cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1310
Views
0
Helpful
2
Replies
Highlighted
Contributor

ISE Endpoint losing IP after transition to Low-Impact-Mode

I've recently moved an ISE implementation into the low-impact authentication phase, and the client's security cameras are having a rough go of it. In monitor mode, they were able to stay connected as they should but in low-impact mode they are losing their IP addresses as evidenced in the auth session output below:

SWITCH-1#sh auth sess int g4/0/6

            Interface:  GigabitEthernet4/0/6

          MAC Address:  0040.8cc7.4822

           IP Address:  10.92.6.3

            User-Name:  00-40-8C-C7-48-22

               Status:  Authz Success

               Domain:  DATA

       Oper host mode:  multi-domain

     Oper control dir:  both

        Authorized By:  Authentication Server

          Vlan Policy:  N/A

              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-5165e13c

      Session timeout:  3600s (local), Remaining: 338s

       Timeout action:  Reauthenticate

         Idle timeout:  N/A

    Common Session ID:  0AFF320A000661C965742D42

      Acct Session ID:  0x00067E9F

               Handle:  0x72000982

Runnable methods list:

       Method   State

       dot1x    Failed over

       mab      Authc Success

SWITCH-1#sh auth sess int g4/0/6

            Interface:  GigabitEthernet4/0/6

          MAC Address:  0040.8cc7.4822

           IP Address:  169.254.45.196

            User-Name:  00-40-8C-C7-48-22

               Status:  Authz Success

               Domain:  DATA

       Oper host mode:  multi-domain

     Oper control dir:  both

        Authorized By:  Authentication Server

          Vlan Policy:  N/A

              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-5165e13c

      Session timeout:  3600s (local), Remaining: 338s

       Timeout action:  Reauthenticate

         Idle timeout:  N/A

    Common Session ID:  0AFF320A000661C965742D42

      Acct Session ID:  0x00067E9F

               Handle:  0x72000982

Runnable methods list:

       Method   State

       dot1x    Failed over

       mab      Authc Success

This is happening approx. every 10 seconds which curiously is the timer value of my dot1x tx-period. As well, the host never has its reauthentication timer restarted but I can see the following in ISE approx. every 10-15 seconds:

Why is it going through Dynamic Authorization? Why am I losing my legitimate IP address every 10 seconds and getting an APIPA address in its place? The port configuration is as follows:

interface GigabitEthernet4/0/6

description Security

switchport access vlan 292

switchport mode access

ip access-group ACL-DEFAULT in

power inline auto max 15400

authentication event fail action next-method

authentication host-mode multi-domain

authentication open

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

authentication periodic

authentication violation restrict

mab

dot1x pae authenticator

dot1x timeout tx-period 10

storm-control broadcast level 2.00

storm-control action shutdown

spanning-tree portfast

spanning-tree bpduguard enable

end

And my ACL-DEFAULT is...

Extended IP access list ACL-DEFAULT

    10 permit udp any eq bootpc any eq bootps

    20 permit udp any any eq domain

    30 permit icmp any any

    40 permit udp any any eq tftp

    50 deny ip any any log

Upon switch log review, I'd noticed that the ACL-DEFAULT is blocking the cameras from certain igmp and tcp/554 (RTSP) communications. To see if it would help, even though I shouldn't have to, I placed ACE's into my ACL-DEFAULT to permit this traffic and would still drop my IP address every 10 seconds. I shouldn't have to do this because the "xACSACLx-IP-PERMIT_ALL_TRAFFIC-5165e13c" is a simple "permit ip any any" ACL which should allow all of the traffic to flow.

Ideas?

Kind Regards,

Kevin

Kind Regards, Kevin Sheahan, CCIE # 41349
2 REPLIES 2
Highlighted
Contributor

As well, the dACL is properly replacing the first "any" with the endpoint's IP:

SWITCH-1#show ip access-lists interface g4/0/6

     permit ip host 169.254.45.196 any

SWITCH-1#show ip access-lists interface g4/0/6

     permit ip host 10.92.6.3 any

Kind Regards,

Kevin

Kind Regards, Kevin Sheahan, CCIE # 41349
Highlighted

Did you ever find the cause of the problem and the solution?

Content for Community-Ad