Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1260
Views
30
Helpful
6
Replies

ISE Fail Close prevents DHCP after successful 802.1x authentication

Go to solution
aatahraoui
Level 1
Level 1

‎10-20-2022 09:46 AM

Hi

 

We are using ISE 2.7 and are using enforcement (closed) mode at our main office. It is working fine on all our switch C2960X-UNIVERSALK9-M), Version 15.2(2)E

For some reason the endpoints are stuck with 169.254.x.x IP. This is after the the 802.1x authentication has passed. When I revert ISE to monitor mode for those switches, it does not fix the problem. The PCs are still not able to get an IP, not after a reboot of the PC or defaulting the port config. The trigger for this issue is ISE going into closed mode. What could the issue be?

 

This is all with some Windows 10 Machines.

1 Accepted Solution

Accepted Solutions

Go to solution
aatahraoui
Level 1
Level 1
In response to Greg Gibbs

‎10-21-2022 06:14 AM

Thank you Greg, indeed it seems that's related to DHCP in the switch, the switch keep the APIPA IP address in its cache , the issue is fixed after the switch restart, but we still cannot figure out the good DHCP config to try.

APIPA CACHE SW.PNG

We use IP DHCP SNOOPING TRUST for TRUCK Interfaces (DHCP server is set in Core Switch) and all access interface are configured with ip dhcp snooping limit rate 10

View solution in original post

6 Replies 6

Go to solution
MHM Cisco World
VIP
VIP

‎10-20-2022 09:50 AM

change the mode from closed to low impact mode.

0 Helpful

Go to solution
aatahraoui
Level 1
Level 1
In response to MHM Cisco World

‎10-20-2022 10:08 AM

There is only two option Closed Mode and OPEN Mode (YES/NO)

0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to aatahraoui

‎10-20-2022 02:46 PM

Low Impact Mode is a way of configuring the switch and ISE to permit some traffic prior to authentication/authorisation completing. See the ISE Secure Wired Access Prescriptive Deployment Guide for more details.

The comments "When I revert ISE to monitor mode for those switches, it does not fix the problem. The PCs are still not able to get an IP, not after a reboot of the PC or defaulting the port config." are very suspicious. If the PC still does not get an IP address from DHCP with Monitor Mode enabled or the removing the NAC config completely, something else is wrong.
You might need to look at your 'dhcp snooping' and 'dhcp snooping trust' configuration on this switch as well as the upstream switch(es) and start doing packet captures along the path.

 

 

Go to solution
aatahraoui
Level 1
Level 1
In response to Greg Gibbs

‎10-21-2022 06:14 AM

Thank you Greg, indeed it seems that's related to DHCP in the switch, the switch keep the APIPA IP address in its cache , the issue is fixed after the switch restart, but we still cannot figure out the good DHCP config to try.

APIPA CACHE SW.PNG

We use IP DHCP SNOOPING TRUST for TRUCK Interfaces (DHCP server is set in Core Switch) and all access interface are configured with ip dhcp snooping limit rate 10

Go to solution
andrewswanson
Level 7
Level 7
In response to aatahraoui

‎10-21-2022 08:37 AM

Does the bug CSCui35423 "DHCP bindings are not happening at first try" match what you are seeing?

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCui35423

Release notes below for 2960x shows it was resolved with 15.2(2)E3

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-2_2_e/release_notes/OL-32568.html

 

hth
Andy

Go to solution
aatahraoui
Level 1
Level 1
In response to andrewswanson

‎10-25-2022 10:34 AM

Thanks Andew for this sharing, but not sure if it's the root cause as we have the good version of Cisco IOS  Version 15.2(2)E7ios.PNG

0 Helpful
Customers Also Viewed These Support Documents