07-23-2012 08:57 AM - edited 03-10-2019 07:19 PM
We are implementing ISE with MAB for printers and although we are successfully authenticating and passing the correct VLAN for printers we are not able to get a DHCP address. I suspect we are timing out while doing authentication, before we are able to get a DHCP address. Has anyone done this successfully? I would appreciate configuration help if you are doing this successfully. We have Cisco 4500s running version 15 XE IOS, and ISE version 1.1
07-26-2012 08:23 AM
So you're saying that when the printer is plugged in, and you issue the show authentication sess in gx/y, the VLAN is not seen in the authorization policy? I'll attach an output from a MAB policy that flips VLANs and changes an ACL. If you are not seeing the authorization policy being associated with the port then check that the aaa authorization network command is there and the aaa radius-server vsa send authentication command. I think you said it already but on the SAME port, when you plug a PC in you say that it works fine flipping VLANs, and when you manually change the VLAN on the port the printer works correctly. If that's the case then the MAB profile where the VLAN is identified in ISE is bad. Can you provide a screen shot of that profile?
Jim Thomas
Cisco Security Course Director
Global Knowledge
CCIE Security #16674
07-26-2012 08:33 AM
Yes, see the following switch port setup, show auth sess, and screen shot of the auth policy associated with printers.
interface GigabitEthernet2/1
description Printer_00:9C:02:07:49:29_Lou's Office
switchport access vlan 116
switchport mode access
switchport voice vlan 103
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
qos trust device cisco-phone
spanning-tree portfast
spanning-tree guard root
service-policy input PER-PORT-POLICING
service-policy output 1P7Q1T
gwdswds40001#sho auth sess int gi2/1
Interface: GigabitEthernet2/1
MAC Address: 009c.0207.4929
IP Address: 10.169.99.245
User-Name: 00-9C-02-07-49-29
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0AA8FF4E000097B14C5871A0
Acct Session ID: 0x000097F4
Handle: 0x2C0009D7
Runnable methods list:
Method State
mab Authc Success
dot1x Not run
07-26-2012 08:37 AM
Richard,
Can you post the results of your show run | aaa? Seems like the authorization is failing, you should have aaa authorization network default group radius...for example.
thanks,
Tarik Admani
*Please rate helpful posts*
07-26-2012 11:01 AM
My first reply seemingly did not go through, in case this is a repeat. Jim Thomas had a good call on
aaa authorization network command
I did not configure the switches (we had a consultant config) and never noticed that aaa authorization was missing. I put this in the config and initial testing looks good, see the following:
gwdswds30001#sho auth sess int gi7/8
Interface: GigabitEthernet7/8
MAC Address: 009c.0204.d3d8
IP Address: 10.169.96.245
User-Name: 00-9C-02-04-D3-D8
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 113
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0AA8FF42000002B24CA27FC0
Acct Session ID: 0x00002E1E
Handle: 0x5F0002B3
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
I will update after further testing.
Thanks again for your replies...
Rick Masselle
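As an added example (not part of the thread and not Cisco's or ISE's own tooling), the following script parses the two `show authentication sessions interface` captures posted above and flags the symptom Jim and Tarik pointed at: a session that reports Authz Success but Vlan Policy: N/A, which is what a missing `aaa authorization network` (or an ISE authorization profile without the VLAN) looks like from the switch side. It also takes an optional, operator-supplied VLAN-to-subnet map (the one in the test is a constructed assumption, not a value from the thread) to spot a host that kept its pre-authorization lease after the VLAN changed, which is the second problem Rick runs into later in the thread.

```python
import ipaddress

# Sample inputs: the two session dumps posted in this thread (gi2/1 before the
# aaa fix, gi7/8 after it), trimmed to the fields this script looks at.
SESSION_BEFORE = """\
Interface: GigabitEthernet2/1
MAC Address: 009c.0207.4929
IP Address: 10.169.99.245
User-Name: 00-9C-02-07-49-29
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Authorized By: Authentication Server
Vlan Policy: N/A
Common Session ID: 0AA8FF4E000097B14C5871A0
Runnable methods list:
Method State
mab Authc Success
dot1x Not run
"""

SESSION_AFTER = """\
Interface: GigabitEthernet7/8
MAC Address: 009c.0204.d3d8
IP Address: 10.169.96.245
User-Name: 00-9C-02-04-D3-D8
Status: Authz Success
Domain: DATA
Oper host mode: multi-domain
Authorized By: Authentication Server
Vlan Policy: 113
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406
Common Session ID: 0AA8FF42000002B24CA27FC0
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
"""


def parse_auth_session(text):
    """Parse one 'show authentication sessions interface' dump into a dict.

    Scalar 'Key: Value' fields become string entries; the 'Runnable methods
    list' table is stored under "methods" as {method: state}."""
    session = {"methods": {}}
    in_methods = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_methods:
            if line.lower().startswith("method "):  # table header row
                continue
            name, _, state = line.partition(" ")
            session["methods"][name] = state.strip()
            continue
        if line.startswith("Runnable methods list"):
            in_methods = True
            continue
        key, sep, value = line.partition(":")
        if sep:
            session[key.strip()] = value.strip()
    return session


def diagnose(session, vlan_subnets=None):
    """Return a list of findings for a parsed session.

    vlan_subnets is an optional {vlan: "cidr"} map supplied by the operator
    (hypothetical here) so a host holding an address from the wrong VLAN can
    be spotted; without it only the switch-side authorization state is checked."""
    findings = []
    status = session.get("Status")
    vlan = session.get("Vlan Policy", "N/A")
    if status != "Authz Success":
        findings.append(f"session not authorized (Status: {status})")
        return findings
    if vlan == "N/A":
        # Authorized, but the switch applied nothing from the RADIUS reply.
        findings.append(
            "authorized but no VLAN applied: verify 'aaa authorization network "
            "default group radius' and 'radius-server vsa send authentication' "
            "on the switch, then the ISE authorization profile carrying the VLAN")
        return findings
    ip_text = session.get("IP Address")
    if vlan_subnets and vlan in vlan_subnets and ip_text:
        ip = ipaddress.ip_address(ip_text)
        if ip not in ipaddress.ip_network(vlan_subnets[vlan]):
            findings.append(
                f"IP {ip} is outside {vlan_subnets[vlan]} for assigned VLAN {vlan}: "
                "host likely kept its pre-authorization DHCP lease")
    return findings


if __name__ == "__main__":
    for label, dump in (("before", SESSION_BEFORE), ("after", SESSION_AFTER)):
        print(label, diagnose(parse_auth_session(dump)) or ["ok"])
```

Run the script over a saved capture of every printer port and any port that comes back with the "no VLAN applied" finding is one where the RADIUS reply is being accepted but not enforced; ports that only trip the subnet check are the DHCP-timing case discussed further down, where the lease predates the VLAN change.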
07-31-2012 07:30 AM
So an update, we now get reliable MAB VLAN association. I am still seeing problems with printers either keeping the access-VLAN IP address or not getting an IP address at all. There are only about 7 printers out of 50 - 60 that are getting an IP address in the correct VLAN. I have not been able to track down the reasons yet. Any suggestions? We have been using auth open, because we have a very big IP phone population, along with order dot1x mab, and dot1x timeout tx-period 10. Should we not be using auth open? There seem to be conflicting statements, one that says you should use auth open if you have a voice VLAN, and another that says you should not use auth open if using MAB?
Rick Masselle
07-31-2012 09:20 AM
Richard,
You can use auth open if you have a strong access-list on the port, which only allows DHCP traffic and DNS traffic; there is no harm in this.
Thanks,
Tarik Admani
*Please rate helpful posts*
07-31-2012 11:21 AM
Tarik,
Yes, I know I can use it, I am not worried about access restriction, I can easily put an ACL on. What my main question is concerning is getting the correct IP address with the new VLAN that gets assigned via MAB authentication and ISE. We are retaining access VLAN IP addresses or not getting an IP address at all once the VLAN has changed, so I am looking for input as to what switch settings should be used given our configuration and design for voice, printers, and workstation users who get their VLAN association either from the voice VLAN (IP phone), ISE via MAB for printers, and dot1x for workstation users...
Rick Masselle
07-31-2012 10:46 PM
Richard,
Based on the debugs that you posted before it seems as if the dynamic VLAN assignment should work just fine. My suggestion is that the printer DHCP sequence may not be occurring once you add the configuration to the port. If you shut and no shut the port and it still doesn't pull an IP address, I would suggest power cycling the printer to see if it then pulls the proper address.
The previous statement that I posted about the auth open and allowing DHCP packets through was incorrect for this scenario, if true. If the printer isn't able to DHCP when the link state changes then it would be best not to allow it to grab an IP on the 116 network and then in turn change the port over to the 113 network. My apologies for the confusion.
Thanks,
Tarik Admani
*Please rate helpful posts*
08-01-2012 07:22 AM
Tarik,
So based on our environment of IP phones, printers, and workstations, would the following be a good switch configuration?
description host port with IP phone
switchport mode access
switchport voice vlan 103
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
qos trust device cisco-phone
spanning-tree portfast
spanning-tree guard root
service-policy input PER-PORT-POLICING
service-policy output 1P7Q1T
Thanks
Rick Masselle
08-01-2012 09:08 AM
This looks like a good configuration.
How is it working with the printers?
Thanks.
Tarik Admani
*Please rate helpful posts*
08-02-2012 05:29 AM
Initial indications are good, printers and IP phones are working correctly since I made the switch configuration modifications. There are still some issues with user logins from PCs but I think the supplicants and/or logins are not correct. Thanks for all your help. I believe we are on track now.
Rick Masselle
07-25-2013 04:33 PM
Currently it seems this is an ISE 1.1.x bug; as a workaround you can use, in ALL the dot1x authorization profiles (Compliant and Not Compliant as well), this magic Cisco AV-Pair
termination-action-modifier=1
This forces ISE to use the last authentication, DOT1X, while keeping the original port authentication order syntax
authentication order mab dot1x
authentication priority dot1x mab
that worked flawlessly before Cisco 1.1.x. It does not work now.
This is (not very) well documented at this URL, last note at the bottom of the page.
Hope this will help ALL.
This "feature" wasted about 2 days (and this night) of my life.
09-09-2015 12:36 AM
Hi,
I know this is an old topic but I also have almost the same problem.
My question is, could this issue be resolved by assigning a static IP on the host?
How does ISE handle this? Because if it can't authenticate the host, it puts it in the guest VLAN. But then its fixed IP won't match that VLAN.