Laptop behind phone does not get assigned to DACL if phone boots first

Josh Morris
Level 3

I have some laptops plugged into Cisco phones. I'm using MAB on the switchport. If the PC comes up first, it matches the correct ISE policies, gets an IP address, and can get out. When the phone comes up, it too works fine.

If the phone comes up first, it still matches the correct ISE policies and works correctly. But once the PC comes up behind it, it matches the correct ISE policies, gets an IP address, but cannot get out to the network. If I look at the access-list on the port, I do not see where the PC has an entry; only the phone.

I am using the default IP-Phone authorization profile, which uses the permit any DACL. I am using NO DACL on my PC authorization rule.

5 Replies

cciesec333
Level 1

Can you paste the output of #show authentication sessions interface GigabitEthernet and live authentication?

This is output during a period where this is working...

 

51IDF2#show authen sess int g3/40 d
            Interface:  GigabitEthernet3/40
          MAC Address:  20bb.c020.7cb8
         IPv6 Address:  Unknown
         IPv4 Address:  10.42.66.254
            User-Name:  20-BB-C0-20-7C-B8
               Status:  Authorized
               Domain:  VOICE
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
    Common Session ID:  0A2A000C000014AAB78F3FB4
      Acct Session ID:  0x000028EA
               Handle:  0xB10004DD
       Current Policy:  POLICY_Gi3/40
 
Local Policies:
Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
      Security Policy:  Should Secure
      Security Status:  Link Unsecure
 
Server Policies:
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-4fe7f797
 
Method status list:
       Method           State
       mab              Authc Success
 
----------------------------------------
            Interface:  GigabitEthernet3/40
          MAC Address:  b8ca.3ac0.f250
         IPv6 Address:  Unknown
         IPv4 Address:  10.42.34.21
            User-Name:  B8-CA-3A-C0-F2-50
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
    Common Session ID:  0A2A000C000014A9B78E8F78
      Acct Session ID:  0x000028E8
               Handle:  0x12000323
       Current Policy:  POLICY_Gi3/40
 
Local Policies:
Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
      Security Policy:  Should Secure
      Security Status:  Link Unsecure
 
Server Policies:
 
Method status list:
       Method           State
          
       mab              Authc Success
 
51IDF2#show ip access int g3/40
     permit ip host 10.42.66.254 any
     permit ip host 10.42.34.21 any
Extended IP access list Auth-Default-ACL
    10 permit udp any any eq domain
    20 permit tcp any any eq domain
    30 permit udp any eq bootps any
    40 permit udp any any eq bootpc
    50 permit udp any eq bootpc any
    60 deny ip any any
51IDF2#
 
I was unable to get a live authentication on this device. But I did get the following in the troubleshooting tool on the last auth...
Diagnosis and Resolution
Could not determine the root cause and suggest a diagnosis/resolution.
Please see below for details on steps performed.

Troubleshooting Summary
Step successful: Investigated authentication record with details:
Details

Timestamp: 2014-08-21 12:56:01.572
ISE Server: dc5051ise-psn1
Username: B8:CA:3A:C0:F2:50
MAC Address: B8:CA:3A:C0:F2:50
Status: Passed
Failure Reason:
Network Device Name: SJ5051IDF2
Network Device IP: 10.42.0.12
Identity Store: Internal Endpoints
Identity Group: Workstation
NAS Port ID: GigabitEthernet3/40
Audit Session ID: 0A2A000C000014A9B78E8F78
Authentication Method: mab
Step failed: No relevant VLAN or dACL context found in the ISE response. No further troubleshooting can be performed on the selected authentication record.
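As an added example (not part of the thread), a small Python check that parses the two outputs above and flags any Authorized session whose IPv4 address has no per-host permit on the port, which is the condition Josh describes when the PC comes up behind the phone. The sample outputs are constructed from the thread's working output with the PC's ACL entry removed.

```python
import re

# Constructed sample modelled on the "show authen sess int g3/40 d" output in the thread,
# trimmed to the fields used here; the DATA host is left out of the ACL on purpose.
SESSIONS_OUT = """\
            Interface:  GigabitEthernet3/40
          MAC Address:  20bb.c020.7cb8
         IPv4 Address:  10.42.66.254
               Status:  Authorized
               Domain:  VOICE
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-4fe7f797
----------------------------------------
            Interface:  GigabitEthernet3/40
          MAC Address:  b8ca.3ac0.f250
         IPv4 Address:  10.42.34.21
               Status:  Authorized
               Domain:  DATA
"""
# Constructed "show ip access-list interface g3/40" output: only the phone has a per-host permit.
ACL_OUT = """\
     permit ip host 10.42.66.254 any
Extended IP access list Auth-Default-ACL
    10 permit udp any any eq domain
    60 deny ip any any
"""
FIELD_RE = re.compile(r"^\s*([A-Za-z0-9 ]+?):\s+(\S.*?)\s*$", re.M)

def parse_sessions(text):
    """Split the detail output on the dashed separator and keep MAC, IPv4,
    Domain, Status and the dACL name (None when ISE pushed no dACL)."""
    sessions = []
    for chunk in re.split(r"^-{10,}\s*$", text, flags=re.M):
        fields = dict(FIELD_RE.findall(chunk))
        if "MAC Address" in fields:
            sessions.append({"mac": fields["MAC Address"], "domain": fields.get("Domain", ""),
                             "ip": fields.get("IPv4 Address", "Unknown"),
                             "status": fields.get("Status", ""), "dacl": fields.get("ACS ACL")})
    return sessions

def parse_interface_acl(text):
    """Host IPs that have a per-session 'permit ip host X any' entry on the port."""
    return set(re.findall(r"^\s*permit ip host (\d+\.\d+\.\d+\.\d+) any\s*$", text, re.M))

def sessions_missing_acl_entry(sessions_text, acl_text):
    """Authorized sessions with a learned IPv4 address but no per-host permit:
    such a host passes MAB and gets DHCP, yet its traffic hits 'deny ip any any'."""
    permitted = parse_interface_acl(acl_text)
    return [s for s in parse_sessions(sessions_text)
            if s["status"] == "Authorized" and s["ip"] != "Unknown" and s["ip"] not in permitted]
```

Feeding it the real outputs from a switch in the broken state should list the PC session, while the working output above yields an empty list.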

Saurav Lodh
Level 7

Enable the CDP feature on the switch.

Thanks, but CDP is enabled already.

Josh Morris
Level 3

My TAC engineer finally came back and reported this as a bug in my version of software (3.3.1). 

CSCuq36259

This bug is supposed to be fixed in 3.6.0.

Thanks.