ISE3.1 shows no endpoints

Kasper Elsborg (Beginner)

Hi community. First, I'm studying ISE, so I'm simply a beginner. However, I've managed to integrate my NADs with TACACS+ and authenticate with AD.

It's a pure lab setup, with a ISE 3.1 and 4 switches, DC, with CA.

Client1 (Win10) has its certificate pushed from GPO and is attached to the interface.

Client2, a printer.

Client3, an Android device.

All 3 clients have internet access.

I'd like to authenticate with dot1x on the switchport, but after several attempts I still have no endpoints visible in ISE or anything in the live logs. I think it's the switch config, as the endpoints are in the device-tracking database on the switch.

It's kind of a big mouthful, but I need to start somewhere.

ISE 3.1 is in VLAN 3, 192.168.3.120

Clients are in VLAN 2, 192.168.2.0/24

DC is in VLAN 2, 192.168.2.82, and OSPF is enabled on the switches.

I hope you are able to help

Some information to begin with:

The 3650 switch is NOT licensed (could this be a problem?)
labsw2#sh device-tracking database 
Binding Table has 6 entries, 5 dynamic (limit 100000)
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match     0002:Orig trunk            0004:Orig access           
0008:Orig trusted trunk    0010:Orig trusted access   0020:DHCP assigned         
0040:Cga authenticated     0080:Cert authenticated    0100:Statically assigned   


    Network Layer Address               Link Layer Address Interface        vlan prlvl  age   state     Time left        
L   192.168.2.251                           00f2.8b47.3d77  Vl2               2  0100  201mn REACHABLE                   
ARP 192.168.2.231                           0021.cc72.70d9  Gi1/0/1           2  0005    5s  REACHABLE  N/A              
ARP 192.168.2.102                           b422.0023.3854  Gi1/0/2           2  0005    4mn REACHABLE  N/A              
ARP 192.168.2.54                            0004.4bfb.2253  Gi1/0/3           2  0005   82s  REACHABLE  N/A              
ND  FE80::B622:FF:FE23:3854                 b422.0023.3854  Gi1/0/2           2  0005    4mn REACHABLE  N/A              
ND  FE80::4467:5437:A836:5A0A               0021.cc72.70d9  Gi1/0/1           2  0005    9mn REACHABLE  N/A              

labsw2#

labsw2#sh authentication se
labsw2#sh authentication sessions 
Interface                MAC Address    Method  Domain  Status Fg  Session ID
--------------------------------------------------------------------------------------------
Gi1/0/3                  0004.4bfb.2253 mab     UNKNOWN Auth        C0A802FB000000256374F7FD
Gi1/0/1                  0021.cc72.70d9 dot1x   UNKNOWN Auth        C0A802FB0000002763752D71
Gi1/0/2                  b422.0023.3854 mab     UNKNOWN Auth        C0A802FB0000002663750C99

Session count = 3

Key to Session Events Blocked Status Flags:

  A - Applying Policy (multi-line status for details)
  D - Awaiting Deletion
  F - Final Removal in progress
  I - Awaiting IIF ID allocation
  P - Pushed Session
  R - Removing User Profile (multi-line status for details)
  U - Applying User Profile (multi-line status for details)
  X - Unknown Blocker

labsw2#
labsw2#sh authentication sessions in gi 1/0/1 det
            Interface:  GigabitEthernet1/0/1
               IIF-ID:  0x114136F0
          MAC Address:  0021.cc72.70d9
         IPv6 Address:  fe80::4467:5437:a836:5a0a
         IPv4 Address:  192.168.2.231
               Status:  Authorized
               Domain:  UNKNOWN
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
  Acct update timeout:  86400s (local), Remaining: 85415s
    Common Session ID:  C0A802FB0000002763752D71
      Acct Session ID:  0x00000005
               Handle:  0x9100001d
       Current Policy:  POLICY_Gi1/0/1


Local Policies:
        Service Template: DEFAULT_CRITICAL_VOICE_TEMPLATE (priority 150)
           Voice Vlan:  Vlan: 4096
        Service Template: CRITICAL_AUTH_VLAN_Gi1/0/1 (priority 150)
           Vlan Group:  Vlan: 2
         Idle timeout: 65536 sec

Server Policies:


Method status list:
       Method           State
        dot1x           Authc Failed

labsw2#

labsw2#sh ver
Cisco IOS XE Software, Version 16.12.05b
Cisco IOS Software [Gibraltar], Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.12.5b, 
ROM: IOS-XE ROMMON
BOOTLDR: CAT3K_CAA Boot Loader (CAT3K_CAA-HBOOT-M) Version 4.76, RELEASE SOFTWARE (P)

------------------------------------------------------------------------------
Technology-package                                     Technology-package
Current                        Type                       Next reboot  
------------------------------------------------------------------------------
ipbasek9                Smart License                    ipbasek9            
None                    Subscription Smart License       None                          


Smart Licensing Status: UNREGISTERED/EVAL EXPIRED



Base Ethernet MAC Address          : 
Motherboard Assembly Number        :
Motherboard Serial Number          : 
Model Revision Number              : K0
Motherboard Revision Number        : B0
Model Number                       : WS-C3650-48PD
System Serial Number               : 

          
Switch Ports Model              SW Version        SW Image              Mode   
------ ----- -----              ----------        ----------            ----   
*    1 52    WS-C3650-48PD      16.12.05b         CAT3K_CAA-UNIVERSALK9 INSTALL


Configuration register is 0x102

labsw2#

BR, Kasper

Accepted Solution

Kasper Elsborg (Beginner)

Update.

I have played around with the VMware machine settings, copied it from one host to another, and changed the CPU and RAM settings. I knew I shouldn't do that, but I didn't think it mattered so much in a lab environment. Now we know :-)

Story short, it crashed on a startup one morning. So I reinstalled a new ISE, and changed it to the same VLAN/subnet as my clients.

Now I have endpoints registering on the fly.

BR, Kasper

3 Replies

PradeepSingh (Beginner)

Hi,

You are missing the command which tells the switch which group to use for dot1x authentication.

aaa authentication dot1x default group ISE-Radius-group
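As an added example (not code from the thread, from Cisco or from ISE), the script below does two checks a practitioner would run against the outputs posted in the question and the command named in the reply: it audits a running-config for the global AAA statements that must exist before dot1x or MAB requests reach any RADIUS group, and it parses `show authentication sessions interface ... details` to flag sessions that the switch authorized by its own critical-auth fallback rather than through ISE. The running-config is a constructed sample (the thread never posted the switch config) that deliberately lacks the `aaa authentication dot1x` line; the session text is the question's own output, trimmed to the relevant fields. The server-group name ISE-Radius-group is taken from the reply, and the RADIUS server address 192.168.3.120 from the question; the audit accepts any group name.

```python
"""Added example (not from the thread): audit a Catalyst running-config for the
AAA statements ISE needs, and flag 802.1X/MAB sessions authorized locally."""
from __future__ import annotations
import re

# Global statements required before dot1x/MAB requests are sent to any RADIUS
# group.  "<group>" stands for any server-group name (the reply used ISE-Radius-group).
REQUIRED_AAA = {
    "aaa new-model": r"^aaa new-model$",
    "dot1x system-auth-control": r"^dot1x system-auth-control$",
    "aaa authentication dot1x default group <group>": r"^aaa authentication dot1x default group \S+",
    "aaa authorization network default group <group>": r"^aaa authorization network default group \S+",
    "aaa accounting dot1x default start-stop group <group>": r"^aaa accounting dot1x default start-stop group \S+",
}

# Constructed sample config (not the thread's); it lacks the line the reply names.
LAB_CONFIG = """\
aaa new-model
radius server ISE
 address ipv4 192.168.3.120 auth-port 1812 acct-port 1813
aaa group server radius ISE-Radius-group
 server name ISE
aaa authorization network default group ISE-Radius-group
aaa accounting dot1x default start-stop group ISE-Radius-group
dot1x system-auth-control
"""

# Session detail as posted in the question, trimmed to the fields used here.
SESSION_DETAIL = """\
            Interface:  GigabitEthernet1/0/1
          MAC Address:  0021.cc72.70d9
               Status:  Authorized
               Domain:  UNKNOWN

Local Policies:
        Service Template: DEFAULT_CRITICAL_VOICE_TEMPLATE (priority 150)
        Service Template: CRITICAL_AUTH_VLAN_Gi1/0/1 (priority 150)
           Vlan Group:  Vlan: 2

Server Policies:

Method status list:
       Method           State
        dot1x           Authc Failed
"""

def audit_aaa_config(running_config: str) -> list[str]:
    """Return the names of required AAA statements absent from the config."""
    lines = [ln.strip() for ln in running_config.splitlines()]
    return [name for name, pat in REQUIRED_AAA.items()
            if not any(re.match(pat, ln) for ln in lines)]

def _section(text: str, start: str, end: str | None) -> str:
    """Text between heading `start` and heading `end` (or the end of text)."""
    i = text.find(start)
    if i < 0:
        return ""
    i += len(start)
    j = text.find(end, i) if end else -1
    return text[i:j] if j >= 0 else text[i:]

def parse_session_detail(text: str) -> dict:
    """Parse 'show authentication sessions interface X details' output."""
    fields = {}
    for m in re.finditer(r"^\s*([^:\n]+?):[ \t]*(.*)$", text, re.M):
        fields.setdefault(m.group(1).strip(), m.group(2).strip())
    local = _section(text, "Local Policies:", "Server Policies:")
    server = _section(text, "Server Policies:", "Method status list:")
    methods = dict(re.findall(r"^\s*(dot1x|mab|webauth)\s+(.+?)\s*$",
                              _section(text, "Method status list:", None), re.M))
    templates = re.findall(r"Service Template:\s+(\S+)", local)
    status = fields.get("Status", "")
    return {
        "interface": fields.get("Interface"),
        "mac": fields.get("MAC Address"),
        "status": status,
        "domain": fields.get("Domain"),
        "templates": templates,
        "methods": methods,
        # CRITICAL_* templates are applied only when the switch declared the
        # RADIUS server dead and fell back to its local critical-auth VLAN.
        "critical_auth": any("CRITICAL" in t for t in templates),
        # "Authorized" with an empty Server Policies block: nothing came from ISE.
        "authorized_by_ise": status == "Authorized" and server.strip() != "",
    }

def diagnose(session: dict) -> list[str]:
    """Findings that explain why ISE shows no endpoint or live log for a session."""
    findings = []
    if session["critical_auth"]:
        findings.append("critical-auth templates applied: switch treated RADIUS as dead")
    if session["status"] == "Authorized" and not session["authorized_by_ise"]:
        findings.append("Authorized with empty Server Policies: local fallback, not an ISE decision")
    for method, state in session["methods"].items():
        if "Failed" in state:
            findings.append(f"{method} method state: {state}")
    return findings

if __name__ == "__main__":
    print("missing AAA statements:", audit_aaa_config(LAB_CONFIG))
    for finding in diagnose(parse_session_detail(SESSION_DETAIL)):
        print("-", finding)
```

The point worth keeping in mind from the second check: `Status: Authorized` on the switch does not mean ISE authorized anything. With `Server Policies` empty and `CRITICAL_AUTH_VLAN_Gi1/0/1` applied, the switch has granted the access VLAN on its own because it considers the RADIUS server dead, which is why clients keep their internet access while ISE shows no endpoints and no live log. Run the audit first; a missing `aaa authentication dot1x default group ...` means requests were never sent, and the same fail-open picture results.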

 

Kasper Elsborg (Beginner)

Hi PradeepSingh, and thanks for taking the time to help me.

I have entered the command, and by making the policy set a bit "wide" with a default permit access at the end, I was able to get it to authenticate. I still need to set up the policy set for the certificate, but I haven't figured this out yet.

However, I still don't see any endpoints in ISE?

BR, Kasper