11-12-2020 11:25 AM - edited 11-12-2020 11:31 AM
Hello all,
I'm having a huge struggle within ISE (I think the problem is with ISE). Every time an endpoint connects via wired MAB it goes to its respective policy, and then to the authorization.
It goes like this:
PC ---> SWITCH ----> ISE (Policy MAB -> Authentication Default Internal Endpoints -> Authorization Switch X, Location Z -> Profile Vlan 244)
I have no problems with that, since after the PC connects it goes straight to that policy and it goes to VLAN 244.
My problem is I'm not getting any IP address given to the endpoint, and in the LIVE LOGS I don't get the IP in the IP Address tab.
SWITCH#sh authentication sessions int gi0/16
Interface: GigabitEthernet0/16
MAC Address: 18a9.0598.f631
IP Address: Unknown
User-Name: 18-A9-05-98-F6-31
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 244
ACS ACL: xACSACLx-IP-PERMIT_ANY-5fad6532
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0AC31DFC0000002743AE10BE
Acct Session ID: 0x00000034
Handle: 0xAC000027
Runnable methods list:
Method State
mab Authc Success
dot1x Not run
SWITCH CONFIG:
aaa group server radius ISE
server 10.194.224.21 auth-port 1812 acct-port 1813
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
!
ip radius source-interface
!
radius-server host 10.194.224.21 auth-port 1812 acct-port 1813
!
radius-server key XXXXXXX
!
dot1x system-auth-control
dot1x critical eapol
!
ip device tracking probe delay 10
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
radius-server dead-criteria tries 2
radius-server key XXXXXXX
radius-server vsa send authentication
radius-server vsa send accounting
!
Interface GI0/16
switchport mode access
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 3
!
What am I missing here?
11-14-2020 05:54 AM - edited 11-14-2020 05:56 AM
Device tracking will allow the switch to swap the any keyword defined on the dACL with the connected device IP address. If you don't enable that feature on the interested interface, the switch would not be able to perform that operation. Here is how you can enable the device tracking globally and apply it to the interfaces:
ip device tracking
interface Gi0/x
ip device tracking maximum <the maximum number of devices on the port>
Depending on the switch in use, you might need to go through a different set of syntaxes, example:
device-tracking tracking
device-tracking policy MY-TRACKING-POLICY
limit address-count 10
no protocol udp
tracking enable
interface GigabitEthernet1/0/x
device-tracking attach-policy MY-TRACKING-POLICY
Or if you want to enable it per VLAN basis:
vlan configuration 10
device-tracking attach-policy MY-TRACKING-POLICY
To check the device tracking database, use the command show ip device tracking all, or depending on the switch platform, show device-tracking database. You can also specify the interested interface you want to check.
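As an added example (not code from this thread, from Cisco, or from ISE), here is a small Python checker that applies the reasoning above to the "show authentication sessions" output and the switch configuration posted in the question: it flags a session that has a dACL applied but an Unknown IP address, and then looks in the running config for the global `ip device tracking` command (or a `device-tracking attach-policy` line). The sample texts below are constructed from the thread's output; the assumption that `ip device tracking probe delay` alone does not enable tracking, and the exact command forms it looks for, are taken from the accepted answer rather than verified against every IOS release.

```python
import re

# Constructed sample, trimmed from the session output posted in the question.
SAMPLE_SESSION = """\
Interface: GigabitEthernet0/16
MAC Address: 18a9.0598.f631
IP Address: Unknown
User-Name: 18-A9-05-98-F6-31
Status: Authz Success
Domain: DATA
Vlan Policy: 244
ACS ACL: xACSACLx-IP-PERMIT_ANY-5fad6532
Common Session ID: 0AC31DFC0000002743AE10BE
"""

# Constructed sample, trimmed from the switch config posted in the question.
# Note that only the probe-delay sub-command is present, not the global enable.
SAMPLE_CONFIG = """\
ip device tracking probe delay 10
!
interface GigabitEthernet0/16
 switchport mode access
 authentication port-control auto
 mab
"""


def parse_session(text):
    """Turn 'Key: Value' lines of show authentication sessions into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # skip the 'Runnable methods list' table and blank lines
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def tracking_enabled(config):
    """True if the config enables device tracking in either syntax (assumed forms)."""
    lines = [l.strip() for l in config.splitlines()]
    legacy = "ip device tracking" in lines          # exact global command, old syntax
    new_style = any(re.match(r"device-tracking attach-policy\s+\S+", l) for l in lines)
    return legacy or new_style


def diagnose(session_text, config_text):
    """Return a list of findings explaining why the endpoint may have no IP."""
    s = parse_session(session_text)
    findings = []
    if s.get("Status") != "Authz Success":
        findings.append("authorization did not succeed; check the ISE live logs first")
        return findings
    dacl = s.get("ACS ACL")
    ip = s.get("IP Address", "Unknown")
    if dacl and ip == "Unknown":
        findings.append(
            f"dACL {dacl} is applied but the switch learned no IP, so the "
            "'any' source in the dACL cannot be replaced with the host address"
        )
        if not tracking_enabled(config_text):
            findings.append(
                "device tracking is not enabled in the switch config: add "
                "'ip device tracking' globally (or attach a device-tracking policy)"
            )
    if not findings:
        findings.append("session has an IP and/or no dACL; check VLAN and DHCP reachability instead")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_SESSION, SAMPLE_CONFIG):
        print("-", finding)
```

Run it as-is to see the two findings for the configuration in the question; prepend `ip device tracking` to `SAMPLE_CONFIG` and the second finding disappears, which is exactly the change the accepted answer recommends.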
11-13-2020 02:21 AM
Can anyone give me a hint? I'm stuck, I already tested a lot of things, but still the same =/
What am I missing here?
11-13-2020 02:50 AM
I would start by doing basic connectivity troubleshooting. If you disable authentication on the switchport (authentication port-control force-authorized) and configure the switchport manually for vlan 244 (switchport access vlan 244), does your endpoint get an IP address then?
11-13-2020 03:04 AM - edited 11-13-2020 03:04 AM
Only with switchport access vlan 244 - it will work fine.
With ISE in the middle (every authentication and authorization passes) and with the dot1x configuration on the switch I can't get an IP.
11-13-2020 07:19 PM - edited 11-14-2020 01:20 PM
> ACS ACL: xACSACLx-IP-PERMIT_ANY-5fad6532
That means you are sending down a DACL from ISE. With DACL, we need IP device tracking working. Please review the ISE Secure Wired Access Prescriptive Deployment Guide.
Besides, you should check and compare how the DHCP requests are made to the DHCP server with and without enabling 802.1X/MAB authentication.
03-16-2021 08:07 PM
Hi,
I need help, I'm facing a problem. The device that connects has a successful connection, but it doesn't get an IP. Can this method solve my problem? Hope you can help me. Thank you.
10-31-2023 02:54 AM
Not getting an IP could be related to a wrong VLAN on the switch port, or maybe a firewall rule that is blocking the DHCP traffic towards the DHCP server. Did you check the DHCP lease on the server to see if there was an IP lease created for that endpoint?