10-16-2013 05:57 PM - edited 03-10-2019 09:00 PM
I've recently moved an ISE implementation into the low-impact authentication phase, and the client's security cameras are having a rough go of it. In monitor mode, they were able to stay connected as they should but in low-impact mode they are losing their IP addresses as evidenced in the auth session output below:
SWITCH-1#sh auth sess int g4/0/6
Interface: GigabitEthernet4/0/6
MAC Address: 0040.8cc7.4822
IP Address: 10.92.6.3
User-Name: 00-40-8C-C7-48-22
Status: Authz Success
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-5165e13c
Session timeout: 3600s (local), Remaining: 338s
Timeout action: Reauthenticate
Idle timeout: N/A
Common Session ID: 0AFF320A000661C965742D42
Acct Session ID: 0x00067E9F
Handle: 0x72000982
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
SWITCH-1#sh auth sess int g4/0/6
Interface: GigabitEthernet4/0/6
MAC Address: 0040.8cc7.4822
IP Address: 169.254.45.196
User-Name: 00-40-8C-C7-48-22
Status: Authz Success
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-5165e13c
Session timeout: 3600s (local), Remaining: 338s
Timeout action: Reauthenticate
Idle timeout: N/A
Common Session ID: 0AFF320A000661C965742D42
Acct Session ID: 0x00067E9F
Handle: 0x72000982
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
This is happening approx. every 10 seconds which curiously is the timer value of my dot1x tx-period. As well, the host never has its reauthentication timer restarted but I can see the following in ISE approx. every 10-15 seconds:
Why is it going through Dynamic Authorization? Why am I losing my legitimate IP address every 10 seconds and getting an APIPA address in its place? The port configuration is as follows:
interface GigabitEthernet4/0/6
description Security
switchport access vlan 292
switchport mode access
ip access-group ACL-DEFAULT in
power inline auto max 15400
authentication event fail action next-method
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
storm-control broadcast level 2.00
storm-control action shutdown
spanning-tree portfast
spanning-tree bpduguard enable
end
And my ACL-DEFAULT is...
Extended IP access list ACL-DEFAULT
10 permit udp any eq bootpc any eq bootps
20 permit udp any any eq domain
30 permit icmp any any
40 permit udp any any eq tftp
50 deny ip any any log
Upon switch log review, I'd noticed that the ACL-DEFAULT is blocking the cameras from certain igmp and tcp/554 (RTSP) communications. To see if it would help, even though I shouldn't have to, I placed ACEs into my ACL-DEFAULT to permit this traffic, and the camera would still drop its IP address every 10 seconds. I shouldn't have to do this because the "xACSACLx-IP-PERMIT_ALL_TRAFFIC-5165e13c" is a simple "permit ip any any" ACL which should allow all of the traffic to flow.
Ideas?
Kind Regards,
Kevin
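As an added example (not from the post above or from Cisco), a small Python parser for pasted "show authentication sessions interface" output that flags the two symptoms Kevin describes: an APIPA (169.254.x.x) address on an authorized session, and the IP address changing while the Common Session ID stays the same. The embedded sample is abridged from the two captures in the post.

```python
import re
from ipaddress import ip_address

# Abridged from the two captures in the post (same Common Session ID,
# IP Address changing from 10.92.6.3 to a link-local APIPA address).
SAMPLE = """\
SWITCH-1#sh auth sess int g4/0/6
Interface: GigabitEthernet4/0/6
MAC Address: 0040.8cc7.4822
IP Address: 10.92.6.3
Session timeout: 3600s (local), Remaining: 338s
Common Session ID: 0AFF320A000661C965742D42
dot1x Failed over
mab Authc Success
SWITCH-1#sh auth sess int g4/0/6
Interface: GigabitEthernet4/0/6
MAC Address: 0040.8cc7.4822
IP Address: 169.254.45.196
Session timeout: 3600s (local), Remaining: 338s
Common Session ID: 0AFF320A000661C965742D42
dot1x Failed over
mab Authc Success
"""

FIELD = re.compile(r"^([A-Za-z ]+?):\s+(.*)$")          # "Key: value" lines
METHOD = re.compile(r"^(dot1x|mab|webauth)\s+(.+)$")   # "Method State" rows

def parse_sessions(text):
    """Split a pasted terminal log at each prompt line; one dict per capture."""
    sessions = []
    for line in text.splitlines():
        if "#sh" in line:            # a prompt line starts the next capture
            sessions.append({"methods": {}})
        elif sessions and (m := METHOD.match(line)):
            sessions[-1]["methods"][m.group(1)] = m.group(2)
        elif sessions and (m := FIELD.match(line)):
            sessions[-1][m.group(1)] = m.group(2)
    return sessions

def session_findings(sessions):
    """Flag what the post describes: APIPA addresses and IP churn within one session."""
    findings, last_ip = [], {}
    for s in sessions:
        sid, ip = s.get("Common Session ID"), s.get("IP Address")
        if ip and ip_address(ip).is_link_local:
            findings.append(f"{sid}: link-local {ip} (DHCP not answered)")
        if sid in last_ip and last_ip[sid] != ip:
            findings.append(f"{sid}: IP changed {last_ip[sid]} -> {ip} in same session")
        last_ip[sid] = ip
    return findings
```

Calling session_findings(parse_sessions(SAMPLE)) on the sample returns one line for the APIPA address and one for the IP change under the unchanged session ID; feeding it a longer capture loop from the switch lets you see whether the churn lines up with the 10-second tx-period the post mentions.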
10-16-2013 06:04 PM
As well, the dACL is properly replacing the first "any" with the endpoint's IP:
SWITCH-1#show ip access-lists interface g4/0/6
permit ip host 169.254.45.196 any
SWITCH-1#show ip access-lists interface g4/0/6
permit ip host 10.92.6.3 any
Kind Regards,
Kevin
12-18-2017 12:55 PM
Did you ever find the cause of the problem and the solution?