sections of the network. Maybe you have any ideas how to solve this problem?
11-25-2020 03:42 AM
11-25-2020 08:00 AM
Forgot to show port configuration.
S-B22-ASW-001#sh run int gi 1/0/18
Building configuration...
Current configuration : 891 bytes
!
interface GigabitEthernet1/0/18
description *CCTV-ACC-B22*
switchport access vlan 2102
switchport mode access
switchport nonegotiate
logging event subif-link-status
no cdp enable
authentication control-direction in
authentication event fail action next-method
authentication event server dead action authorize vlan 900
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-host
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 5
storm-control broadcast level 10.00
storm-control action trap
service-policy input SEC_INGRESS_MARKING
ip dhcp snooping limit rate 100
end
The end device is a camera and I saw no reason to wait for the dot1x timeout, so for end devices like this one that do not speak dot1x, I set the authentication order to mab dot1x.
I see the same problem on devices that understand dot1x. Here's an example.
C-C23-ASW-012#sh run int gi 1/0/3
interface GigabitEthernet1/0/3
description *WIFI-MGMT-C23*
switchport access vlan 1322
switchport mode access
switchport nonegotiate
logging event subif-link-status
authentication control-direction in
authentication event fail action next-method
authentication event server dead action authorize vlan 900
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 5
storm-control broadcast level 10.00
storm-control action trap
service-policy input AP_EXPO_INGRESS_MARKING
ip dhcp snooping limit rate 100
end
C-C23-ASW-012#sh auth sessions int gi 1/0/3 de
Interface: GigabitEthernet1/0/3
IIF-ID: 0x17290389
MAC Address: 00d7.8f4e.a364
IPv6 Address: fe80::2d7:8fff:fe4e:a364
IPv4 Address: 10.19.6.36
User-Name: Wifi_AP_EV
Status: Authorized
Domain: DATA
Oper host mode: multi-domain
Oper control dir: in
Session timeout: N/A
Acct update timeout: 172800s (local), Remaining: 77894s
Common Session ID: 0A08053300000020D144F094
Acct Session ID: 0x0000001a
Handle: 0x25000016
Current Policy: POLICY_Gi1/0/3
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Server Policies:
Method status list:
Method State
dot1x Authc Success
C-C23-ASW-012#
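The two switch outputs above are consistent with each other: `aaa accounting update newinfo periodic 2880` is 2880 minutes, which is exactly the 172800s local "Acct update timeout" the session shows, and "Session timeout: N/A" together with `authentication timer reauthenticate server` means RADIUS pushed no Session-Timeout, so the switch never reauthenticates the port on its own and ISE only hears about the session at the interim-accounting interval. As an added example that is not part of this thread, the Python script below parses the two kinds of output (the samples are constructed, trimmed from the posts above) and prints the consistency checks a practitioner would run before escalating. The finding wording is mine, not ISE's or IOS's.

```python
import re
from typing import Dict, List, Optional

# Constructed samples, modelled on the show output in the thread above.
AAA_CONFIG = """\
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
aaa accounting update newinfo periodic 2880
"""

SESSION_OUTPUT = """\
Interface: GigabitEthernet1/0/18
MAC Address: bcc3.4218.69a8
IPv4 Address: 10.64.66.37
User-Name: BC-C3-42-18-69-A8
Status: Authorized
Domain: DATA
Oper host mode: multi-host
Session timeout: N/A
Acct update timeout: 172800s (local), Remaining: 95555s
Common Session ID: 0A08086F000000E0D1243EC4
Method status list:
Method State
mab Authc Success
"""

# IOS takes the periodic interval in minutes; "newinfo" is optional.
PERIODIC_RE = re.compile(r"^aaa accounting update(?: newinfo)? periodic (\d+)\s*$", re.M)
ACCT_TIMEOUT_RE = re.compile(r"(\d+)s \(local\), Remaining: (\d+)s")


def accounting_interval_seconds(aaa_config: str) -> Optional[int]:
    """Interim-accounting interval in seconds, or None if no periodic update is configured."""
    m = PERIODIC_RE.search(aaa_config)
    return int(m.group(1)) * 60 if m else None


def parse_session(text: str) -> Dict[str, object]:
    """Parse 'show authentication sessions interface ... details' into a dict.
    Lines before 'Method status list:' are key: value; the lines after are the method table."""
    session: Dict[str, object] = {}
    methods: Dict[str, str] = {}
    in_methods = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Method status list"):
            in_methods = True
            continue
        if in_methods:
            if line.startswith("Method"):  # "Method State" header row
                continue
            name, _, state = line.partition(" ")
            methods[name] = state.strip()
        elif ":" in line:
            key, _, value = line.partition(":")  # first colon only; values may contain ':'
            session[key.strip()] = value.strip()
    session["Methods"] = methods
    return session


def check_session(session: Dict[str, object], acct_interval_s: Optional[int]) -> List[str]:
    """Return human-readable findings about how (and how often) ISE will hear about this session."""
    findings: List[str] = []
    if session.get("Status") != "Authorized":
        findings.append(f"status is {session.get('Status')!r}, not Authorized")
    # No Session-Timeout attribute from RADIUS plus 'authentication timer reauthenticate server'
    # means the switch will never reauthenticate this port by itself.
    if session.get("Session timeout") == "N/A":
        findings.append("no Session-Timeout from RADIUS: with 'authentication timer "
                        "reauthenticate server' the port will not reauthenticate")
    m = ACCT_TIMEOUT_RE.search(str(session.get("Acct update timeout", "")))
    if m:
        local_s, remaining_s = int(m.group(1)), int(m.group(2))
        if acct_interval_s is not None and local_s != acct_interval_s:
            findings.append(f"switch reports {local_s}s between updates but the AAA "
                            f"config says {acct_interval_s}s")
        findings.append(f"next interim accounting update in {remaining_s}s "
                        f"(interval {local_s}s, about {local_s // 3600}h)")
    elif acct_interval_s is None:
        findings.append("no interim accounting configured: ISE only sees start/stop")
    if session.get("Oper host mode") == "multi-host":
        findings.append("multi-host: only the first MAC is authenticated, later hosts "
                        "on the port ride on that session")
    return findings


if __name__ == "__main__":
    interval = accounting_interval_seconds(AAA_CONFIG)
    sess = parse_session(SESSION_OUTPUT)
    print(f"{sess['Interface']} {sess['MAC Address']} methods={sess['Methods']}")
    for finding in check_session(sess, interval):
        print(" -", finding)
```

Feed it the real outputs of `show run aaa` and `show authentication sessions interface <port> details` captured from the switch; a mismatch between the configured periodic interval and the local Acct update timeout, or a session with no Session-Timeout at all, is the first thing to compare against what the ISE Live Sessions view expects.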