Solved: MAB Authenticatin Success ,but I cant ping the device

amhish@netfox.de · ‎02-19-2019

Hello

I been busting my head for a while regarding this Problem.

We habe an ISE with a policy allowing MAB devices to access the network.

the Policy is using MAB wired and the authorization Profile is a VLAN download to the Switch for a Port(of which the device is connected)

on the ISE everything looks fine and the device is authenticated and authurized to access .

on the switch everything is looking fine I can see the VLAN on the port.

but i cant ping the device.

and when i remove the port config and put a static VLAN on that port I can ping the device.

Did anyone encounter a problem like this?

amhish@netfox.de · ‎12-16-2020

A switch reboot or the device is not receiving DHCP requests.

View solution in original post

Mohammed al Baqari · ‎02-19-2019

When the vlan is assigned, do you see dhcp IP assigned to the device. Also,
do you have dacls downloaded (show session interface x/x details). Do you
have device tracking on.?

amhish@netfox.de · ‎02-19-2019

Thank you for your respond

there is no DACLs configured on ISE and device tracking is enabled

bern81 · ‎02-19-2019

Hi,

Watch out of Vlan change when using MAB as it is dummy, sometimes it doesn't recognize that the IP has to be changed and you end up with a VLAN ID but stay in different subnet.

did you add the in global config:

radius-server attribute 8 include-in-access-req

It also could be related to the pre-auth-ACL where you have to enable DHCP traffic.

Can you please share the config to help you better?

Please rate if helpful

amhish@netfox.de · ‎02-19-2019

Thank you for your respond

There are no DACLs configured and the device gets an IP from the DHCP server which i can clearly see but i cant ping

here are the config

network-policy 20

switchport access vlan 15

switchport mode access

device-tracking attach-policy DEVICE_TRACK

authentication timer reauthenticate server

access-session port-control auto

mab

dot1x pae authenticator

storm-control broadcast level pps 100 90

storm-control action trap

auto qos trust dscp

spanning-tree portfast

service-policy type control subscriber 802.1X_POLICY

service-policy input AutoQos-4.0-Trust-Dscp-Input-Policy

service-policy output AutoQos-4.0-Output-Policy

essions interface gigabitEthernet 2/0/3 details

Interface: GigabitEthernet2/0/3

IIF-ID: 0x1A4043D9

MAC Address: a009.ed02.77f0

IPv6 Address: Unknown

IPv4 Address: 10.1.46.161

User-Name: A0-09-ED-02-77-F0

Status: Authorized

Domain: DATA

Oper host mode: multi-auth

Oper control dir: both

Session timeout: N/A

Common Session ID: 0A01FF750000448106545967

Acct Session ID: 0x0000004d

Handle: 0xb2000068

Current Policy: 802.1X_POLICY

Server Policies:

Vlan Group: Vlan: 34

Method status list:

Method State

dot1x Running

mab Authc Success

show arp vlan 34

Protocol Address Age (min) Hardware Addr Type Interface

Internet 10.1.46.190 - a023.9f66.cac9 ARPA Vlan34

Internet 10.1.46.161 0 a009.ed02.77f0 ARPA Vlan34

device-tracking tracking retry-interval 900

!

device-tracking policy DEVICE_TRACK

data-glean recovery dhcp

destination-glean recovery dhcp

no protocol udp

tracking enable

!

roberto brito · ‎12-16-2020

Did you ever resolve this issue? I'm starting to have issues with printers that authenticate successfully with ISE and I still can't ping them.

amhish@netfox.de · ‎12-16-2020

A switch reboot or the device is not receiving DHCP requests.

Mike.Cifelli · ‎02-19-2019

Please share your switchport config. Also, check the items from Mohammed & bern.

MAB Authenticatin Success ,but I cant ping the device

Evoluindo IOT de MAB para 802.1x

Success Tracks と Success Tracks コミュニティの紹介

事象：スイッチ上でMAB認証後の通信不可について

Cisco ISE でのMAB登録

Cisco Customer Successドキュメント