MAB Authentication Success, but I can't ping the device



I've been busting my head for a while regarding this problem.

We have an ISE with a policy allowing MAB devices to access the network.

The policy is using MAB wired and the authorization profile is a VLAN download to the switch for a port (to which the device is connected).

On the ISE everything looks fine and the device is authenticated and authorized to access.

On the switch everything is looking fine; I can see the VLAN on the port.

But I can't ping the device.

And when I remove the port config and put a static VLAN on that port, I can ping the device.

Did anyone encounter a problem like this?

VIP Advisor

When the VLAN is assigned, do you see a DHCP IP assigned to the device? Also,
do you have dACLs downloaded (show session interface x/x details)? Do you
have device tracking on?

Thank you for your response.

There are no DACLs configured on ISE and device tracking is enabled.



Watch out for the VLAN change when using MAB as it is dummy; sometimes it doesn't recognize that the IP has to be changed and you end up with a VLAN ID but stay in a different subnet.

Did you add the following in global config:

radius-server attribute 8 include-in-access-req

It also could be related to the pre-auth-ACL where you have to enable DHCP traffic.

Can you please share the config to help you better?


Please rate if helpful




Thank you for your response.


There are no DACLs configured and the device gets an IP from the DHCP server, which I can clearly see, but I can't ping it.


Here is the config:

network-policy 20
 switchport access vlan 15
 switchport mode access
 device-tracking attach-policy DEVICE_TRACK
 authentication timer reauthenticate server
 access-session port-control auto
 dot1x pae authenticator
 storm-control broadcast level pps 100 90
 storm-control action trap
 auto qos trust dscp
 spanning-tree portfast
 service-policy type control subscriber 802.1X_POLICY
 service-policy input AutoQos-4.0-Trust-Dscp-Input-Policy
 service-policy output AutoQos-4.0-Output-Policy

essions interface gigabitEthernet 2/0/3 details
            Interface:  GigabitEthernet2/0/3
               IIF-ID:  0x1A4043D9
          MAC Address:  a009.ed02.77f0
         IPv6 Address:  Unknown
         IPv4 Address:
            User-Name:  A0-09-ED-02-77-F0
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
    Common Session ID:  0A01FF750000448106545967
      Acct Session ID:  0x0000004d
               Handle:  0xb2000068
       Current Policy:  802.1X_POLICY
Server Policies:
           Vlan Group:  Vlan: 34
Method status list:
       Method           State
        dot1x           Running
          mab           Authc Success

show arp vlan 34
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet             -   a023.9f66.cac9  ARPA   Vlan34
Internet             0   a009.ed02.77f0  ARPA   Vlan34

device-tracking tracking retry-interval 900
device-tracking policy DEVICE_TRACK
 data-glean recovery dhcp
 destination-glean recovery dhcp
 no protocol udp
 tracking enable
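
An added example, not part of the thread: a Python check over session output in the layout posted above, flagging the points the replies ask about (VLAN change, missing IPv4 binding, downloaded ACL). The sample values are constructed, and `parse_session`, `triage` and `access_vlan` are names chosen for this example.

```python
import re

# Constructed sample in the layout of the session output posted above
# (all values are made up for this example).
SAMPLE = """\
            Interface:  GigabitEthernet1/0/1
          MAC Address:  0000.5e00.5301
         IPv4 Address:
               Status:  Authorized
Server Policies:
           Vlan Group:  Vlan: 34
Method status list:
       Method           State
        dot1x           Running
          mab           Authc Success
"""

def parse_session(text):
    """Split the output into 'Key: value' fields and per-method states."""
    fields, methods, in_methods = {}, {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Method status list:":
            in_methods = True
        elif in_methods:
            parts = stripped.split(None, 1)
            if len(parts) == 2 and parts[0] != "Method":  # skip header row
                methods[parts[0]] = parts[1]
        elif (kv := re.match(r"^\s*([^:]+?):\s*(.*)$", line)):
            fields[kv.group(1)] = kv.group(2).strip()
    return fields, methods

def triage(text, access_vlan):
    """Compare the session with the port's static access VLAN; list findings."""
    fields, methods = parse_session(text)
    findings = []
    if fields.get("Status") != "Authorized" or "Authc Success" not in methods.values():
        findings.append("session is not authorized by any method")
    m = re.search(r"Vlan:\s*(\d+)", fields.get("Vlan Group", ""))
    if m and int(m.group(1)) != access_vlan:
        findings.append(f"RADIUS moved the port from VLAN {access_vlan} to {m.group(1)}: "
                        "the endpoint needs a DHCP lease in the new subnet")
    if not fields.get("IPv4 Address"):
        findings.append("no IPv4 address bound to the session: check device tracking and DHCP")
    if "ACS ACL" in fields:  # label a downloaded ACL is assumed to appear under
        findings.append(f"dACL applied: {fields['ACS ACL']}")
    return findings
```

Calling `triage(SAMPLE, 15)` compares the session with a port configured for access VLAN 15, as in the posted config.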
VIP Engager

Please share your switchport config. Also, check the items from Mohammed & bern.