
Wired 802.1x Endpoint IP Issue

fatalXerror
Level 5

Hi Guys,

I am doing wired 802.1x via ISE 2.7 and I had a successful test; however, I noticed one thing in my testing. In the RADIUS Live Logs, I can see that my endpoint is being successfully authenticated and authorized to the correct VLAN, and my endpoint is able to get an IP address from the DHCP server; however, in the RADIUS Live Logs and on the switchport (show auth session int), I cannot see the endpoint's IP address.

The switch is configured with DHCP snooping, device sensor, and radius-server vsa attributes, but the IP address is still not showing in either the switchport or RADIUS Live Logs.

The topology looks something like this:

TOPOLOGY:

Endpoint <-> Access-Switch <-cascaded to-> Access-Switch <-> Core-Switch <-> WAN <-> DHCP

Thanks

17 Replies

What about "sho device-tra data | i <e/p_MAC>"? What about the Attributes tab in ISE/Visibility for this MAC?
Do you have DHCP snooping turned on on the core switch? Do you have any relevant data there?

Ultimately, what is the output of "sho ip dhcp snoo" on the access-switch?

I have problems with DHCP snooping all the time, because there are so many moving parts. I have a checklist now to ensure that I don't forget anything. I think the commands are universal, but I deal with Cat9300 (IOS-XE 16.12.x) mostly these days.

 

  1. Enable it globally: ip dhcp snooping
  2. Configure the VLANs that you want to snoop on: ip dhcp snooping vlan 1-4094
  3. Disable the information option (works in my case): no ip dhcp snooping information option
  4. Trust the uplinks: int gig blah / ip dhcp snooping trust
  5. On the access-ports (optional): ip dhcp snooping limit rate 15 

 

SW-1#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
E8:E0:B7:DF:60:65   10.68.33.200     611451      dhcp-snooping   33    GigabitEthernet1/0/1
E8:E0:B7:DF:60:65   10.68.50.21      644474      dhcp-snooping   50    GigabitEthernet1/0/2
A4:88:73:89:E8:A8   10.68.42.21      604628      dhcp-snooping   42    GigabitEthernet1/0/48
E8:E0:B7:DF:60:65   192.168.183.21   32294       dhcp-snooping   183   GigabitEthernet1/0/4

I mostly use this to populate the Device Sensor - and I follow the steps as per the Wired Prescriptive Guide
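
Added example (not part of the reply above and not Cisco tooling): a Python parser for "show ip dhcp snooping binding" output that checks whether an endpoint MAC has a binding on the switch and lists MACs bound on more than one interface. The sample text is the table quoted in the reply; the function names are hypothetical, and only rows in that column layout are parsed.

```python
import re
from collections import defaultdict

# Sample input: the binding table quoted in the reply above.
SAMPLE = """\
SW-1#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
E8:E0:B7:DF:60:65   10.68.33.200     611451      dhcp-snooping   33    GigabitEthernet1/0/1
E8:E0:B7:DF:60:65   10.68.50.21      644474      dhcp-snooping   50    GigabitEthernet1/0/2
A4:88:73:89:E8:A8   10.68.42.21      604628      dhcp-snooping   42    GigabitEthernet1/0/48
E8:E0:B7:DF:60:65   192.168.183.21   32294       dhcp-snooping   183   GigabitEthernet1/0/4
"""

ROW = re.compile(
    r"^(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<lease>\d+)\s+(?P<type>\S+)\s+(?P<vlan>\d+)\s+(?P<interface>\S+)$"
)

def normalize_mac(mac):
    """Reduce aa:bb:.., aabb.ccdd.eeff or aa-bb-.. to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_bindings(text):
    """Return one dict per binding row; prompt, header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["mac"] = normalize_mac(row["mac"])
            row["lease"], row["vlan"] = int(row["lease"]), int(row["vlan"])
            rows.append(row)
    return rows

def bindings_for(text, mac):
    """Bindings for one endpoint; an empty list means the switch holds no binding for it."""
    return [r for r in parse_bindings(text) if r["mac"] == normalize_mac(mac)]

def macs_on_multiple_ports(text):
    """MACs with bindings on more than one interface (moved endpoint or stale lease)."""
    ports = defaultdict(set)
    for r in parse_bindings(text):
        ports[r["mac"]].add(r["interface"])
    return {mac: sorted(p) for mac, p in ports.items() if len(p) > 1}

if __name__ == "__main__":
    print(bindings_for(SAMPLE, "e8e0.b7df.6065"), macs_on_multiple_ports(SAMPLE))
```

An empty result from bindings_for for the endpoint in question points at the snooping checklist above (VLAN list, trusted uplinks) rather than at ISE.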

Peter Koltl
Level 7

Can you see the client IPv4 address in

show access-session int Gi1/0/x detail

output?