10-22-2018 12:01 AM - edited 03-11-2019 01:50 AM
We're currently doing a tech refresh and replacing older switches with 2960s, and we're having an issue with our switches displaying UNKNOWN when doing the command "sh auth sess". Here's an example of the command output. The switch I use in this example is allowing users to connect; however, sometimes this is not the case.
sh auth sess
Interface  MAC Address     Method  Domain   Status  Fg  Session ID
Gi1/0/18   xxxx.xxxx.xxxx  dot1x   UNKNOWN  Auth        842A611B000000F31868AABC
Gi1/0/13   xxxx.xxxx.xxxx  dot1x   UNKNOWN  Auth        842A611B000000EE1868A9ED
Gi2/0/5    xxxx.xxxx.xxxx  mab     UNKNOWN  Auth        842A611B000000F61868B3AA
A detailed auth session
sh auth sess int g1/0/18 det
Interface: GigabitEthernet1/0/18
MAC Address: xxxx.xxxx.xxxx
IPv6 Address: Unknown
IPv4 Address: xxx.xxx.xxx.xxx
Status: Authorized
Domain: UNKNOWN
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Common Session ID: 842A611B000000E91868A97E
Acct Session ID: 0x0000011B
Handle: 0xF30000CE
Current Policy: POLICY_Gi1/0/18
Local Policies:
Service Template: CRITICAL_AUTH_VLAN_Gi1/0/18 (priority 150)
Vlan Group: Vlan:
Service Template: DEFAULT_CRITICAL_VOICE_TEMPLATE (priority 150)
Voice Vlan:
Method status list:
Method State
dot1x Stopped
mab Authc Failed
----------------------------------------
Interface: GigabitEthernet1/0/18
MAC Address: xxxx.xxxx.xxxx
IPv6 Address: Unknown
IPv4 Address: xxx.xxx.xxx.xxx
Status: Authorized
Domain: UNKNOWN
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Common Session ID: 842A611B000000F31868AABC
Acct Session ID: 0x000000DE
Handle: 0x040000D8
Current Policy: POLICY_Gi1/0/18
Local Policies:
Service Template: CRITICAL_AUTH_VLAN_Gi1/0/18 (priority 150)
Vlan Group: Vlan:
Service Template: DEFAULT_CRITICAL_VOICE_TEMPLATE (priority 150)
Voice Vlan:
Method status list:
Method State
dot1x Authc Failed
Here's what every port is configured with.
description USER_Port
switchport access vlan
switchport mode access
switchport voice vlan
authentication event fail action next-method
authentication event server dead action authorize vlan
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 8
dot1x max-req 3
spanning-tree portfast
Global commands we use for dot1x.
dot1x system-auth-control
dot1x critical eapol
Here are our radius/aaa commands we're using for ISE.
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
aaa accounting update newinfo periodic 2880
!
aaa session-id common
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
!
Finally, here are the switches' versions and models.
1 52 WS-C2960X-48LPD-L 15.2(2)E3 C2960X-UNIVERSALK9-M
2 52 WS-C2960X-48LPD-L 15.2(2)E3 C2960X-UNIVERSALK9-M
10-25-2018 03:16 PM - edited 10-25-2018 03:17 PM
This is expected, as the endpoints are put into the critical VLAN. The critical condition happens when none of the configured RADIUS servers are available or the switch management IP has not been added to the ISE NAD list. When this happens the domain will show UNKNOWN. It is also evident from your output:
Local Policies:
Service Template: CRITICAL_AUTH_VLAN_Gi1/0/18 (priority 150)
Vlan Group: Vlan:
Service Template: DEFAULT_CRITICAL_VOICE_TEMPLATE (priority 150)
Voice Vlan:
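To make the condition described above easy to spot across many ports, here is an added example (not code from the thread or from Cisco) that parses "show authentication sessions" output, both the summary table and the "detail" form, and flags sessions that were authorised by a local critical policy rather than by ISE. The classification rule is an assumption taken from the answer: Domain UNKNOWN combined with a CRITICAL_* service template means critical-auth fallback. The sample output embedded below is constructed to mirror the original post, with made-up MAC and IP addresses.

```python
"""Added example: flag 802.1X/MAB sessions sitting in critical-auth fallback.

Assumption (from the accepted answer): Domain UNKNOWN plus a CRITICAL_*
service template means the port was authorised locally because no RADIUS
server answered, not because ISE returned an Access-Accept.
"""
import re
from dataclasses import dataclass, field

# Dashed line that separates sessions in 'show authentication sessions ... detail'.
SEPARATOR = re.compile(r"^-{10,}\s*$", re.MULTILINE)


@dataclass
class AuthSession:
    interface: str = ""
    mac: str = ""
    status: str = ""
    domain: str = ""
    session_id: str = ""
    templates: list = field(default_factory=list)  # applied local service templates
    methods: dict = field(default_factory=dict)    # e.g. {"mab": "Authc Failed"}

    def is_critical_fallback(self) -> bool:
        """True when the session was authorised by a local critical policy."""
        return (self.domain.upper() == "UNKNOWN"
                and any("CRITICAL" in t for t in self.templates))


def parse_detail(text: str) -> list:
    """Parse the 'detail' output into one AuthSession per dashed-separated block."""
    sessions = []
    for chunk in SEPARATOR.split(text):
        if "Interface:" not in chunk:
            continue
        s = AuthSession()
        in_methods = False
        for raw in chunk.splitlines():
            line = raw.strip()
            if not line:
                continue
            if line.startswith("Method status list"):
                in_methods = True          # remaining lines are "<method> <state>"
                continue
            if in_methods:
                parts = line.split()
                if len(parts) >= 2 and parts[0] != "Method":
                    s.methods[parts[0]] = " ".join(parts[1:])
                continue
            key, sep, value = line.partition(":")
            if not sep:
                continue
            key, value = key.strip(), value.strip()
            if key == "Interface":
                s.interface = value
            elif key == "MAC Address":
                s.mac = value
            elif key == "Status":
                s.status = value
            elif key == "Domain":
                s.domain = value
            elif key == "Common Session ID":
                s.session_id = value
            elif key == "Service Template":
                s.templates.append(value.split(" (")[0])   # drop "(priority N)"
        sessions.append(s)
    return sessions


def parse_summary(text: str) -> list:
    """Parse the short table; the Fg column may be empty, so take Session ID last."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "Interface":
            continue
        iface, mac, _method, domain, status = parts[:5]
        rows.append(AuthSession(interface=iface, mac=mac, domain=domain,
                                status=status, session_id=parts[-1]))
    return rows


def report(sessions) -> dict:
    """Map session id -> verdict, naming the failed methods to steer the RADIUS check."""
    out = {}
    for s in sessions:
        if s.is_critical_fallback():
            failed = [m for m, st in s.methods.items() if "Failed" in st]
            out[s.session_id] = (f"critical-auth fallback on {s.interface}; "
                                 f"failed methods: {', '.join(failed) or 'none'}")
        elif s.domain.upper() == "UNKNOWN":
            out[s.session_id] = f"domain UNKNOWN on {s.interface} without critical template"
        else:
            out[s.session_id] = f"{s.domain.lower()} domain on {s.interface}, server-authorised"
    return out


# Constructed sample output (MAC/IP values are made up; layout mirrors the post).
SAMPLE_DETAIL = """Interface: GigabitEthernet1/0/18
MAC Address: 0011.2233.4455
IPv4 Address: 192.0.2.10
Status: Authorized
Domain: UNKNOWN
Common Session ID: 842A611B000000E91868A97E
Local Policies:
Service Template: CRITICAL_AUTH_VLAN_Gi1/0/18 (priority 150)
Vlan Group: Vlan:
Service Template: DEFAULT_CRITICAL_VOICE_TEMPLATE (priority 150)
Method status list:
Method State
dot1x Stopped
mab Authc Failed
----------------------------------------
Interface: GigabitEthernet1/0/18
MAC Address: 0011.2233.4466
IPv4 Address: 192.0.2.11
Status: Authorized
Domain: UNKNOWN
Common Session ID: 842A611B000000F31868AABC
Local Policies:
Service Template: CRITICAL_AUTH_VLAN_Gi1/0/18 (priority 150)
Method status list:
Method State
dot1x Authc Failed
"""

SAMPLE_SUMMARY = """Interface MAC Address Method Domain Status Fg Session ID
Gi1/0/18 0011.2233.4455 dot1x UNKNOWN Auth 842A611B000000F31868AABC
Gi2/0/5 0011.2233.4477 mab UNKNOWN Auth 842A611B000000F61868B3AA
"""

if __name__ == "__main__":
    for sid, verdict in report(parse_detail(SAMPLE_DETAIL)).items():
        print(sid, "->", verdict)
    print("UNKNOWN-domain ports:",
          [r.interface for r in parse_summary(SAMPLE_SUMMARY) if r.domain == "UNKNOWN"])
```

Every session the report marks as critical-auth fallback is one the switch authorised on its own, so the next check is RADIUS reachability from that switch and its NAD entry in ISE, as the answer says; the failed-method list tells you whether dot1x, MAB or both were tried before the fallback.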
10-25-2018 03:03 PM
For Cisco IOS, the domain is usually either data or voice, and I do not believe there is such a thing as an ISE domain.
Anyhow, it looks like the authentications are failing, and that would be where to start the investigation. Please check whether the RADIUS auth requests are reaching ISE and, if so, what info is available in ISE about these authentications.
09-19-2024 12:50 PM
Why do these devices stay in the unknown domain after the radius server is back up? The sessions seem to reauthenticate to the critical VLAN they fell back to. Is there a way to have the unknown devices reauth when RADIUS comes back online?