MAB and dhcp timing out

We are implementing ISE with MAB for printers and although we are successfully authenticating and passing the correct VLAN for printers, we are not able to get a DHCP address. I suspect we are timing out while doing authentication, before we are able to get a DHCP address. Has anyone done this successfully? I would appreciate configuration help if you are doing this successfully. We have Cisco 4500s running version 15 XE IOS, and ISE version 1.1.

27 Replies

So you're saying that when the printer is plugged in, and you issue the show authentication sess int gx/y, the VLAN is not seen in the authorization policy? I'll attach an output from a MAB policy that flips VLANs and changes an ACL. If you are not seeing the authorization policy being associated with the port, then check that the aaa authorization network command is there and the aaa radius-server vsa send authentication command. I think you said it already, but on the SAME port, when you plug a PC in you say that it works fine flipping VLANs, and when you manually change the VLAN on the port the printer works correctly. If that's the case, then the MAB profile where the VLAN is identified in ISE is bad. Can you provide a screen shot of that profile?

Jim Thomas
Cisco Security Course Director
Global Knowledge
CCIE Security #16674


Yes, see the following switch port setup, show auth sess output, and screen shot of the auth policy associated with printers:

interface GigabitEthernet2/1
description Printer_00:9C:02:07:49:29_Lou's Office
switchport access vlan 116
switchport mode access
switchport voice vlan 103
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
qos trust device cisco-phone
spanning-tree portfast
spanning-tree guard root
service-policy input PER-PORT-POLICING
service-policy output 1P7Q1T

gwdswds40001#sho auth sess int gi2/1
            Interface:  GigabitEthernet2/1
          MAC Address:  009c.0207.4929
           IP Address:  10.169.99.245
            User-Name:  00-9C-02-07-49-29
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0AA8FF4E000097B14C5871A0
      Acct Session ID:  0x000097F4
               Handle:  0x2C0009D7

Runnable methods list:
       Method   State
       mab      Authc Success
       dot1x    Not run

Richard,

Can you post the results of your show run | i aaa? It seems like the authorization is failing; you should have aaa authorization network default group radius, for example.

thanks,

Tarik Admani
*Please rate helpful posts*

My first reply seemingly did not go through, in case this is a repeat. Jim Thomas had a good call on

aaa authorization network command

I did not configure the switches (we had a consultant config them) and never noticed that aaa authorization was missing. I put this in the config and initial testing looks good; see the following:

gwdswds30001#sho auth sess int gi7/8
            Interface:  GigabitEthernet7/8
          MAC Address:  009c.0204.d3d8
           IP Address:  10.169.96.245
            User-Name:  00-9C-02-04-D3-D8
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  113
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0AA8FF42000002B24CA27FC0
      Acct Session ID:  0x00002E1E
               Handle:  0x5F0002B3

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success

I will update after further testing..

Thanks again for your replies...

Rick Masselle
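The two session outputs above differ in exactly the fields a defender checks when dynamic VLAN assignment misbehaves: "Vlan Policy: N/A" after "Authz Success" (authorization result never applied, as diagnosed by Jim and Tarik) and, later in the thread, a printer that keeps its access-VLAN lease after the VLAN moves. The following is an added example, not code from the thread: a small parser for "show authentication sessions interface" blocks that flags both conditions. The sample blocks and the VLAN-to-subnet map are constructed for the example.

```python
import ipaddress

# Constructed sample blocks modelled on the thread's "show authentication sessions
# interface" output; values are illustrative, not taken from a real switch.
BEFORE_FIX = """\
           IP Address:  10.169.99.245
               Status:  Authz Success
          Vlan Policy:  N/A
Runnable methods list:
       Method   State
       mab      Authc Success
       dot1x    Not run
"""
AFTER_FIX = """\
           IP Address:  10.169.99.245
               Status:  Authz Success
          Vlan Policy:  113
Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
"""
VLAN_SUBNETS = {113: "10.169.96.0/24", 116: "10.169.99.0/24"}  # assumed plan, hypothetical


def parse_session(text):
    """Split one session block into (key/value fields, method -> state)."""
    head, _, tail = text.partition("Runnable methods list:")
    fields = {k.strip(): v.strip() for k, v in
              (ln.split(":", 1) for ln in head.splitlines() if ":" in ln)}
    methods = {p[0]: " ".join(p[1:]) for p in
               (ln.split() for ln in tail.splitlines()) if len(p) >= 2 and p[0] != "Method"}
    return fields, methods


def diagnose(text, vlan_subnets):
    """Return finding codes for one session block (empty list means healthy)."""
    fields, methods = parse_session(text)
    findings = []
    vlan = fields.get("Vlan Policy", "N/A")
    if fields.get("Status") == "Authz Success" and vlan == "N/A":
        # Authenticated but no VLAN applied: check 'aaa authorization network' on the switch.
        findings.append("authz-not-applied")
    ip = fields.get("IP Address", "")
    if vlan.isdigit() and int(vlan) in vlan_subnets and ip:
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(vlan_subnets[int(vlan)]):
            # VLAN moved, but the host still holds a lease from the access VLAN.
            findings.append("ip-not-in-assigned-vlan")
    if methods.get("mab") != "Authc Success":
        findings.append("mab-not-authenticated")
    return findings
```

Run diagnose() over each block of the full command output (split on the "Interface:" field) to get a per-port list of ports that need the switch-side fix or a DHCP renew on the endpoint.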

So an update: we now get reliable MAB VLAN association. I am still seeing problems with printers either keeping the access-VLAN IP address or not getting an IP address at all. There are only about 7 printers out of 50-60 that are getting an IP address in the correct VLAN. I have not been able to track down the reasons yet. Any suggestions? We have been using auth open, because we have a very big IP phone population, along with order dot1x mab, and dot1x timeout tx-period 10. Should we not be using auth open? There seem to be conflicting statements, one that says you should use auth open if you have a voice VLAN, and another that says you should not use auth open if using MAB?

Rick Masselle

Richard,

You can use auth open if you have a strong access-list on the port which only allows DHCP traffic and DNS traffic; there is no harm in this.

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik,

Yes, I know I can use it. I am not worried about access restriction; I can easily put an ACL on. My main question concerns getting the correct IP address with the new VLAN that gets assigned via MAB authentication and ISE. We are retaining access VLAN IP addresses or not getting an IP address at all once the VLAN has changed, so I am looking for input as to what the switch settings should be given our configuration and design for voice, printers, and workstation users, who get their VLAN association either from the voice VLAN (IP phone), ISE via MAB for printers, and dot1x for workstation users...

Rick Masselle

Richard,

Based on the debugs that you posted before, it seems as if the dynamic VLAN assignment should work just fine. My suggestion is that the printer DHCP sequence may not be occurring once you add the configuration to the port; if you shut and no shut the port and it still doesn't pull an IP address, I would suggest power cycling the printer to see if it then pulls the proper address.

The previous statement that I posted about auth open and allowing DHCP packets through was incorrect for this scenario, if true. If the printer isn't able to DHCP when the link state changes, then it would be best not to allow it to grab an IP on the 116 network and then in turn change the port over to the 113 network. My apologies for the confusion.

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik,

So based on our environment of IP phones, printers, and workstations, would the following be a good switch configuration?

description host port with IP phone
switchport mode access
switchport voice vlan 103
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
qos trust device cisco-phone
spanning-tree portfast
spanning-tree guard root
service-policy input PER-PORT-POLICING
service-policy output 1P7Q1T

Thanks

Rick Masselle

This looks like a good configuration.

How is it working with the printers?

Thanks.

Tarik Admani
*Please rate helpful posts*

Initial indications are good; printers and IP phones are working correctly since I made the switch configuration modifications. There are still some issues with user logins from PCs, but I think the supplicants and/or logins are not correct. Thanks for all your help. I believe we are on track now.

Rick Masselle

Alfredo Cozzino

Currently it seems this is an ISE 1.1.x bug. As a workaround you can use, in ALL the dot1x authorization profiles (Compliant and Not Compliant as well), this magic Cisco AV-Pair:

termination-action-modifier=1

This forces ISE to use the last authentication, DOT1X, while keeping the original port authentication order syntax

authentication order mab dot1x

authentication priority dot1x mab

that worked flawlessly before Cisco 1.1.x. It does not work now.

This is (not very) well documented at this URL, in the last note at the bottom of the page:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/application_note_c27-573287_ps6638_Products_White_Paper.html#wp9000028

Hope this will help ALL.

This "feature" wasted about 2 days (and this night) of my life.

Hi,


I know this is an old topic, but I also have almost the same problem.


My question is, could this issue be resolved by assigning a static IP on the host?

How does ISE handle this? If it can't authenticate the host, it puts it in the guest VLAN, but then its fixed IP won't match that VLAN.
