01-10-2020 11:47 AM - edited 01-10-2020 11:49 AM
This is a super weird issue and I'm just curious if anyone has seen anything like this. I received a call about an off-site location having issues with 3 ports (with VoIP and Windows 10 workstations) having issues with authentication. Looking at the first two ports, the computers and phones looked fine. Looking at the third port, I noticed something really weird in the RADIUS Live logs.
Usually in the RADIUS Live logs I see that under Identity is the workstation's host name, and the Endpoint ID is the MAC, using dot1x. With MAB I would see the MAC under both the Identity and Endpoint ID.
The history showed the computer with, let's say, a MAC ending in 1111. I guess at some point it didn't want to do dot1x and it tried MAB. However, the identity showed as the MAC of a phone on another port, same switch. It happened twice; the endpoint ID is that computer's MAC, however there are 3 different entries under identity, all using the MAC of another phone.
Example:

Identity    Endpoint ID
3333        1111
2222        1111
hostname    1111
First and only time I've seen this. The computer is currently using 802.1x and is happy. But it blew my mind!
01-10-2020 02:22 PM
I have seen issues like this with older versions of ISE. Like 1.4, 2.0, and 2.1. We would see endpoint records being merged together in the database so we would see Windows DHCP attributes and the Windows workstation name as identity but would also see a totally different MAC address and other attributes. We concluded that there were database issues and records were getting merged together. Or wrong endpoint records were updated when new information came in. I haven't seen that in a long time though. If your ISE system is an older version OR was upgraded over the years without a clean rebuild, then that may be what you saw. When moving to a newer version of ISE, I usually try to do a clean install and put all the policies and configurations back in manually. Especially if the system had been upgraded inline in the past from older versions.
01-13-2020 12:23 PM
Thanks for the Info!
We did do a clean build from 2.0 to 2.4, however we've just been updating and patching and are currently running 2.6 patch 3. I did just rebuild the 2.6 nodes. However, I did it the lazy way: unregistered the old node, deployed a new node and registered it so that all the settings were transferred over.
Thanks again for the advice. I'll look into this if we need to rebuild again.
01-16-2020 01:25 PM
If this issue is seen again, it is best to engage Cisco TAC.
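The first post describes what a normal record looks like: with MAB the Identity and Endpoint ID are the same MAC, with dot1x the Identity is a host name. The following is an added example, not part of the thread and not Cisco code, that scans an exported log for endpoints whose Identity is some other device's MAC. The CSV column names and the sample rows are assumptions constructed for illustration, not a real ISE export schema.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample rows; column names are assumed, not taken from an ISE export.
SAMPLE_LOG = """timestamp,identity,endpoint_id,auth_method
2020-01-09T08:01:00,AA:BB:CC:00:33:33,AA:BB:CC:00:11:11,MAB
2020-01-09T08:05:00,aabb.cc00.2222,AA:BB:CC:00:11:11,MAB
2020-01-09T08:09:00,WKSTN-01,AA:BB:CC:00:11:11,dot1x
2020-01-09T08:10:00,aa-bb-cc-00-22-22,AA:BB:CC:00:22:22,MAB
"""


def normalize_mac(value):
    """Return 12 lowercase hex digits if value is a MAC in colon, dash or dotted form, else None."""
    digits = re.sub(r"[.:\-]", "", value.strip()).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def find_identity_mismatches(log_text):
    """Map each endpoint MAC to the sorted foreign MACs that appeared as its Identity."""
    mismatches = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        endpoint = normalize_mac(row["endpoint_id"])
        identity = normalize_mac(row["identity"])
        if endpoint is None or identity is None:
            continue  # host name or user name identity (dot1x), nothing to compare
        if identity != endpoint:
            mismatches[endpoint].add(identity)
    return {ep: sorted(ids) for ep, ids in mismatches.items()}


if __name__ == "__main__":
    for ep, ids in find_identity_mismatches(SAMPLE_LOG).items():
        print(ep, "seen with foreign identities:", ", ".join(ids))
```
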