01-23-2018 09:11 PM - edited 02-21-2020 10:44 AM
I have a problem: my user's laptop cannot get an IP address from the DHCP server over a cable connection through Cisco ISE. Please help to support.
My port configuration:
switchport mode access
ip access-group ACL-default in
authentication event fail action next-method
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
spanning-tree portfast
spanning-tree bpduguard enable
* Laptop can get DHCP unless I remove the command "ip access-group ACL-default in".
After I removed this command, the laptop can get an IP, but when I also remove the MAC address of this laptop from ISE, it can still access my internet and network, meaning ISE has no value.
Please help to support
thanks
Chetra
01-23-2018 10:38 PM
> laptop can get DHCP unless I remove command "ip access-group ACL-default in"
- I am presuming your laptop does get an IP address, but is restricted on the network due to your ACL. Check its correctness, and verify whether an IP address was obtained or not using ipconfig /all (on Windows).
> ... mean ISE no value.
That statement is far from correct, and/or at least incomplete; ISE will authorize a MAC address and grant access once it is 'policy-verified' by ISE. To accomplish auth-network-access removal you need to look into more complex setup schemes of ISE, such as CoA methodologies (for instance). Study and learn...!
M.
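One way to carry out the "check the ACL's correctness" step from the reply above, as an added example that is not part of the original thread: a first-match evaluation of a pre-authentication port ACL against a DHCPDISCOVER packet. The thread never shows the contents of ACL-default, so both ACLs below are constructed samples, and the parser only handles `any` addresses with optional `eq` ports.

```python
import re

# Constructed sample ACLs (assumption: the real ACL-default is not shown in the thread).
ACL_BLOCKING = """\
permit udp any any eq domain
deny ip any any
"""
ACL_WITH_DHCP = """\
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
deny ip any any
"""

PORTS = {"bootps": 67, "bootpc": 68, "domain": 53}

# DHCPDISCOVER from a client with no address yet: UDP source port 68 -> destination port 67.
DHCP_DISCOVER = {"proto": "udp", "sport": 68, "dport": 67}

# Simplified ACE grammar: <action> <proto> any [eq <port>] any [eq <port>]
ACE = re.compile(
    r"^(permit|deny)\s+(ip|udp|tcp)\s+any(?:\s+eq\s+(\S+))?\s+any(?:\s+eq\s+(\S+))?$")


def port(tok):
    """Resolve a port keyword or a decimal port number."""
    return PORTS[tok] if tok in PORTS else int(tok)


def evaluate(acl_text, pkt):
    """Return (action, matching line); the first matching entry wins."""
    for line in acl_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("!", "remark")):
            continue
        m = ACE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE: {line}")
        action, proto, sport, dport = m.groups()
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if sport and port(sport) != pkt["sport"]:
            continue
        if dport and port(dport) != pkt["dport"]:
            continue
        return action, line
    return "deny", "(implicit deny at end of ACL)"


if __name__ == "__main__":
    for name, acl in (("ACL_BLOCKING", ACL_BLOCKING), ("ACL_WITH_DHCP", ACL_WITH_DHCP)):
        print(name, evaluate(acl, DHCP_DISCOVER))
```
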