Switch port security using ISE 2.4

patrick.dice
Level 1

Running ISE 2.4 on a variety of switch platforms in open mode. When making the transition to closed mode, some devices behave differently for the authentication of devices even though we're classifying devices via MAB....

Removing the authen open from an int on a 3750 switch running base122-55.SE5.bin invokes a psecure_delete_address_not_ok: and pings to phone devices stop. A debug of ISE and dot1x indicates that the device has authenticated as expected.

On a 4500 with sup6le 4500e-lanbasek9-mz.152-2.E3.bin, removing open auth from an interface has no impact. However, reauthentication of the int does disrupt traffic for a period of time during authentication, even though ISE is configured to not disrupt if auth passes.

 

Anyone have thoughts on this behaviour?

Accepted Solutions

Hi,

I have a similar setup and had many problems related to bugs. I am using
these two images, which are stable.

4500 - 15.2(2)E4
3750 - 15.2(4)E4

Even then, closed mode had issues with phones similar to yours. So instead
I used partial closed with a pre-auth ACL allowing DHCP/DNS only. Then the
remaining ACLs are downloaded from ISE, and this fixed the problem.
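
The port setup the accepted answer describes, written out as an added example that is not part of the original thread or the poster's configuration. It assumes "partial closed" means Cisco's low-impact mode, where `authentication open` stays on the port and a port ACL limits traffic until ISE returns a downloadable ACL; the ACL name, interface and VLAN IDs are placeholders.

```cisco
! Constructed example: ACL-PREAUTH, Gi1/0/10 and VLANs 10/20 are placeholders.
!
! The switch needs the endpoint's IP address to apply a downloaded ACL
! to that endpoint's session.
ip device tracking
!
! Accept Cisco vendor-specific attributes (which carry the dACL name)
! in RADIUS Access-Accept messages from ISE.
radius-server vsa send authentication
!
! Pre-authentication port ACL: only DHCP and DNS pass before ISE
! authorizes the endpoint. Everything else is dropped.
ip access-list extended ACL-PREAUTH
 remark pre-auth: DHCP client to server
 permit udp any eq bootpc any eq bootps
 remark pre-auth: DNS queries
 permit udp any any eq domain
 deny   ip any any
!
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! Port ACL is what makes "open" safe: traffic is filtered from link-up.
 ip access-group ACL-PREAUTH in
 ! One data device plus one voice device (phone) per port.
 authentication host-mode multi-domain
 ! Low-impact mode keeps open access; closed mode would remove this line.
 authentication open
 ! Phones are classified via MAB, as in the original post.
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

For this to work, every ISE authorization result that should grant more than DHCP/DNS has to return a downloadable ACL; a session authorized without one stays limited by `ACL-PREAUTH`. `show authentication sessions interface GigabitEthernet1/0/10` shows whether a dACL was applied to the session.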
