03-06-2021 06:38 AM
Hello All,
I am facing an issue in Cisco ISE for wired users and would like to get your help. Below are the details:
1. We are using ISE version 2.7.
2. Two different series of Cisco Switches 2960x and 9200
3. No issue faced by users who are connected on 9200 series switches
4. For users connected on 2960x series switches, there are two issues
4.1 users move from Compliant State to Unknown state, even after doing multiple Network Repairs on end user side, it doesn't get back to Compliant state.
4.2 users when in Compliant State don't have any network access. They will have an IP Address through DHCP but they cannot ping Default Gateway.
We have enabled dot1x authentication for end users and have 3 Authorization Policies
Compliant Authorization Policy
NAS Port Type: Ethernet,
Posture Status: Compliant
EAP Chaining Result: User and Machine both succeeded.
Non-Compliant Authorization Policy
Posture Status: Non Compliant
Unknown
Posture Status: Unknown
Strangely, we started facing these issues on the 2960x when we upgraded the IOS image from 15.0 to 15.2(2)E6.
Before the upgrade of the switch, users were connected and had network access, once compliant they will stay compliant.
Reason for the switch upgrade was that in 15.0 image, users were not automatically redirected to Client Provisioning Portal to download Cisco Anyconnect software from the portal. After IOS upgrade, redirection to client provisioning portal issue has been resolved but facing two new issues as mentioned above.
I have attached switch configuration of 2960x. Please check if you find anything missing.
03-07-2021 02:26 PM
Hi @Mohammad Raza Meer ,
first of all ... the 2960X - 15.2(2)E6 is compatible with ISE 2.7 (ISE Compatibility Matrix Network Component Compatibility 2.7 - search for Validated Cisco Access Switches).
second ... use the following commands to check what is happening during the issue:
show authentication sessions interface <interface> details
debug dot1x all
Hope this helps !!!
03-07-2021 11:39 PM
Thank you for your response!
Users on 2960x are hitting the same authentication and authorization policies that users on 9200 series switches are hitting. Posture status will be compliant.
Today I fixed one of the issues faced. I went to Operations -> Diagnostic Tool -> Configuration Evaluator and saw that DHCP snooping commands are shown as mandatory. I ran the DHCP snooping commands on the switch. After this modification in configuration, users on the 2960x switch, when in Compliant state (both on the computer side and in ISE RADIUS Live Logs), have network/internet access. DHCP snooping configuration was not required on 9200 series switches and the users there are working without any issue.
The second issue that I am facing I am still working on; it is not yet resolved. For testing, I restarted the computer to see if the user would get network access once his system is rebooted. What happens is that the user hits the Unknown Authorization Policy, but on the user side it shows Compliant. On the switch, show authentication sessions interface gig x/x shows that the user has a URL redirect and REDIRECT-ACL applied. The end user is redirected to the client provisioning portal. The URL redirect should not be applied on the user side when he already has the AnyConnect software installed and was previously compliant (or in other words, the user should not hit the Unknown Authorization Policy).
03-08-2021 03:04 AM
it's correct for a User to hit the "Unknown Authorization Policy" because the Posture Status is Unknown, at this point, an Authorization Profile that contains the Redirect URL must be applied ... the question is, why the User is not hitting the Posture Status of Compliant on ISE?
Could you please check the Posture Status of the User at:
Work Center > Posture > Reports > Reports > Posture Reports > Posture Assessment by Endpoint
PS.: good news about the dhcp snooping, but also interesting ... did you only have to apply the ip dhcp snooping command globally?
Hope this helps !!!
03-08-2021 05:38 AM
Hi
This is what i did now for testing
On switch shut/no-shut on user interface
Now the question is that it's okay for the user to hit the "Unknown Authorization Policy" at first, but it should complete the Network Scan and move to the "Compliant Authorization Policy" automatically, without user intervention and without doing a network repair 2 to 3 times.
I checked the Posture status as mentioned in your comment, and I found that at both times (unknown-auth-policy and compliant-auth-policy) the user's end machine shows status Compliant in the posture assessment report. The only difference between the two reports is the "username": when in unknown-auth-policy it is the "mac address of the machine", and it is the "actual user-id" of the user when in "compliant-auth-policy".
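As an added defender-side check (example code, not from this thread or from Cisco), the Python below parses a constructed show authentication sessions interface ... details output and flags the mismatch described in this post: the switch still enforces the ISE URL redirect ACL and the User-Name is the endpoint MAC, while the ISE posture report already says Compliant. The session text, the posture-report dict and its shape are constructed assumptions.

```python
import re

# Constructed sample (not from the thread): IOS 15.2-style session details
# for one endpoint still carrying the ISE redirect after posture passed.
SAMPLE_SESSION = """\
            Interface:  GigabitEthernet1/0/5
          MAC Address:  0011.2233.4455
         IPv4 Address:  10.1.20.57
            User-Name:  00-11-22-33-44-55
               Status:  Authorized
    Common Session ID:  0A0114010000003C0012ABCD
Server Policies:
         URL Redirect:  https://ise-psn.example.invalid:8443/portal/gateway?sessionId=0A0114010000003C0012ABCD&action=cpp
     URL Redirect ACL:  REDIRECT-ACL
Method status list:
       Method           State
       dot1x            Authc Success
"""

# Constructed posture-report lookup (assumed shape): endpoint MAC -> status,
# as read from Posture Assessment by Endpoint.
POSTURE_REPORT = {"00:11:22:33:44:55": "Compliant"}

# "Field:  value" lines; headers such as "Server Policies:" have no value.
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 -]*?):\s+(.*?)\s*$")

def parse_session(text):
    """Return {'Field': value} for the key/value lines of the session output."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def normalize_mac(mac):
    """Accept 0011.2233.4455 / 00-11-22-33-44-55 forms; None if not a MAC."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def stuck_in_redirect(fields, posture):
    """True when the switch still applies the redirect ACL, the session identity
    is the endpoint MAC (no user identity yet), and ISE already reports Compliant."""
    mac = normalize_mac(fields.get("MAC Address", ""))
    redirect_applied = "URL Redirect ACL" in fields
    username_is_mac = mac is not None and normalize_mac(fields.get("User-Name", "")) == mac
    compliant = posture.get(mac) == "Compliant"
    return redirect_applied and username_is_mac and compliant
```

A session flagged by this check is the case to capture (DART bundle, debug output) rather than one to repair on the client.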
03-08-2021 06:54 AM
Hi @Mohammad Raza Meer ,
the User should first hit "Unknown Authorization Policy", complete the Network Scan and move to the "Compliant Authorization Policy" automatically.
Please take a look at:
Operations > Reports > Reports > Endpoints and Users > RADIUS Authentication and also RADIUS Accounting
if the Authentication and Accounting has the same PSN Node.
Hope this helps !!!
03-10-2021 09:27 AM
I checked the Authentication and Accounting Servers, both are same PSN Nodes.
I opened TAC case and the engineer requested for the DART Bundle when the end device has hit the "Unknown Authorization Policy" and not moved to "Compliant Authorization Policy".
This is the response from the Engineer
"On the first attempt for the 13:21 I can see that all probes are unreachable while being able to reach out directly to ISE. This would point out the issue in the configuration for the redirect but the next discovery attempt at 13:28 did succeed for the redirect probe sent to discovery host. This would point to the issue being intermittent.
On top of the 13:28 issue we can see that AnyConnect does receive redirection URLs for all 3 probes and only 1 of them was successful; since all 3 URLs are the same, it would also point to the issue being somewhere in the network. I'm doing some further internal checks regarding this behavior."
03-10-2021 10:44 AM
thanks for the feedback !!!
Please take a look at ISE Posture Style Comparison for Pre and Post 2.2 for a better understanding of the Posture process:
"...
Step 12. In ISE 2.2, the posture process is divided into two stages. The first stage contains a set of traditional posture discovery probes to support backward compatibility with deployments which rely on URL Redirect.
Step 13. The first stage contains all traditional posture discovery probes. To get more details about the probes please review Step 20 in the Pre ISE 2.2 posture flow.
Step 14. Stage two contains two discovery probes which allow the AC ISE posture module to establish a connection to the PSN where the session is authenticated, in environments where redirection is not supported. During stage two all probes are sequential.
..."
Hope this helps !!!
03-08-2021 05:41 AM
Regarding DHCP Snooping
Yes, I applied the ip dhcp snooping commands that were given in the ISE Configuration Evaluator (3 to 4 commands) and after this the user got network access. Before DHCP snooping was applied on the switch, the user would not have any network access even after reaching step 5 above.