08-20-2020 01:55 AM
Hi,
Started looking at NAC again.
I've dropped the config onto a switch which is used in my lab.
This has an Openspace IP phone plugged into it.
I drop the config onto the port with open authentication; I can see in the log that the phone connects to the voice VLAN, and this is confirmed in the ISE log.
If this is in open auth it should connect the same as it did on the switchport before the config was dropped on. The ISE auth policy is set to permit all while I configure a policy for it?
But the phone gets an IP but doesn't talk to the servers.
Unfortunately I'm working from a distance on this and have to rely on the goodwill of someone onsite to keep checking.
Any help much appreciated.
08-20-2020 06:54 AM
At a quick glance, your configuration looks fine. With "authentication open", the only thing that could possibly be restricting traffic flow is if there is a default/pre-auth ACL configured on the port or if ISE is pushing down a dACL that restricts traffic. Sometimes ISE will show a good authentication but the switch is not able to apply the policy and will keep the port as not authorized. This can happen if you are pushing a VLAN assignment but the VLAN doesn't exist on the switch, or if your dACL has errors in it that the switch doesn't like. So to be sure, you need to do a "show auth sessions int gx/y detail" and verify the output. It should show "Authorized" and whether any dACLs are applied. If you are using a dACL (even a permit all), then IP Device Tracking will need to know the client's IP address, so verify that the IP address shows up in the show output as well. And for true monitor mode, don't use a default/pre-auth ACL unless it is a permit ip any any.
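One way to automate the check described in this reply, as an added example that is not from the original thread or from Cisco: a small Python script that parses the output of "show authentication sessions interface Gi x/y details" and reports the three things to verify (Authorized status, whether a dACL was pushed, and whether IP Device Tracking has learned the client's IPv4 address). Both sample outputs are constructed for this example (hypothetical MAC, IP, session ID and dACL name); the exact field layout differs between IOS and IOS-XE releases, so adjust the regex if your platform prints the fields differently.

```python
import re

# Constructed sample: phone authorized via MAB in the VOICE domain, ISE pushed
# a permit-all dACL, and IP device tracking learned the phone's address.
GOOD_SESSION = """\
            Interface:  GigabitEthernet1/0/1
          MAC Address:  0050.5686.1234
         IPv6 Address:  Unknown
         IPv4 Address:  10.1.1.50
            User-Name:  00-50-56-86-12-34
               Status:  Authorized
               Domain:  VOICE
       Oper host mode:  multi-auth
     Oper control dir:  both
    Common Session ID:  0A0101010000000B001A2B3C
       Current Policy:  POLICY_Gi1/0/1

Server Policies:
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_IPV4_TRAFFIC-57f6b0d3

Method status list:
       Method           State
       dot1x            Stopped
       mab              Authc Success
"""

# Constructed sample: ISE accepted the session and returned a dACL, but the
# switch never learned the client's IP, so the dACL cannot be applied and the
# session stays Unauthorized even though the ISE log shows success.
BAD_SESSION = """\
            Interface:  GigabitEthernet1/0/1
          MAC Address:  0050.5686.1234
         IPv6 Address:  Unknown
         IPv4 Address:  Unknown
            User-Name:  00-50-56-86-12-34
               Status:  Unauthorized
               Domain:  VOICE
       Oper host mode:  multi-auth
     Oper control dir:  both
    Common Session ID:  0A0101010000000B001A2B3D
       Current Policy:  POLICY_Gi1/0/1

Server Policies:
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_IPV4_TRAFFIC-57f6b0d3

Method status list:
       Method           State
       dot1x            Stopped
       mab              Authc Success
"""

# "Key:  Value" rows; the Method status list has no colon and is skipped.
FIELD_RE = re.compile(r"^\s*([A-Za-z0-9 /-]+?):\s+(\S.*?)\s*$")


def parse_session(text):
    """Return the colon-separated fields of one session as a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields


def check_session(text):
    """Apply the three checks from the reply above and return a summary dict.
    An empty 'findings' list means the session looks healthy on the switch."""
    f = parse_session(text)
    authorized = f.get("Status") == "Authorized"
    dacl = f.get("ACS ACL")  # None when ISE pushed no dACL
    ipv4 = f.get("IPv4 Address", "Unknown")
    findings = []
    if not authorized:
        findings.append("Status is %s, not Authorized: ISE may have accepted, "
                        "but the switch could not apply the policy" % f.get("Status"))
    if dacl and ipv4 == "Unknown":
        findings.append("dACL %s is present but no IPv4 address was learned: "
                        "IP device tracking has not seen the client" % dacl)
    return {"interface": f.get("Interface"), "authorized": authorized,
            "dacl": dacl, "ipv4": ipv4, "findings": findings}


if __name__ == "__main__":
    for label, sample in (("good", GOOD_SESSION), ("bad", BAD_SESSION)):
        result = check_session(sample)
        print(label, result["interface"], "authorized=%s" % result["authorized"])
        for finding in result["findings"]:
            print("  -", finding)
```

Paste the real show output into one of the sample strings (or read it from a file) to run it against your port; the checks deliberately stop at what the reply lists, so a restrictive pre-auth ACL on the port still has to be confirmed by hand.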
08-20-2020 06:48 AM
Review the section "Monitoring Authentications with Open Access" in the ISE Secure Wired Access Prescriptive Deployment Guide, including "Monitoring Authentication Sessions", to see what ISE is authorizing.
Then confirm the authorized state on the switch with
show authentication session interface Gig x/y/z details
This should not be an issue in this scenario, but our best-practice timer values are very different from yours:
dot1x timeout tx-period 7
dot1x max-reauth-req 3
08-21-2020 07:59 AM - edited 08-21-2020 08:00 AM
Thank you for your replies, very useful.
Cheers