
ISE, MAB issue

c.andrew
Level 1

I'm working with the following lab:

ISE 1.1.3.124

3560 running c3560-ipservicesk9-mz.122-55.SE

Cisco AP (1131, 1231).

I'm attempting MAB. The AP is being profiled correctly and I'm seeing successful authen and authz. But the device (AP/whatever) cannot pick up a DHCP address. If I manually assign an IP, then no traffic flows through the switchport. DHCP works fine for ports with no security. The DACL is being applied and should permit the traffic - I've even tried a permit ip any any.

I've attached the switch config and some ISE screenshots / logs.

Some further details below.

Thanks to anyone if you can nudge me in the right direction.

## switch dot1x debug

%MAB-5-SUCCESS: Authentication successful for client (001b.2abc.5de0) on Interface Fa0/2 AuditSessionID C0A863FE000001392E8FE236
3560-1#
%EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 001b.2abc.5de0| AuditSessionID C0A863FE000001392E8FE236| AUTHTYPE DOT1X| EVENT APPLY
%EPM-6-AAA: POLICY xACSACLx-IP-LAB2-WLC-ONLY-5160b7f6| EVENT DOWNLOAD-REQUEST
%EPM-6-AAA: POLICY xACSACLx-IP-LAB2-WLC-ONLY-5160b7f6| EVENT DOWNLOAD-SUCCESS
%EPM-6-IPEVENT: IP 0.0.0.0| MAC 001b.2abc.5de0| AuditSessionID C0A863FE000001392E8FE236| AUTHTYPE DOT1X| EVENT IP-WAIT
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up
3560-1#
%AUTHMGR-5-SUCCESS: Authorization succeeded for client (001b.2abc.5de0) on Interface Fa0/2 AuditSessionID C0A863FE000001392E8FE236

3560-1#sh authentication sessions int fa0/2
            Interface:  FastEthernet0/2
          MAC Address:  001b.2abc.5de0
           IP Address:  Unknown
            User-Name:  00-1B-2A-BC-5D-E0
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  single-host
     Oper control dir:  both
        Authorized By:  Authentication Server
           Vlan Group:  N/A
              ACS ACL:  xACSACLx-IP-LAB2-WLC-ONLY-5160b7f6
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  C0A863FE000001392E8FE236
      Acct Session ID:  0x00000180
               Handle:  0xFC000139
Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success

3560-1#sh authentication method mab
Interface  MAC Address     Method   Domain   Status         Session ID
Fa0/2      001b.2abc.5de0  mab      DATA     Authz Success  C0A863FE000001392E8FE236

3560-1#sh ip access-lists
Standard IP access list 10
    10 permit 192.168.99.10 (9814 matches)
    20 deny   any log
Extended IP access list ACL_DEFAULT
    10 permit udp any eq bootpc any eq bootps (71 matches)
    20 permit udp any any eq domain
    30 permit icmp any any
    40 permit udp any any eq tftp
    50 permit ip any host 192.168.99.10
    60 deny ip any any log
Extended IP access list ACL_REDIRECT
    10 deny udp any eq bootpc any eq bootps
    20 deny udp any any eq domain
    30 deny ip any host 192.168.99.10
    40 permit tcp any any eq www
    50 deny ip any any
Extended IP access list xACSACLx-IP-LAB2-WLC-ONLY-5160b7f6 (per-user)
    10 permit udp any eq bootpc any eq bootps
    20 permit udp any any eq domain
    30 permit ip any host 192.168.99.224
    40 deny ip any any log
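The session dump and EPM syslog above already narrow the problem down: the session is in "Authz Success" with the DACL downloaded, yet the IP address stays "Unknown" and the last EPM event is IP-WAIT, so AAA has done its job and the endpoint simply never obtained an address. The following Python script is an added triage example (not part of the post and not a Cisco tool) that parses abridged copies of that output, confirms the downloaded DACL actually permits DHCP (a client bootpc to server bootps rule), and classifies the session so a troubleshooter knows whether to look at the DACL or at the switch's DHCP forwarding path. The verdict strings and the parsing helpers are this example's own conventions.

```python
import re

# Abridged output of "sh authentication sessions int fa0/2" from the post above.
SESSION_OUTPUT = """\
            Interface:  FastEthernet0/2
          MAC Address:  001b.2abc.5de0
           IP Address:  Unknown
            User-Name:  00-1B-2A-BC-5D-E0
               Status:  Authz Success
               Domain:  DATA
        Authorized By:  Authentication Server
              ACS ACL:  xACSACLx-IP-LAB2-WLC-ONLY-5160b7f6
    Common Session ID:  C0A863FE000001392E8FE236
Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
"""

# EPM syslog lines from the post for the same session.
SYSLOG_LINES = [
    "%EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 001b.2abc.5de0| AuditSessionID C0A863FE000001392E8FE236| AUTHTYPE DOT1X| EVENT APPLY",
    "%EPM-6-AAA: POLICY xACSACLx-IP-LAB2-WLC-ONLY-5160b7f6| EVENT DOWNLOAD-SUCCESS",
    "%EPM-6-IPEVENT: IP 0.0.0.0| MAC 001b.2abc.5de0| AuditSessionID C0A863FE000001392E8FE236| AUTHTYPE DOT1X| EVENT IP-WAIT",
]

# Abridged "sh ip access-lists" from the post: the redirect ACL and the per-user DACL.
ACL_OUTPUT = """\
Extended IP access list ACL_REDIRECT
    10 deny udp any eq bootpc any eq bootps
    40 permit tcp any any eq www
    50 deny ip any any
Extended IP access list xACSACLx-IP-LAB2-WLC-ONLY-5160b7f6 (per-user)
    10 permit udp any eq bootpc any eq bootps
    20 permit udp any any eq domain
    30 permit ip any host 192.168.99.224
    40 deny ip any any log
"""


def parse_session(text):
    """Split the session dump into {field: value} plus {method: state}."""
    fields, methods, in_methods = {}, {}, False
    for line in text.splitlines():
        if line.strip() == "Runnable methods list:":
            in_methods = True
        elif in_methods:
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0] != "Method":
                methods[parts[0]] = parts[1].strip()
        else:
            m = re.match(r"\s*(.+?):\s+(.*)$", line)
            if m:
                fields[m.group(1)] = m.group(2).strip()
    return fields, methods


def parse_access_lists(text):
    """Return {acl name: [entry lines]} from "sh ip access-lists" output."""
    acls, current = {}, None
    for line in text.splitlines():
        m = re.match(r"(Standard|Extended) IP access list (\S+)", line)
        if m:
            current = m.group(2)
            acls[current] = []
        elif current and line.strip():
            acls[current].append(line.strip())
    return acls


def dacl_permits_dhcp(acls, name):
    """True if the named ACL has a permit for UDP traffic to the DHCP server port."""
    return any(re.search(r"permit udp .*eq bootps", e) for e in acls.get(name, []))


def diagnose(session_text, syslog_lines, acl_text):
    """Classify an authorized-but-no-IP session: DACL blocking DHCP, or a
    problem beyond AAA (the switch's DHCP forwarding path, e.g. snooping)."""
    fields, _ = parse_session(session_text)
    acls = parse_access_lists(acl_text)
    sid = fields.get("Common Session ID", "")
    ip_events = [l for l in syslog_lines if "IPEVENT" in l and sid in l]
    last_ip_event = ip_events[-1].rsplit("EVENT ", 1)[1].strip() if ip_events else None
    authorized = fields.get("Status") == "Authz Success"
    no_ip = fields.get("IP Address") == "Unknown"
    dacl_ok = dacl_permits_dhcp(acls, fields.get("ACS ACL", ""))
    if not authorized:
        verdict = "not-authorized"
    elif no_ip and not dacl_ok:
        verdict = "authorized-no-ip-dacl-blocks-dhcp"
    elif no_ip:
        verdict = "authorized-no-ip-dacl-ok"   # AAA and DACL are fine; check DHCP path
    else:
        verdict = "ok"
    return {"verdict": verdict, "last_ip_event": last_ip_event, "dacl": fields.get("ACS ACL")}


if __name__ == "__main__":
    print(diagnose(SESSION_OUTPUT, SYSLOG_LINES, ACL_OUTPUT))
```

Run against the post's own output the script reports "authorized-no-ip-dacl-ok" with the last EPM event IP-WAIT: the per-user ACL permits bootpc to bootps, so the DACL is not what is dropping the DHCP exchange, which is exactly the situation the poster was in before finding the real cause on the switch.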


2 Replies

c.andrew
Level 1

Ignore the above - problem found - I had missed "ip dhcp snooping trust" on my dhcp server interface.
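The fix above is easy to miss in a config review: with DHCP snooping enabled on a VLAN, the switch drops server-side DHCP messages (OFFER/ACK) arriving on any port in that VLAN that is not marked `ip dhcp snooping trust`, so an authorized client sits in IP-WAIT forever. The following Python script is an added example, not the poster's attached config and not a Cisco tool, that audits a constructed IOS running-config excerpt for exactly this gap: for each interface the operator names as facing a DHCP server (a hypothetical input list), it reports the ones that sit in a snooped VLAN without the trust statement. The interface names, VLAN number and description text are constructed for the example.

```python
import re

# Constructed IOS running-config excerpt (not the poster's attached config):
# DHCP snooping is on for VLAN 99, but the server-facing port is not trusted.
CONFIG_BEFORE = """\
ip dhcp snooping vlan 99
ip dhcp snooping
!
interface FastEthernet0/2
 switchport access vlan 99
 switchport mode access
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface FastEthernet0/24
 description DHCP server
 switchport access vlan 99
 switchport mode access
!
"""

# Same config with the missing trust statement added on the server port.
CONFIG_AFTER = CONFIG_BEFORE.replace(
    " description DHCP server\n",
    " description DHCP server\n ip dhcp snooping trust\n",
)


def parse_interfaces(config):
    """Return {interface name: [indented config lines]} for each stanza."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line.startswith(" ") and current is not None:
            ifaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return ifaces


def snooping_vlans(config):
    """Set of VLAN ids listed in 'ip dhcp snooping vlan ...' (ranges and lists)."""
    vlans = set()
    for m in re.finditer(r"^ip dhcp snooping vlan ([\d,\-]+)$", config, re.M):
        for part in m.group(1).split(","):
            if "-" in part:
                lo, hi = part.split("-")
                vlans.update(range(int(lo), int(hi) + 1))
            else:
                vlans.add(int(part))
    return vlans


def carries_snooped_vlan(lines, snooped):
    """True if the port is an access port in a snooped VLAN, or a trunk
    (which carries every VLAN unless pruned, so treat it as in scope)."""
    if "switchport mode trunk" in lines:
        return bool(snooped)
    vlan = 1  # IOS default access VLAN
    for l in lines:
        m = re.match(r"switchport access vlan (\d+)$", l)
        if m:
            vlan = int(m.group(1))
    return vlan in snooped


def audit_dhcp_trust(config, server_interfaces):
    """Return the server-facing interfaces whose DHCP replies snooping will drop:
    in a snooped VLAN, snooping globally on, and no 'ip dhcp snooping trust'."""
    if not re.search(r"^ip dhcp snooping$", config, re.M):
        return []  # snooping not enabled globally: nothing is filtered
    snooped = snooping_vlans(config)
    ifaces = parse_interfaces(config)
    return [
        name for name in server_interfaces
        if carries_snooped_vlan(ifaces.get(name, []), snooped)
        and "ip dhcp snooping trust" not in ifaces.get(name, [])
    ]


if __name__ == "__main__":
    print("before:", audit_dhcp_trust(CONFIG_BEFORE, ["FastEthernet0/24"]))
    print("after: ", audit_dhcp_trust(CONFIG_AFTER, ["FastEthernet0/24"]))
```

On the "before" config the audit names FastEthernet0/24 as the untrusted server port; on the "after" config it reports nothing. The list of server-facing interfaces is deliberately an input rather than something guessed from descriptions, since the switch itself has no way to know where the DHCP server is, which is precisely why the trust statement has to be configured by hand.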

It is nice to see that you found the resolution. The command “ip dhcp snooping trust” validates DHCP messages received from untrusted sources and filters out invalid messages.