02-13-2020 11:34 AM
Hello All,
ISE: v2.3.0.298 Patch 3
Switch: 4510R+E
We seem to keep having a few users' IP Phones that keep getting stuck in a configuring IP state. When I look at the auth session on the switch, it shows the following:
#show auth sess int Gi10/12 det
            Interface:  GigabitEthernet10/12
          MAC Address:  001f.cae8.xxx
         IPv6 Address:  Unknown
         IPv4 Address:  Unknown
            User-Name:  00-1F-CA-E8-XX-XX
               Status:  Unauthorized
               Domain:  VOICE
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
    Common Session ID:  C0A80201000B1F411F903E0C
      Acct Session ID:  0x0008D681
               Handle:  0xA2000B3C
       Current Policy:  POLICY_Gi10/12
Local Policies:
     Service Template:  DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
      Security Policy:  Should Secure
      Security Status:  Link Unsecure
Method status list:
       Method           State
       dot1x            Stopped
       mab              Authc Success
The difference in the output above, from a normal/working IP Phone, is that this output does not show an IP Address and it does not show a section for Server Policies, like below:
Server Policies:
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-56161e32
If the user unplugs power from the phone, it re-authenticates and starts working, or if I clear the auth session for this device from the switch, it then starts working again as well.
This appears to happen for the same users from time to time. The majority of users have no issues at all.
Thanks,
Matt
02-13-2020 11:08 PM
First things first, because of the number of components at play here, I would suggest working on the issue through TAC. But some tips still.
Get to the latest patch on the ISE side (2.3 patch 7, for reference); there are a few hundred bugs fixed since patch 3 was released. Patch 7 is the final patch for 2.3 and it's recommended to be on it if running the release.
On the NAD side, do a bug scrub and consider moving to the recommended code if you're not already. Because the 4510 can be configured with various sups, I am unable to pick the recommended target.
On an unrelated note, TAC will stop supporting ISE 2.3 on June 17th 2020. Start planning the deployment upgrade.
02-17-2020 10:30 AM
Hey Damien, thanks for the reply.
Yes, that's the difficult part with so many variables at play with this... We actually just had another, new user with this issue this morning as well. BTW, it's Sup7-E, which we will be upgrading to Sup9-E this summer when we have some larger maintenance windows.
Who would you suggest I start with in terms of opening the TAC case? The 4510, CUCM, ISE, etc..?
Also, I'll work on getting ISE upgraded to Patch 7.
Thanks Again,
Matt
02-21-2020 01:20 PM
Because the status is reporting Unauthorized, this is an AAA issue on the switch platform. Usually this is due to mismatches between the switch configurations and what is sent down from the AAA server; e.g. VLAN or ACL not present.
So, I would start with the AAA TAC team, if I were you.
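The symptoms discussed in this thread (Status Unauthorized while mab shows Authc Success, no Server Policies section, no IPv4 address) can be checked for in collected session detail output. The following is an added example, not part of any post above; it assumes the output has been saved as text in the "Key: value" layout quoted in the first post, and the function names and sample values are hypothetical.

```python
# Constructed samples modelled on the session detail output quoted in the thread;
# the interface names, IP and ACL name are placeholders, not values from a real switch.
SAMPLE_STUCK = """\
Interface: GigabitEthernet10/12
IPv4 Address: Unknown
Status: Unauthorized
Method status list:
Method State
dot1x Stopped
mab Authc Success
"""
SAMPLE_OK = """\
Interface: GigabitEthernet10/13
IPv4 Address: 192.0.2.10
Status: Authorized
Server Policies:
ACS ACL: xACSACLx-IP-EXAMPLE-00000000
Method status list:
Method State
dot1x Stopped
mab Authc Success
"""

def parse_session(text):
    """Split one session's detail output into header fields and per-method states."""
    fields, methods, in_methods = {}, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Method status list"):
            in_methods = True
        elif in_methods:
            parts = line.split(None, 1)  # e.g. "mab   Authc Success"
            if len(parts) == 2:
                methods[parts[0]] = parts[1]
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields, methods

def findings(text):
    """Return the symptoms from the thread that this session exhibits."""
    fields, methods = parse_session(text)
    authc_ok = any(state == "Authc Success" for state in methods.values())
    checks = [
        ("authc-success-but-unauthorized", authc_ok and fields.get("Status") == "Unauthorized"),
        ("no-server-policies", authc_ok and "Server Policies" not in fields),
        ("no-ipv4-learned", fields.get("IPv4 Address", "Unknown") == "Unknown"),
    ]
    return [name for name, hit in checks if hit]
```

A session that returns all three findings matches the stuck phones described in the first post and is a candidate for the switch-versus-AAA mismatch check suggested in the last reply.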