ISE - IP does not show UP - Endpoint not getting IP

Kalimoz
Level 1

Hello all,

I'm having a huge struggle with ISE (I think the problem is with ISE). Every time an endpoint connects via WIRED MAB it goes to its respective policy, and then to the authorization.

 

It goes like this

PC ---> SWITCH ----> ISE (Policy MAB -> Authentication Default Internal Endpoints -> Authorization Switch X, Location Z -> Profile Vlan 244)

I have no problems with that, since after the PC connects it goes straight to that policy and lands in VLAN 244.

 

My problem is that the endpoint isn't getting any IP address, and in the LIVE LOGS I don't get the IP in the IP Address tab.

 

SWITCH#sh authentication sessions int gi0/16
Interface: GigabitEthernet0/16
MAC Address: 18a9.0598.f631
IP Address: Unknown
User-Name: 18-A9-05-98-F6-31
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 244
ACS ACL: xACSACLx-IP-PERMIT_ANY-5fad6532
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0AC31DFC0000002743AE10BE
Acct Session ID: 0x00000034
Handle: 0xAC000027

Runnable methods list:
Method State
mab Authc Success
dot1x Not run

 

SWITCH CONFIG

aaa group server radius ISE
 server 10.194.224.21 auth-port 1812 acct-port 1813
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
!
ip radius source-interface
!
radius-server host 10.194.224.21 auth-port 1812 acct-port 1813
!
radius-server key XXXXXXX
!
dot1x system-auth-control
dot1x critical eapol
!
ip device tracking probe delay 10
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
radius-server dead-criteria tries 2
radius-server key XXXXXXX
radius-server vsa send authentication
radius-server vsa send accounting
!
interface Gi0/16
 switchport mode access
 authentication event fail action next-method
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 3
!

 

What am I missing here?

Accepted Solution

Device tracking will allow the switch to swap the any keyword defined on the dACL with the connected device IP address. If you don't enable that feature on the interested interface, the switch would not be able to perform that operation. Here is how you can enable the device tracking globally and apply it to the interfaces:

ip device tracking
!
interface Gi0/x
 ip device tracking maximum <the maximum number of devices on the port>

Depending on the switch in use, you might need to go through a different set of syntaxes, example:

device-tracking tracking
device-tracking policy MY-TRACKING-POLICY
 limit address-count 10
 no protocol udp
 tracking enable
!
interface GigabitEthernet1/0/x
 device-tracking attach-policy MY-TRACKING-POLICY

Or if you want to enable it per VLAN basis:

vlan configuration 10
 device-tracking attach-policy MY-TRACKING-POLICY

To check the device tracking database, use the command show ip device tracking all, or depending on the switch platform, show device-tracking database. You can also specify the interested interface you want to check.


7 Replies

Kalimoz
Level 1

Can anyone give me a hint? I'm stuck; I already tested a lot of things, but it's still the same =/

What am I missing here?

martin.fischer
Level 1

I would start by doing basic connectivity troubleshooting. If you disable authentication on the switchport (authentication port-control force-authorized) and configure the switchport manually for vlan 244 (switchport access vlan 244), does your endpoint get an IP address then?

Only with switchport access vlan 244 does it work fine.

With ISE in the middle (every authentication and authorization passes) and with the dot1x configuration on the switch, I can't get an IP.

[attached screenshot: 2.jpg]

hslai
Cisco Employee

ACS ACL: xACSACLx-IP-PERMIT_ANY-5fad6532

That means you are sending down a dACL from ISE. With a dACL, we need IP device tracking working. Please review the ISE Secure Wired Access Prescriptive Deployment Guide.

Besides, you should check and compare how the DHCP requests are made to the DHCP server with and without enabling 802.1X/MAB authentication.

 


Hi,

I need help, I am facing a problem. The device that connects has a successful connection, but it doesn't get an IP. Can this method solve my problem? Hope you can help me. Thank you.

[attached screenshot: success no ip.jpg]

Not getting an IP could be related to a wrong VLAN on the switch port, or maybe a firewall rule that is blocking the DHCP traffic towards the DHCP server. Did you check the DHCP lease on the server to see if there was an IP lease created for that endpoint?