08-03-2022 05:03 AM - edited 08-03-2022 05:28 AM
Hi community. First, I'm studying ISE, so I'm simply a beginner. However, I've managed to integrate my NADs with TACACS+ and authenticate with AD.
It's a pure lab setup, with an ISE 3.1 and 4 switches, and a DC with a CA.
Client1 (Win10) has its certificate pushed from GPO and is attached to the interface.
Client2: printer
Client3: Android device
All 3 clients have internet access.
I'd like to authenticate with dot1x on the switchport, but after several attempts I still have no endpoints visible in ISE or anything in the live logs. I think it's the switch config, as the endpoints are in the device-tracking database on the switch.
It's kind of a big mouthful, but I need to start somewhere.
ISE31 is in VLAN 3, 192.168.3.120
Clients are in VLAN 2, 192.168.2.0/24
DC in VLAN 2, 192.168.2.82, and OSPF is enabled on the switches.
I hope you are able to help.
Some information to begin with:
The 3650 switch is NOT licensed (could this be a problem?)
labsw2#sh device-tracking database
Binding Table has 6 entries, 5 dynamic (limit 100000)
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match 0002:Orig trunk 0004:Orig access
0008:Orig trusted trunk 0010:Orig trusted access 0020:DHCP assigned
0040:Cga authenticated 0080:Cert authenticated 0100:Statically assigned
Network Layer Address Link Layer Address Interface vlan prlvl age state Time left
L 192.168.2.251 00f2.8b47.3d77 Vl2 2 0100 201mn REACHABLE
ARP 192.168.2.231 0021.cc72.70d9 Gi1/0/1 2 0005 5s REACHABLE N/A
ARP 192.168.2.102 b422.0023.3854 Gi1/0/2 2 0005 4mn REACHABLE N/A
ARP 192.168.2.54 0004.4bfb.2253 Gi1/0/3 2 0005 82s REACHABLE N/A
ND FE80::B622:FF:FE23:3854 b422.0023.3854 Gi1/0/2 2 0005 4mn REACHABLE N/A
ND FE80::4467:5437:A836:5A0A 0021.cc72.70d9 Gi1/0/1 2 0005 9mn REACHABLE N/A
labsw2#
labsw2#sh authentication se
labsw2#sh authentication sessions
Interface MAC Address Method Domain Status Fg Session ID
--------------------------------------------------------------------------------------------
Gi1/0/3 0004.4bfb.2253 mab UNKNOWN Auth C0A802FB000000256374F7FD
Gi1/0/1 0021.cc72.70d9 dot1x UNKNOWN Auth C0A802FB0000002763752D71
Gi1/0/2 b422.0023.3854 mab UNKNOWN Auth C0A802FB0000002663750C99
Session count = 3
Key to Session Events Blocked Status Flags:
A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker
labsw2#
labsw2#sh authentication sessions in gi 1/0/1 det
Interface: GigabitEthernet1/0/1
IIF-ID: 0x114136F0
MAC Address: 0021.cc72.70d9
IPv6 Address: fe80::4467:5437:a836:5a0a
IPv4 Address: 192.168.2.231
Status: Authorized
Domain: UNKNOWN
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Acct update timeout: 86400s (local), Remaining: 85415s
Common Session ID: C0A802FB0000002763752D71
Acct Session ID: 0x00000005
Handle: 0x9100001d
Current Policy: POLICY_Gi1/0/1
Local Policies:
Service Template: DEFAULT_CRITICAL_VOICE_TEMPLATE (priority 150)
Voice Vlan: Vlan: 4096
Service Template: CRITICAL_AUTH_VLAN_Gi1/0/1 (priority 150)
Vlan Group: Vlan: 2
Idle timeout: 65536 sec
Server Policies:
Method status list:
Method State
dot1x Authc Failed
labsw2#
labsw2#sh ver
Cisco IOS XE Software, Version 16.12.05b
Cisco IOS Software [Gibraltar], Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.12.5b,
ROM: IOS-XE ROMMON
BOOTLDR: CAT3K_CAA Boot Loader (CAT3K_CAA-HBOOT-M) Version 4.76, RELEASE SOFTWARE (P)
------------------------------------------------------------------------------
Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------------------
ipbasek9 Smart License ipbasek9
None Subscription Smart License None
Smart Licensing Status: UNREGISTERED/EVAL EXPIRED
Base Ethernet MAC Address :
Motherboard Assembly Number :
Motherboard Serial Number :
Model Revision Number : K0
Motherboard Revision Number : B0
Model Number : WS-C3650-48PD
System Serial Number :
Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ----
* 1 52 WS-C3650-48PD 16.12.05b CAT3K_CAA-UNIVERSALK9 INSTALL
Configuration register is 0x102
labsw2#
Br- Kasper
08-03-2022 06:34 AM
Hi,
You are missing the command which tells the switch which server group to use for dot1x authentication:
aaa authentication dot1x default group ISE-Radius-group
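A worked switch-side configuration to go with that answer, added here as an example and not taken from either poster's lab. The addresses are the ones given in the thread, the group name is the one in the reply, and the shared secret is an invented placeholder; the syntax is standard IOS-XE 16.12 (the switch in the question runs the converted IBNS 2.0 policy POLICY_Gi1/0/1, so the per-port `service-policy type control subscriber` line it already has stays as is). Two things in the posted output are worth checking against it. The Common Session IDs all start with C0A802FB, which is 192.168.2.251 in hex, i.e. the switch's Vlan2 SVI from the device-tracking table; that is the NAD address ISE will see, so the Network Device entry in ISE must carry that IP with RADIUS enabled (the TACACS+ settings that already work are a separate section of the same entry) and the same secret. And Gi1/0/1 is "Authorized" with dot1x "Authc Failed" while the CRITICAL_AUTH_VLAN_Gi1/0/1 and DEFAULT_CRITICAL_VOICE_TEMPLATE templates are applied: that is the converted policy's AAA-unreachable path, which is what you get when no RADIUS answer comes back, whether because no dot1x method list points at a group or because the server is unreachable, and it explains why nothing shows up in the ISE live logs. 802.1X and MAB are part of the base feature set on these switches; the ipbasek9 package in the show version output is enough and the expired Smart Licensing evaluation is not the cause.

```cisco
! --- Global AAA / RADIUS on labsw2 (example; names and secret are assumed) ---
aaa new-model
!
! ISE 3.1 node from the thread. The key is a placeholder and must match the
! RADIUS shared secret on this switch's Network Device entry in ISE.
radius server ISE31
 address ipv4 192.168.3.120 auth-port 1812 acct-port 1813
 key LabSharedSecret123
!
aaa group server radius ISE-Radius-group
 server name ISE31
 ! Source RADIUS from the Vlan2 SVI (192.168.2.251, the address encoded in the
 ! posted Common Session IDs) so ISE matches the NAD IP it has on file.
 ip radius source-interface Vlan2
!
! The method list the reply points out, plus the authorization and accounting
! lists needed before ISE can return VLAN/dACL results and populate Live Sessions.
aaa authentication dot1x default group ISE-Radius-group
aaa authorization network default group ISE-Radius-group
aaa accounting dot1x default start-stop group ISE-Radius-group
aaa accounting update newinfo periodic 2880
!
! Allow ISE to send CoA (re-authenticate / terminate session) to the switch.
aaa server radius dynamic-author
 client 192.168.3.120 server-key LabSharedSecret123
!
! Include NAS-Port-Type and Framed-IP-Address in requests, and only mark the
! server dead after repeated timeouts so the critical-auth templates seen in
! the original post are not triggered by a single lost packet.
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server dead-criteria time 5 tries 3
radius-server deadtime 5
!
! Enable 802.1X globally; without this no port sends EAP at all.
dot1x system-auth-control
!
! --- Access port (new-style commands; the existing
! "service-policy type control subscriber POLICY_Gi1/0/1" line is kept) ---
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 2
 access-session host-mode multi-auth
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! --- Verification from enable mode ---
! show aaa servers
!     -> "State: current UP" and the authentication request/response counters increment
! test aaa group ISE-Radius-group testuser testpass new-code
!     -> an Access-Reject from ISE is fine (secret and reachability are right); a timeout is not
! clear access-session interface gi1/0/1
! show access-session interface gi1/0/1 details
!     -> "Server Policies" populated and no CRITICAL_* service templates under "Local Policies"
```

After the clear, the attempt should appear in ISE under Operations > RADIUS > Live Logs within a few seconds; if it does not, the `test aaa` result tells you whether the problem is the shared secret (reject with a "wrong secret" failure reason on the ISE side) or reachability (timeout, and the dead-criteria counters in `show aaa servers` climbing).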
08-03-2022 07:49 AM
Hi PradeepSingh, and thanks for taking the time to help me.
I have entered the command, and by making the policy set a bit "wide" with a default permit access at the end, I was able to get it to authenticate. I still need to set up the policy set for the certificate, but I haven't figured this out yet.
However, I still don't see any endpoints in ISE?
Br. Kasper
08-07-2022 01:56 AM
Update.
I have played around with the VMware machine settings, copied it from one host to another, and changed the CPU and RAM settings. I knew I shouldn't do that, but I didn't think it mattered so much in a lab environment. Now we know :-)
Long story short, it crashed on startup one morning, so I reinstalled a new ISE and changed it to the same VLAN/subnet as my clients.
Now I have endpoints registering on the fly.
BR, Kasper