ISE - missing IP informations from endpoint

Hi Community,

We see some endpoints that do not contain IP information in ISE.
If we check the endpoint information on the switch with
show auth session int gig3/0/3 detail,
the IP information is displayed.

Unfortunately we have some profiling policies that make a VLAN decision based on the IP address of the endpoint.
Sometimes it helps to switch the port off and on, but of course this is not very practical as the clients are not online for quite a while.

I suspect that at the time the device is authenticated, the information is not available. Strangely enough, this also happens with endpoints that are re-authenticated. A CoA does not help here.
In the example we have MAB authentication, no 802.1x and the endpoint is statically addressed.

Thanks for your help.

Stefan

7 Replies

davidgfriedman
Level 1

Can you help me understand why you would try to tie a policy into an IP address?  If you're not setting the VLAN with a policy, then you'd be relying on the access vlan number assigned to the port, tied into a subnet on a layer 3 switch.  We've never used IP Addresses, in fact we try to avoid using the access vlan and try to tie all policies to vlan group names so the actual VLAN is a step away from the VLAN ID: drop a laptop into CORP in all switches and the VLAN group assignment puts it on the correct VLAN Id for that switch, no IP Address investigation required.  Then if someone changes VLANs, they just update the switch .. simple... easy .. and future-proof in case of any subnet changes or segmentation re-evaluations. I'd love to know why you need the IP address for policy assignment.

At the moment we are migrating from Extreme NAC to ISE. In our network there are a lot of different network endpoints. Roughly 80% are in the correct VLAN, but the last 20% are in the historical default VLAN.

Sometimes devices are not in the correct VLAN and use static IP addresses.
After migrating the first switches, we saw that we have thin clients in three different VLANs. Our thin client profile moves the devices to the correct VLAN, but without a reboot the device doesn't ask for a new IP.
Another example is that we will automate the onboarding process and saw that we have devices with the same MAC vendor. Digiboard is a good example: some devices are medical devices, some are building automation. So we need more information from the device to identify it correctly.

hslai
Cisco Employee

@StefanSeubert44470 Please check and confirm (1) that the switch is sending RADIUS accounting requests to ISE, and (2) that the frequency of the accounting requests is lower than the setting of Ignore repeated accounting updates within N seconds. It is good to perform packet captures of the RADIUS transactions to ensure the switch is sending the accounting requests, which may carry the IP updates.


Hi Hslai,

Accounting is enabled on the switches with the default setting

aaa accounting update newinfo periodic 2880

The ignore repeated accounting settings are also on the default value 5 seconds.

Could it be that the 5 seconds are too long?
So, for example: the device goes online, the IP was not yet determined by device tracking, MAB authentication is performed, and after e.g. 2 or 3 seconds the switch would send an update, which is ignored because ISE only evaluates updates after 5 seconds?

BR Stefan
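The two questions raised in this thread, whether the switch's accounting requests actually carry the learned IP, and whether an interim update arriving inside the "ignore repeated accounting updates" window could be dropped, can be checked against constructed packets. The following is an added example and is not code from the original thread, from Cisco, or from ISE: it builds two RADIUS Accounting-Request packets as a switch would send them (a Start without an IP, then an Interim-Update 2.5 seconds later carrying Framed-IP-Address from device tracking), parses out Acct-Status-Type, Calling-Station-Id, Acct-Session-Id and Framed-IP-Address (the attributes worth inspecting in a capture), and then applies a simplified per-session suppression model of the ISE setting. The MAC, session ID, IP and timings are constructed sample values, and the suppression model (drop any update that arrives within N seconds of the last accepted one for the same session) is an assumption about the setting's behaviour, not a statement of ISE internals.

```python
import struct
import ipaddress

# RADIUS constants (RFC 2865 / RFC 2866)
ACCOUNTING_REQUEST = 4
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def build_acct_request(ident, attrs):
    """Build an Accounting-Request from a list of (type, value_bytes) attributes.
    Constructed sample: the 16-byte Request Authenticator is zeroed because no
    shared secret is involved here."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    length = 20 + len(body)
    return struct.pack("!BBH", ACCOUNTING_REQUEST, ident, length) + bytes(16) + body


def parse_acct_request(pkt):
    """Extract the attributes relevant to the IP-learning question from one packet."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCOUNTING_REQUEST or length < 20 or length != len(pkt):
        raise ValueError("not a well-formed Accounting-Request")
    rec = {"id": ident, "status": None, "ip": None, "mac": None, "session": None}
    pos = 20
    while pos < length:
        t, l = struct.unpack("!BB", pkt[pos:pos + 2])
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        v = pkt[pos + 2:pos + l]
        if t == ATTR_ACCT_STATUS_TYPE:
            rec["status"] = ACCT_STATUS.get(struct.unpack("!I", v)[0], "Unknown")
        elif t == ATTR_FRAMED_IP_ADDRESS:
            rec["ip"] = str(ipaddress.IPv4Address(v))
        elif t == ATTR_CALLING_STATION_ID:
            rec["mac"] = v.decode()
        elif t == ATTR_ACCT_SESSION_ID:
            rec["session"] = v.decode()
        pos += l
    return rec


def apply_suppression(events, window_seconds):
    """Assumed model of 'Ignore repeated accounting updates within N seconds':
    an update for a session is dropped if it arrives within the window after the
    last accepted update for that same session. Returns the accepted records."""
    last_accepted = {}
    accepted = []
    for t, pkt in events:
        rec = parse_acct_request(pkt)
        prev = last_accepted.get(rec["session"])
        if prev is not None and t - prev < window_seconds:
            continue  # suppressed: any IP it carried is never seen
        last_accepted[rec["session"]] = t
        accepted.append((t, rec))
    return accepted


def learned_ip(events, window_seconds):
    """IP address the model ends up with for the session, or None."""
    for _, rec in apply_suppression(events, window_seconds):
        if rec["ip"]:
            return rec["ip"]
    return None


# Constructed sample: MAB session starts with no IP, device tracking learns the
# static address and the switch sends an Interim-Update ("newinfo") 2.5 s later.
MAC = b"00-11-22-33-44-55"
SESSION = b"0000001A"
START = build_acct_request(1, [
    (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 1)),
    (ATTR_CALLING_STATION_ID, MAC),
    (ATTR_ACCT_SESSION_ID, SESSION),
])
INTERIM = build_acct_request(2, [
    (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 3)),
    (ATTR_CALLING_STATION_ID, MAC),
    (ATTR_ACCT_SESSION_ID, SESSION),
    (ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.20.30.40").packed),
])
SAMPLE = [(0.0, START), (2.5, INTERIM)]

if __name__ == "__main__":
    for t, pkt in SAMPLE:
        print(f"t={t:>4}s", parse_acct_request(pkt))
    print("window 5s ->", learned_ip(SAMPLE, 5))  # update suppressed, no IP
    print("window 1s ->", learned_ip(SAMPLE, 1))  # update accepted, IP learned
```

With the default 5-second window the Interim-Update at 2.5 s is dropped under this model and the session never gets an IP, which matches the race Stefan describes; with a 1-second window it is accepted. In a real capture, the thing to confirm first is simply whether the Interim-Update carries Framed-IP-Address at all: if it does not, the window setting is not the cause.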

hslai
Cisco Employee

@StefanSeubert44470 That is possible. You may try tweaking the settings.

One reason I asked for packet captures is that we saw issues in the past where the switches were not sending accounting interim updates even though they were configured to. You may also check the RADIUS accounting reports in ISE and/or tail the localStore log of the ISE PSN.

@Rob Ingram device-tracking and DHCP snooping are configured. I read your linked documentation and the only thing that is missing is the device-sensor configuration. We don't have the filter lists active and some commands are not available.

@hslai I'll check if I can find a device where the issue is reproducible and start a packet capture. If it turns out that the switch sends out the IP information, I'll reduce the 5 seconds to a lower setting.