ISE not receiving DHCP attributes from device sensor RADIUS probe

duncanmj
Level 1

Hi,

Anyone able to help with an issue I am having?

Issue with 3650 running 16.6.6 and ISE 2.6 (P1).

The device sensor seems to be working correctly, as I can see CDP and DHCP attributes under "sh device-sensor cache all"; however, when looking under multiple devices in ISE Context Visibility I am only seeing the CDP attributes and not the DHCP attributes.

Switch Config:

aaa authentication login default group groupt local-case
aaa authentication enable default group groupt enable
aaa authentication dot1x default group groupr
aaa authorization console
aaa authorization exec default group groupt local if-authenticated
aaa authorization commands 15 default group groupt local if-authenticated
aaa authorization network default group groupr
aaa accounting send stop-record authentication failure
aaa accounting update newinfo periodic 240
aaa accounting identity default start-stop group groupr
aaa accounting exec default start-stop group groupt
aaa accounting commands 15 default start-stop group groupt
aaa accounting system default start-stop group groupt

aaa server radius dynamic-author
client 10.110.3.22 server-key 7 XYZ


aaa session-id common

ip dhcp snooping vlan 1-600
no ip dhcp snooping information option
ip dhcp snooping

device-sensor filter-list dhcp list DHCP-LIST
option name host-name
option name requested-address
option name parameter-request-list
option name class-identifier
option name client-identifier
!
device-sensor filter-list lldp list LLDP-LIST
tlv name system-name
tlv name system-description
tlv name system-capabilities
!
device-sensor filter-list cdp list CDP-LIST
tlv name device-name
tlv name address-type
tlv name capabilities-type
tlv name version-type
tlv name platform-type
device-sensor filter-spec dhcp include list DHCP-LIST
device-sensor filter-spec lldp include list LLDP-LIST
device-sensor filter-spec cdp include list CDP-LIST
device-sensor notify all-changes

access-session attributes filter-list list AS_List
vlan-id
cdp
lldp
dhcp
http
access-session authentication attributes filter-spec include list AS_List
access-session accounting attributes filter-spec include list AS_List
access-session monitor
access-session acl default passthrough
!
device-tracking policy Tracking_Policy
trusted-port
no protocol udp
tracking enable

service-template CRITICAL_AUTH
description CRITICAL
access-group CRITICAL_AUTH_ACL
voice vlan
dot1x system-auth-control

class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
match result-type aaa-timeout
match authorization-status authorized
!
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
match result-type aaa-timeout
match authorization-status unauthorized
!
class-map type control subscriber match-all DOT1X_FAILED
match method dot1x
match result-type method dot1x authoritative
!
class-map type control subscriber match-all DOT1X_NO_AGENT
match method dot1x
match result-type method dot1x agent-not-found
!
class-map type control subscriber match-any IN_CRITICAL_AUTH
match activated-service-template CRITICAL_AUTH
!
class-map type control subscriber match-all MAB_FAILED
match method mab
match result-type method mab authoritative
!
class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH
match activated-service-template CRITICAL_AUTH

policy-map type control subscriber AUTH
event session-started match-all
10 class always do-until-failure
10 authenticate using dot1x priority 10
event authentication-failure match-first
10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
10 activate service-template CRITICAL_AUTH
20 authorize
30 pause reauthentication
20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
10 pause reauthentication
20 authorize
30 class DOT1X_NO_AGENT do-until-failure
10 terminate dot1x
20 authenticate using mab priority 20
40 class MAB_FAILED do-until-failure
10 terminate mab
20 authentication-restart 60
50 class DOT1X_FAILED do-until-failure
10 terminate dot1x
20 authenticate using mab priority 20
60 class always do-until-failure
10 terminate dot1x
20 terminate mab
30 authentication-restart 60
event agent-found match-all
10 class always do-until-failure
10 authenticate using dot1x priority 10
event aaa-available match-all
10 class IN_CRITICAL_AUTH do-until-failure
10 clear-session
20 class NOT_IN_CRITICAL_AUTH do-until-failure
10 resume reauthentication
event inactivity-timeout match-all
10 class always do-until-failure
10 unauthorize
20 clear-session

template RADIUS
dot1x pae authenticator
mab
access-session control-direction in
access-session port-control auto
authentication periodic
authentication timer reauthenticate server
service-policy type control subscriber AUTH
subscriber aging inactivity-timer 28800

ip access-list extended CRITICAL_AUTH_ACL
remark Permit All Access
permit ip any any

interface GigabitEthernet1/0/2
description Test Port
switchport access vlan 200
switchport mode access
switchport voice vlan 20
device-tracking attach-policy Tracking_Policy
source template RADIUS
spanning-tree portfast
!

radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only
radius-server dead-criteria time 10 tries 3
radius-server timeout 2
radius-server deadtime 10


hslai
Cisco Employee

Your configuration is looking OK from what I can tell. If possible, I would suggest trying the IOS-XE 16.9.x or 16.8.x train. If needed, engage Cisco TAC to troubleshoot.

I saw a similar issue a couple of months ago with 3650 on the IOS-XE 16.6 (or 16.4?) train and ISE 2.4 (Patch 6 or 7?) but did not have time to dig deeper at the time. IIRC... the RADIUS accounting packets were not there in ISE profiler.log with profiler in DEBUG, so it's possibly some data format problem.

Today I just tested two different combinations and both worked fine:

  • ISE 2.4 Patch 9 and IOS-XE 16.8.1s on 9300 with IBNS 2.0 configurations automated by DNA Center 1.2.6
  • ISE 2.6 Patch 1 and IOS-XE 3.6.3E on 3650 with IBNS 1.0 (manually configured)

Below is a TCPDUMP capture of a RADIUS accounting request, carrying the DHCP sensor data of a Windows 10 client, from the 9300 edge switch to ISE in our lab:

RADIUS Protocol
    Code: Accounting-Request (4)
    Packet identifier: 0x63 (99)
    Length: 606
    Authenticator: 3a2e137750e66dd9d53acf6ef4caba03
    Attribute Value Pairs
        AVP: l=211 t=Vendor-Specific(26) v=ciscoSystems(9)
            AVP Type: 26
            AVP Length: 211
            VSA: l=205 t=Cisco-AVPair(1): cts-pac-opaque=\000\002\000\270\000\003\000\001\000\004\000\020\274Y\370\204A\006p\326\001\301\363\220\302\266$\377\000\006\000\234\000\003\001\000\232\363\302\306\200\001U\320\262\320\345{\000\203\376\241\000
                Cisco-AVPair: cts-pac-opaque=
        AVP: l=38 t=Vendor-Specific(26) v=ciscoSystems(9)
            AVP Type: 26
            AVP Length: 38
            VSA: l=32 t=Cisco-AVPair(1): dhcp-option=\0007\000\016\001\003\006\017\037!+,./wy\371\374
                Cisco-AVPair: dhcp-option=
        AVP: l=32 t=Vendor-Specific(26) v=ciscoSystems(9)
            AVP Type: 26
            AVP Length: 32
            VSA: l=26 t=Cisco-AVPair(1): dhcp-option=\000<\000\bMSFT 5.0
                Cisco-AVPair: dhcp-option=
        AVP: l=39 t=Vendor-Specific(26) v=ciscoSystems(9)
            AVP Type: 26
            AVP Length: 39
            VSA: l=33 t=Cisco-AVPair(1): dhcp-option=\000\f\000\017DESKTOP-FFKLA27
                Cisco-AVPair: dhcp-option=
        AVP: l=11 t=User-Name(1): employee1
            AVP Type: 1
            AVP Length: 11
            User-Name: employee1
        AVP: l=49 t=Vendor-Specific(26) v=ciscoSystems(9)
            AVP Type: 26
            AVP Length: 49
            VSA: l=43 t=Cisco-AVPair(1): audit-session-id=0502A8C00000005BC48AF89F
                Cisco-AVPair: audit-session-id=0502A8C00000005BC48AF89F
        AVP: l=20 t=Vendor-Specific(26) v=ciscoSystems(9)
            AVP Type: 26
            AVP Length: 20
            VSA: l=14 t=Cisco-AVPair(1): method=dot1x
                Cisco-AVPair: method=dot1x
        AVP: l=19 t=Called-Station-Id(30): DC-F7-19-50-97-01
            AVP Type: 30
            AVP Length: 19
            Called-Station-Id: DC-F7-19-50-97-01
        AVP: l=19 t=Calling-Station-Id(31): 00-50-56-AE-20-E0
            AVP Type: 31
            AVP Length: 19
            Calling-Station-Id: 00-50-56-AE-20-E0
        AVP: l=6 t=NAS-IP-Address(4): 192.168.120.1
            AVP Type: 4
            AVP Length: 6
            NAS-IP-Address: 192.168.120.1
        AVP: l=22 t=NAS-Port-Id(87): GigabitEthernet1/0/1
            AVP Type: 87
            AVP Length: 22
            NAS-Port-Id: GigabitEthernet1/0/1
        AVP: l=6 t=NAS-Port-Type(61): Ethernet(15)
            AVP Type: 61
            AVP Length: 6
            NAS-Port-Type: Ethernet (15)
        AVP: l=6 t=NAS-Port(5): 50101
            AVP Type: 5
            AVP Length: 6
            NAS-Port: 50101
        AVP: l=10 t=Acct-Session-Id(44): 00000057
            AVP Type: 44
            AVP Length: 10
            Acct-Session-Id: 00000057
        AVP: l=6 t=Acct-Authentic(45): Remote(3)
            AVP Type: 45
            AVP Length: 6
            Acct-Authentic: Remote (3)
        AVP: l=50 t=Class(25): 434143533a30353032413843303030303030303542433438...
            AVP Type: 25
            AVP Length: 50
            Class: 434143533a30353032413843303030303030303542433438...
        AVP: l=6 t=Acct-Status-Type(40): Interim-Update(3)
            AVP Type: 40
            AVP Length: 6
            Acct-Status-Type: Interim-Update (3)
        AVP: l=6 t=Event-Timestamp(55): Jul  5, 2019 16:49:38.000000000 PDT
            AVP Type: 55
            AVP Length: 6
            Event-Timestamp: Jul  5, 2019 16:49:38.000000000 PDT
        AVP: l=6 t=Acct-Input-Octets(42): 0
            AVP Type: 42
            AVP Length: 6
            Acct-Input-Octets: 0
        AVP: l=6 t=Acct-Output-Octets(43): 0
            AVP Type: 43
            AVP Length: 6
            Acct-Output-Octets: 0
        AVP: l=6 t=Acct-Input-Packets(47): 0
            AVP Type: 47
            AVP Length: 6
            Acct-Input-Packets: 0
        AVP: l=6 t=Acct-Output-Packets(48): 0
            AVP Type: 48
            AVP Length: 6
            Acct-Output-Packets: 0
        AVP: l=6 t=Acct-Delay-Time(41): 0
            AVP Type: 41
            AVP Length: 6
            Acct-Delay-Time: 0
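When comparing a capture like the one above against what ISE shows in Context Visibility, it helps to decode the dhcp-option AVPairs rather than read the escaped bytes by eye. The following is an added Python example, not code from this thread or from Cisco: it takes the strings exactly as Wireshark prints them, converts them back to bytes, and splits each into the 2-byte option code, 2-byte length and value that the three samples above share (that layout is inferred from those samples, and the option-number-to-name table is assumed from the poster's DHCP filter list).

```python
"""Decode Cisco-AVPair dhcp-option= values from a device-sensor RADIUS accounting request."""
import struct

# Option numbers matching the poster's device-sensor DHCP filter list (assumed mapping)
DHCP_OPTION_NAMES = {12: "host-name", 50: "requested-address", 55: "parameter-request-list",
                     60: "class-identifier", 61: "client-identifier"}


def unescape_wireshark(text):
    """Turn Wireshark's C-style escaped display (octal escapes, backslash-b, backslash-f) into bytes."""
    return text.encode("ascii").decode("unicode_escape").encode("latin-1")


def parse_dhcp_option(payload):
    """One dhcp-option payload: 16-bit option code, 16-bit length, then the option value."""
    if len(payload) < 4:
        raise ValueError("dhcp-option payload is shorter than its 4-byte header")
    code, length = struct.unpack("!HH", payload[:4])
    value = payload[4:4 + length]
    if len(value) != length:
        raise ValueError(f"option {code}: header says {length} bytes, only {len(value)} present")
    if code == 55:                  # parameter request list: one option number per byte
        decoded = list(value)
    elif code == 50:                # requested IPv4 address
        decoded = ".".join(str(b) for b in value)
    elif code in (12, 60):          # host-name / class-identifier are printable text
        decoded = value.decode("ascii", errors="replace")
    else:                           # client-identifier and anything unexpected: keep as hex
        decoded = value.hex()
    return code, DHCP_OPTION_NAMES.get(code, f"option-{code}"), decoded


def decode_avpairs(avpairs):
    """Map every dhcp-option= AVPair to {option name: decoded value}; other AVPairs are skipped."""
    found = {}
    for av in avpairs:
        key, sep, raw = av.partition("=")
        if sep and key == "dhcp-option":
            _, name, decoded = parse_dhcp_option(unescape_wireshark(raw))
            found[name] = decoded
    return found


# Constructed input: the three dhcp-option VSAs copied from the dissection above, plus one
# non-DHCP AVPair from the same packet to show it is ignored
SAMPLE_AVPAIRS = [
    r"dhcp-option=\0007\000\016\001\003\006\017\037!+,./wy\371\374",
    r"dhcp-option=\000<\000\bMSFT 5.0",
    r"dhcp-option=\000\f\000\017DESKTOP-FFKLA27",
    "method=dot1x",
]

if __name__ == "__main__":
    for name, value in decode_avpairs(SAMPLE_AVPAIRS).items():
        print(f"{name}: {value}")
```

If the accounting request on the wire decodes cleanly but the attributes still never appear in Context Visibility, the gap is on the ISE side (profiler.log with the profiler component in DEBUG, as the reply suggests) rather than in the switch's device-sensor configuration.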